
CVE-2024-55553 attacker can continuously trigger route validation in FRRouting (FRR) before 10.3 from 6.0 onward
Open, Normal, Public, BUG

Description

In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. This can be used by an attacker to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically.

Furthermore, an attacker can use this to continuously trigger route validation. Given that routers with large full-tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact route handling performance of all FRR instances using RPKI globally.

Additionally, the re-validation will cause heightened BMP traffic to ingestors.

Affected Versions: FRRouting <6.0

Fixed Versions: 10.0.3, 10.1.2, 10.2.1, 10.3

Details

Version: 1.4.1
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Security vulnerability
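
A simplified model of the behaviour the description reports, added here as an illustration and not taken from FRR or the linked fix: an update that fits in the buffer touches only the covered routes, while one that exceeds it re-validates the whole table. `RECORD_BYTES`, the constructed /24 table and all function names are assumptions.

```python
import ipaddress

SOCKET_BUFFER_BYTES = 4096  # "default 4K on most OSes", from the description
RECORD_BYTES = 40           # assumed size of one queued ROA record (constructed)


def covered(route, roa_prefix):
    """True if a change to this ROA prefix can alter the route's validation state."""
    return route.version == roa_prefix.version and route.subnet_of(roa_prefix)


def routes_to_revalidate(rib, roa_changes):
    """Return (overflowed, routes) for one RTR update in this model.

    An update that fits in the buffer re-validates only the routes covered by
    a changed ROA. One that does not fit re-validates the whole table, which
    is the behaviour the description reports.
    """
    if len(roa_changes) * RECORD_BYTES > SOCKET_BUFFER_BYTES:
        return True, list(rib)
    return False, [r for r in rib if any(covered(r, p) for p in roa_changes)]


def build_table(n):
    """Constructed data: n distinct /24 prefixes carved out of 10.0.0.0/8."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    return [ipaddress.ip_network((base + i * 256, 24)) for i in range(n)]


if __name__ == "__main__":
    rib = build_table(2000)                  # constructed 2000-route table
    for n_changes in (10, 102, 103):
        overflowed, routes = routes_to_revalidate(rib, build_table(n_changes))
        print(f"{n_changes:4d} ROA changes -> overflow={overflowed}, "
              f"{len(routes)} of {len(rib)} routes re-validated")
```

In the model, the work jumps from the number of touched prefixes to the size of the whole table as soon as the update no longer fits, regardless of how little actually changed.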

Event Timeline

Here is the C code with the fix for versions 10.0.3, 10.1.2, 10.2.1, 10.3: https://github.com/FRRouting/frr/pull/17586/commits/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3, but I think it shouldn't affect frr-9.1.2, which is used in 1.4 sagitta; it was refactored in the newest version:

https://github.com/FRRouting/frr/blob/rc/9.1.2/bgpd/bgp_rpki.c#L589

Viacheslav triaged this task as Normal priority. Thu, Jan 9, 10:00 AM