CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3865 advisory.
------------------------------------------------------------------------- Debian LTS Advisory DLA-3865-1 [email protected] https://www.debian.org/lts/security/ Tobias Frost September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : frr Version : 7.5.1-1.1+deb11u3 CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949 CVE-2024-44070 Debian Bug : 1008010 1016978 1055852 1079649
Several vulnerabilities have been found in frr, the FRRouting suite of internet protocols. An attacker could craft packages to potentially trigger those effects: buffer overflows with the possibility to gain remote code execution, buffer overreads, crashes or trick the software to enter an infinite loop.
CVE-2022-26125
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.
CVE-2022-26126
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.
CVE-2022-26127
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.
CVE-2022-26128
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c.
CVE-2022-26129
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.
CVE-2022-37035
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-38406
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a flowspec overflow.
CVE-2023-38407
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.
CVE-2023-46752
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.
CVE-2023-46753
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.
CVE-2023-47234
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-47235
An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.
CVE-2024-31948
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVE-2024-31949
In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.
CVE-2024-44070
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.
For Debian 11 bullseye, these problems have been fixed in version 7.5.1-1.1+deb11u3.
We recommend that you upgrade your frr packages.
For the detailed security status of frr please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/frr
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
signature.asc Description: PGP signature
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3865. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(206448);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/03");
script_cve_id(
"CVE-2022-26125",
"CVE-2022-26126",
"CVE-2022-26127",
"CVE-2022-26128",
"CVE-2022-26129",
"CVE-2022-37035",
"CVE-2023-38406",
"CVE-2023-38407",
"CVE-2023-46752",
"CVE-2023-46753",
"CVE-2023-47234",
"CVE-2023-47235",
"CVE-2024-31948",
"CVE-2024-31949",
"CVE-2024-44070"
);
script_name(english:"Debian dla-3865 : frr - security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3865 advisory.
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3865-1 [email protected]
https://www.debian.org/lts/security/ Tobias Frost
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : frr
Version : 7.5.1-1.1+deb11u3
CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128
CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407
CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
CVE-2024-31948 CVE-2024-31949 CVE-2024-44070
Debian Bug : 1008010 1016978 1055852 1079649
Several vulnerabilities have been found in frr, the FRRouting suite of
internet protocols. An attacker could craft packages to potentially trigger
those effects: buffer overflows with the possibility to gain remote code
execution, buffer overreads, crashes or trick the software to enter an
infinite loop.
CVE-2022-26125
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the input packet length in isisd/isis_tlvs.c.
CVE-2022-26126
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
the use of strdup with a non-zero-terminated binary string in
isis_nb_notifications.c.
CVE-2022-26127
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
missing a check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26128
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
a wrong check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26129
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the subtlv length in the functions, parse_hello_subtlv,
parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.
CVE-2022-37035
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-38406
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
length of zero, aka a flowspec overflow.
CVE-2023-38407
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
the end of the stream during labeled unicast parsing.
CVE-2023-46752
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
malformed MP_REACH_NLRI data, leading to a crash.
CVE-2023-46753
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur for a crafted BGP UPDATE message without mandatory attributes,
e.g., one with only an unknown transit attribute.
CVE-2023-47234
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-47235
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when a malformed BGP UPDATE message with an EOR is processed,
because the presence of EOR does not lead to a treat-as-withdraw
outcome.
CVE-2024-31948
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVE-2024-31949
In FRRouting (FRR) through 9.1, an infinite loop can occur when
receiving a MP/GR capability as a dynamic capability because malformed
data results in a pointer not advancing.
CVE-2024-44070
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap
in bgpd/bgp_attr.c does not check the actual remaining stream length
before taking the TLV value.
For Debian 11 bullseye, these problems have been fixed in version
7.5.1-1.1+deb11u3.
We recommend that you upgrade your frr packages.
For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature
Tenable has extracted the preceding description block directly from the Debian security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/frr");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-26125");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-26126");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-26127");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-26128");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-26129");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-37035");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-38406");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-38407");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46752");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-46753");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-47234");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-47235");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-31948");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-31949");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-44070");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/frr");
script_set_attribute(attribute:"solution", value:
"Upgrade the frr packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-26129");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-38406");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/03");
script_set_attribute(attribute:"patch_publication_date", value:"2024/09/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:frr");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:frr-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:frr-pythontools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:frr-rpki-rtrlib");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:frr-snmp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '11.0', 'prefix': 'frr', 'reference': '7.5.1-1.1+deb11u3'},
{'release': '11.0', 'prefix': 'frr-doc', 'reference': '7.5.1-1.1+deb11u3'},
{'release': '11.0', 'prefix': 'frr-pythontools', 'reference': '7.5.1-1.1+deb11u3'},
{'release': '11.0', 'prefix': 'frr-rpki-rtrlib', 'reference': '7.5.1-1.1+deb11u3'},
{'release': '11.0', 'prefix': 'frr-snmp', 'reference': '7.5.1-1.1+deb11u3'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'frr / frr-doc / frr-pythontools / frr-rpki-rtrlib / frr-snmp');
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26127
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26129
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37035
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38406
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38407
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46752
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46753
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47234
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47235
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31948
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31949
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44070
packages.debian.org/source/bullseye/frr
security-tracker.debian.org/tracker/CVE-2022-26125
security-tracker.debian.org/tracker/CVE-2022-26126
security-tracker.debian.org/tracker/CVE-2022-26127
security-tracker.debian.org/tracker/CVE-2022-26128
security-tracker.debian.org/tracker/CVE-2022-26129
security-tracker.debian.org/tracker/CVE-2022-37035
security-tracker.debian.org/tracker/CVE-2023-38406
security-tracker.debian.org/tracker/CVE-2023-38407
security-tracker.debian.org/tracker/CVE-2023-46752
security-tracker.debian.org/tracker/CVE-2023-46753
security-tracker.debian.org/tracker/CVE-2023-47234
security-tracker.debian.org/tracker/CVE-2023-47235
security-tracker.debian.org/tracker/CVE-2024-31948
security-tracker.debian.org/tracker/CVE-2024-31949
security-tracker.debian.org/tracker/CVE-2024-44070
security-tracker.debian.org/tracker/source-package/frr
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High