CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
AI Score Confidence | High |
EPSS Percentile | 72.0% |

FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote
attacker to cause a denial of service via a crafted BGP update with a
corrupted attribute 23 (Tunnel Encapsulation).
Author | Note |
---|---|
sbeattie | VINCE #1159 |
eslerm | frr merged patch on 2023-08-29 bcb6b58d9 (“bgpd: Use treat-as-withdraw for tunnel encapsulation attribute”); quagga does not implement RFC 7606 |
mdeslaur | This was actually fixed in USN-6323-1, but was not listed because of a copy/paste error |
blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
kb.cert.org/vuls/id/347067
launchpad.net/bugs/cve/CVE-2023-38802
nvd.nist.gov/vuln/detail/CVE-2023-38802
security-tracker.debian.org/tracker/CVE-2023-38802
ubuntu.com/security/notices/USN-6323-1
ubuntu.com/security/notices/USN-6807-1
www.cve.org/CVERecord?id=CVE-2023-38802