Three New BGP Message Parsing Vulnerabilities Disclosed in FRRouting Software
In our new vulnerability research report, Forescout Vedere Labs discusses an often-overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in its software implementations. More specifically, vulnerabilities in BGP message parsing found in the popular FRRouting implementation that could be exploited by attackers to achieve a denial of service (DoS) condition on vulnerable BGP peers.
Some software suites implementing BGP are nowadays used by major networking vendors and relied upon by large parts of the internet. One recent BGP incident shows that it might take only a malformed packet to cause a potentially large disruption.
Today, BGP is found in unexpected places beyond ISPs. For instance, BGP is commonly used internally to route the traffic in large data centers and BGP extensions, such as MP-BGP, are widely deployed for MPLS L3 VPNs. Therefore, organizations should not rely only on their ISPs to handle BGP security.
We analyzed seven implementations of BGP and found three new vulnerabilities in one leading open-source implementation, FRRouting, which could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive.
Our research shows that modern BGP implementations still have low-hanging fruit that can be abused by attackers. As part of this research, we are releasing an open-source tool for organizations to test the security of the BGP suites they use internally and for researchers to find new vulnerabilities in BGP implementations.
What is BGP and why continue to analyze it?
BGP is the main routing protocol for the internet. It allows individual autonomous systems (ASes), which are blocks of IPs leased to an organization for a certain time by a registrar, to exchange routing and reachability information.
When BGP fails, an AS may become unreachable because others cannot route their packets there and the unreachable AS becomes cut off from the rest of the internet. When BGP is abused by threat actors, network traffic may be rerouted through unintended locations.
There are both accidental and intentional disruptions of routing on the internet, since BGP was not initially designed with security in mind. Original BGP weaknesses that may lead to major incidents and internet outages have been known for a long time. For example, in a 2018 incident, traffic for Google IP addresses was routed through China Telecom for more than an hour. In July 2022, the Russian ISP Rostelecom announced routes for parts of Apple’s network, resulting in connections to Apple’s services potentially being redirected through Russia for more than 12 hours.
There has been a lot of research on the (in)security of the BGP protocol itself but the various projects that implement BGP have not received the same level of attention in the security community. Various implementations may be vulnerable, leaving BGP peers wide open for attacks. The most recent systematic work we found about security testing of BGP implementations was published 20 years ago.
New vulnerabilities in BGP implementations
We analyzed seven popular BGP implementations, three open source (FRRouting, BIRD, OpenBGPd) and four closed source (Mikrotik RouterOS, Juniper JunOS, Cisco IOS, Arista EOS), using both manual analysis and fuzzing.
We found three new vulnerabilities in the latest release of Free Range Routing (FRRouting) at the time – version 8.4, released on Nov 7, 2022. The vulnerabilities are summarized in the table below and detailed in the technical report.
CVE ID | Description | CVSSv3.1 | Potential Impact |
---|---|---|---|
CVE-2022-40302 | Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. | 6.5 | DoS |
CVE-2022-40318 | Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. This is a different issue from CVE-2022-40302. | 6.5 | DoS |
CVE-2022-43681 | Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet (or the option length word, in case of OPEN with extended option lengths message). | 6.5 | DoS |
The issues were reported to the FRRouting team and fixed in the following versions:
- CVE-2022-40302 and CVE-2022-40318: https://github.com/FRRouting/frr/pull/12043
- CVE-2022-43681: https://github.com/FRRouting/frr/pull/12247
Impact analysis of FRRouting vulnerabilities
FRRouting was forked from another open source project called Quagga in 2016 by developers from several commercial organizations and is currently used in the networking solutions of several major vendors, including nVidia Cumulus, which in turn is adopted by large organizations such as PayPal, Yahoo, Qualcomm and the Dutch National Police; DENT, which is mainly supported by Amazon; and SONiC, which is mainly supported by Microsoft and used in some Juniper routers.
Attackers may leverage any of the three new vulnerabilities to achieve a DoS on a vulnerable BGP peer, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive for several seconds. The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets.
Two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates BGP Identifier and ASN fields. While FRRouting only allows connections between configured peers by default (e.g., OPEN messages from hosts not present in the config files will not be accepted), in this case attackers only need to spoof a valid IP address of a trusted peer. Another possibility for the attacker is to take advantage of misconfigurations or attempt to compromise a legitimate peer by exploiting other vulnerabilities. Similar DoS vulnerabilities in FRRouting have already caused notable disruptions, and they must be fixed.
There are over 330,000 hosts with BGP enabled on the internet and close to 1,000 of those reply to unsolicited BGP OPEN messages. Most of the BGP hosts are in China (close to 100,000), the US (50,000) and the UK (16,000). We also see more than 200,000 hosts running Quagga and more than 1,000 running FRRouting (not all of them with BGP enabled). Again, China comes on top with more than 170,000 hosts followed by the U.S. with 15,000 and Japan with close to 4,000.
BGP security open-source testing tool
As part of this research, we are releasing an open-source tool for organizations to test the security of the BGP suites they use internally and for researchers to find new vulnerabilities in BGP implementations.
The tool has several scripts available out of the box with proofs of concept for the vulnerabilities we found and test cases for the BGP OPEN, UPDATE, ROTE REFRESH and NOTIFICATION messages. The proofs of concept can be run directly against a device to test if it is vulnerable, while the test cases can be run against new implementations to search for new vulnerabilities.
To support these test cases, the tool provides a crash monitor that checks whether the latest test case has crashed the target and generates a proof-of-concept exploit out of the latest failed test case. The monitor also attempts to restart the target if its process dies, which is convenient for running long campaigns. Currently, the monitor supports FRRouting, BIRD and OpenBGPD, but it can be extended to other targets as well.
Conclusion and mitigation recommendations
After reviewing and testing the selected implementations, we can assume that they are robust against malformed packets. This is not surprising, considering that these are mature and actively developed projects with many contributors.
Nevertheless, we were surprised by our findings in the FRRouting project: it is interesting to see evidence that BGP message parsing issues can still be found in major projects with a good history of security patches. The fact that FRRouting provides wide support for fuzzing its own code suggests that a few “shallow” bugs may still slip through the cracks.
Since BGP is such an integral part of the internet, there are several guidelines on how to secure it, such as those from the Internet Society, RIPE NCC, NIST and the NSA. However, those guidelines tend to focus on the known issues with BGP insecurity and how to deploy RPKI.
Also, because of the supply chain effect we have seen in past research, vulnerabilities on open-source components tend to spread widely. The new issues CVE-2022-40302 and CVE-2022-40318, for instance, clearly show how the same vulnerable code may be present in multiple places of a code base and serve as a root cause for several vulnerabilities. Similar (or the same) code could be present in other projects and affect several products using FRRouting or one of the networking operating systems that rely on it, such as Cumulus, SONiC and DENT, mentioned above.
To mitigate the risk of vulnerable BGP implementations, such as the FRRouting issues we found, the best recommendation is to patch network infrastructure devices as often as possible. To do so, you must first have an updated asset inventory that keeps track of all the networking devices in your organization and the versions of software running on them. This is much easier to achieve with software that provides granular visibility for every device in the network.
For a deeper dive into our methodology and technical analysis of the findings, read the full report.