URL:
https://www.forescout.com/blog/three-new-bgp-message-parsing-vulnerabilities-disclosed-in-frrouting-software/
Submission: On May 03 via api from TR — Scanned from DE
THREE NEW BGP MESSAGE PARSING VULNERABILITIES DISCLOSED IN FRROUTING SOFTWARE

Forescout Vedere Labs | May 2, 2023

In our new vulnerability research report, Forescout Vedere Labs discusses an often-overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in its software implementations. More specifically, vulnerabilities in BGP message parsing found in the popular FRRouting implementation that could be exploited by attackers to achieve a denial of service (DoS) condition on vulnerable BGP peers.

Some software suites implementing BGP are nowadays used by major networking vendors and relied upon by large parts of the internet. One recent BGP incident shows that it might take only a malformed packet to cause a potentially large disruption.

Today, BGP is found in unexpected places beyond ISPs. For instance, BGP is commonly used internally to route the traffic in large data centers and BGP extensions, such as MP-BGP, are widely deployed for MPLS L3 VPNs. Therefore, organizations should not rely only on their ISPs to handle BGP security.

We analyzed seven implementations of BGP and found three new vulnerabilities in one leading open-source implementation, FRRouting, which could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive. Our research shows that modern BGP implementations still have low-hanging fruit that can be abused by attackers.

As part of this research, we are releasing an open-source tool for organizations to test the security of the BGP suites they use internally and for researchers to find new vulnerabilities in BGP implementations.

WHAT IS BGP AND WHY CONTINUE TO ANALYZE IT?

BGP is the main routing protocol for the internet. It allows individual autonomous systems (ASes), which are blocks of IPs leased to an organization for a certain time by a registrar, to exchange routing and reachability information. When BGP fails, an AS may become unreachable because others cannot route their packets there and the unreachable AS becomes cut off from the rest of the internet. When BGP is abused by threat actors, network traffic may be rerouted through unintended locations.

There are both accidental and intentional disruptions of routing on the internet, since BGP was not initially designed with security in mind. Original BGP weaknesses that may lead to major incidents and internet outages have been known for a long time.

For example, in a 2018 incident, traffic for Google IP addresses was routed through China Telecom for more than an hour. In July 2022, the Russian ISP Rostelecom announced routes for parts of Apple’s network, resulting in connections to Apple’s services potentially being redirected through Russia for more than 12 hours.

There has been a lot of research on the (in)security of the BGP protocol itself but the various projects that implement BGP have not received the same level of attention in the security community. Various implementations may be vulnerable, leaving BGP peers wide open for attacks. The most recent systematic work we found about security testing of BGP implementations was published 20 years ago.

NEW VULNERABILITIES IN BGP IMPLEMENTATIONS

We analyzed seven popular BGP implementations, three open source (FRRouting, BIRD, OpenBGPd) and four closed source (Mikrotik RouterOS, Juniper JunOS, Cisco IOS, Arista EOS), using both manual analysis and fuzzing.

We found three new vulnerabilities in the latest release of Free Range Routing (FRRouting) at the time – version 8.4, released on Nov 7, 2022. The vulnerabilities are summarized in the table below and detailed in the technical report.

| CVE ID | Description | CVSSv3.1 | Potential Impact |
|---|---|---|---|
| CVE-2022-40302 | Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. | 6.5 | DoS |
| CVE-2022-40318 | Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. This is a different issue from CVE-2022-40302. | 6.5 | DoS |
| CVE-2022-43681 | Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet (or the option length word, in case of OPEN with extended option lengths message). | 6.5 | DoS |

The issues were reported to the FRRouting team and fixed in the following versions:

* CVE-2022-40302 and CVE-2022-40318: https://github.com/FRRouting/frr/pull/12043
* CVE-2022-43681: https://github.com/FRRouting/frr/pull/12247

IMPACT ANALYSIS OF FRROUTING VULNERABILITIES

FRRouting was forked from another open source project called Quagga in 2016 by developers from several commercial organizations and is currently used in the networking solutions of several major vendors, including nVidia Cumulus, which in turn is adopted by large organizations such as PayPal, Yahoo, Qualcomm and the Dutch National Police; DENT, which is mainly supported by Amazon; and SONiC, which is mainly supported by Microsoft and used in some Juniper routers.

Attackers may leverage any of the three new vulnerabilities to achieve a DoS on a vulnerable BGP peer, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive for several seconds. The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets.

Two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates BGP Identifier and ASN fields. While FRRouting only allows connections between configured peers by default (e.g., OPEN messages from hosts not present in the config files will not be accepted), in this case attackers only need to spoof a valid IP address of a trusted peer. Another possibility for the attacker is to take advantage of misconfigurations or attempt to compromise a legitimate peer by exploiting other vulnerabilities.

Similar DoS vulnerabilities in FRRouting have already caused notable disruptions, and they must be fixed. There are over 330,000 hosts with BGP enabled on the internet and close to 1,000 of those reply to unsolicited BGP OPEN messages. Most of the BGP hosts are in China (close to 100,000), the US (50,000) and the UK (16,000).

We also see more than 200,000 hosts running Quagga and more than 1,000 running FRRouting (not all of them with BGP enabled). Again, China comes on top with more than 170,000 hosts followed by the U.S. with 15,000 and Japan with close to 4,000.

BGP SECURITY OPEN-SOURCE TESTING TOOL

As part of this research, we are releasing an open-source tool for organizations to test the security of the BGP suites they use internally and for researchers to find new vulnerabilities in BGP implementations.

The tool has several scripts available out of the box with proofs of concept for the vulnerabilities we found and test cases for the BGP OPEN, UPDATE, ROUTE REFRESH and NOTIFICATION messages. The proofs of concept can be run directly against a device to test if it is vulnerable, while the test cases can be run against new implementations to search for new vulnerabilities.

To support these test cases, the tool provides a crash monitor that checks whether the latest test case has crashed the target and generates a proof-of-concept exploit out of the latest failed test case. The monitor also attempts to restart the target if its process dies, which is convenient for running long campaigns. Currently, the monitor supports FRRouting, BIRD and OpenBGPD, but it can be extended to other targets as well.

CONCLUSION AND MITIGATION RECOMMENDATIONS

After reviewing and testing the selected implementations, we can assume that they are robust against malformed packets. This is not surprising, considering that these are mature and actively developed projects with many contributors.

Nevertheless, we were surprised by our findings in the FRRouting project: it is interesting to see evidence that BGP message parsing issues can still be found in major projects with a good history of security patches. The fact that FRRouting provides wide support for fuzzing its own code suggests that a few “shallow” bugs may still slip through the cracks.

Since BGP is such an integral part of the internet, there are several guidelines on how to secure it, such as those from the Internet Society, RIPE NCC, NIST and the NSA. However, those guidelines tend to focus on the known issues with BGP insecurity and how to deploy RPKI.

Also, because of the supply chain effect we have seen in past research, vulnerabilities on open-source components tend to spread widely. The new issues CVE-2022-40302 and CVE-2022-40318, for instance, clearly show how the same vulnerable code may be present in multiple places of a code base and serve as a root cause for several vulnerabilities. Similar (or the same) code could be present in other projects and affect several products using FRRouting or one of the networking operating systems that rely on it, such as Cumulus, SONiC and DENT, mentioned above.

To mitigate the risk of vulnerable BGP implementations, such as the FRRouting issues we found, the best recommendation is to patch network infrastructure devices as often as possible. To do so, you must first have an updated asset inventory that keeps track of all the networking devices in your organization and the versions of software running on them. This is much easier to achieve with software that provides granular visibility for every device in the network.

For a deeper dive into our methodology and technical analysis of the findings, read the full report.
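The three CVEs in the table above are all out-of-bounds reads while walking the Optional Parameters of a BGP OPEN message. As an added example (not code from the Forescout report or from FRRouting), here is a bounds-checked walk over an OPEN body that handles both the classic one-octet length and the RFC 9072 Extended Optional Parameters Length form. The function name, error codes and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPEN_FIXED_LEN 10   /* version, my AS, hold time, BGP id, opt parm len */
#define EXT_MARKER     255  /* RFC 9072 Non-Ext OP Type: a 2-octet length follows */
#define ERR_TRUNCATED  (-1) /* bytes end before a field or the declared length */
#define ERR_OVERRUN    (-2) /* a parameter runs past the declared region */

/* Read a 1- or 2-octet big-endian value; fail rather than read past `left`. */
static int take(const uint8_t **p, size_t *left, size_t width, size_t *out)
{
    if (*left < width)
        return -1;
    *out = (width == 2) ? (((size_t)(*p)[0] << 8) | (*p)[1]) : (*p)[0];
    *p += width;
    *left -= width;
    return 0;
}

/* Count optional parameters in an OPEN body (the octets after the 19-octet
 * BGP header). Returns the count, or a negative ERR_* value. */
int open_count_opt_params(const uint8_t *body, size_t len)
{
    const uint8_t *p;
    size_t left, opt_len, plen, len_width = 1;
    int count = 0;

    if (len < OPEN_FIXED_LEN)
        return ERR_TRUNCATED;
    opt_len = body[OPEN_FIXED_LEN - 1];
    p = body + OPEN_FIXED_LEN;
    left = len - OPEN_FIXED_LEN;
    /* Extended form: non-zero length octet, then type 255, then a length word. */
    if (opt_len != 0 && left >= 1 && p[0] == EXT_MARKER) {
        p++; left--; len_width = 2;
        if (take(&p, &left, 2, &opt_len) != 0)
            return ERR_TRUNCATED;      /* message ends inside the length word */
    }
    if (opt_len > left)                /* declared more than was received */
        return ERR_TRUNCATED;
    left = opt_len;                    /* never walk beyond the declared region */
    while (left > 0) {
        p++; left--;                   /* parameter type octet */
        if (take(&p, &left, len_width, &plen) != 0 || plen > left)
            return ERR_OVERRUN;        /* header or value crosses the region end */
        p += plen;
        left -= plen;
        count++;
    }
    return count;
}

/* Constructed sample OPEN bodies (AS 65001, hold time 180, BGP id 192.0.2.1). */
#define FIXED 0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01
static const uint8_t OPEN_CLASSIC[]   = { FIXED, 8, 2, 6, 1, 4, 0, 1, 0, 1 };
static const uint8_t OPEN_EXTENDED[]  = { FIXED, 255, 255, 0, 9, 2, 0, 6, 1, 4, 0, 1, 0, 1 };
static const uint8_t OPEN_CUT_WORD[]  = { FIXED, 255, 255, 0 }; /* ends inside length word */
static const uint8_t OPEN_CUT_VALUE[] = { FIXED, 2, 2, 6 };     /* ends at param length octet */

int main(void)
{
    printf("%d %d %d %d\n", open_count_opt_params(OPEN_CLASSIC, sizeof OPEN_CLASSIC),
           open_count_opt_params(OPEN_EXTENDED, sizeof OPEN_EXTENDED),
           open_count_opt_params(OPEN_CUT_WORD, sizeof OPEN_CUT_WORD),
           open_count_opt_params(OPEN_CUT_VALUE, sizeof OPEN_CUT_VALUE));
    return 0;
}
```

Every length field is compared against the bytes actually remaining before the pointer moves, so a message that stops at a length octet or length word is rejected instead of being read past its end.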