CVE-2022-40318

2023-05-0312:16:27

Google

osv.dev

vulnerability

frrouting

bgpd

cve-2022-40318

denial of service

bgp open message

extended length option

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.2%

JSON

An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By crafting a BGP OPEN message with an option of type 0xff (Extended Length from RFC 9072), attackers may cause a denial of service (assertion failure and daemon restart, or out-of-bounds read). This is possible because of inconsistent boundary checks that do not account for reading 3 bytes (instead of 2) in this 0xff case. NOTE: this behavior occurs in bgp_open_option_parse in the bgp_open.c file, a different location (with a different attack vector) relative to CVE-2022-40302.

CPENameOperatorVersion
frreqfrr-5.1-de
frreqfrr-7.5-de
frreqfrr-3.0-rc1
frreqbase_8.3
frreqfrr-7.3-de
frreqreindent-master-after
frreqfrr-7.1-de
frreqbase_8.0
frreqbase_8.1
frreqbase_7.6

Name	Operator	Version
frr	eq	frr-5.1-de
frr	eq	frr-7.5-de
frr	eq	frr-3.0-rc1
frr	eq	base_8.3
frr	eq	frr-7.3-de
frr	eq	reindent-master-after
frr	eq	frr-7.1-de
frr	eq	base_8.0
frr	eq	base_8.1
frr	eq	base_7.6