-------------------------------------------------------------------------
Debian LTS Advisory DLA-3865-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Tobias Frost
September 03, 2024 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : frr
Version : 7.5.1-1.1+deb11u3
CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128
CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407
CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
CVE-2024-31948 CVE-2024-31949 CVE-2024-44070
Debian Bug : 1008010 1016978 1055852 1079649
Several vulnerabilities have been found in frr, the FRRouting suite of
internet routing protocols. An attacker could craft packets that trigger
buffer overflows (with the possibility of remote code execution), buffer
over-reads, crashes, or an infinite loop in the affected daemons.
CVE-2022-26125
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the input packet length in isisd/isis_tlvs.c.
CVE-2022-26126
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
the use of strdup with a non-zero-terminated binary string in
isis_nb_notifications.c.
CVE-2022-26127
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
missing a check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26128
A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to
a wrong check on the input packet length in the babel_packet_examin
function in babeld/message.c.
CVE-2022-26129
Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to
wrong checks on the subtlv length in the functions, parse_hello_subtlv,
parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.
CVE-2022-37035
An issue was discovered in bgpd in FRRouting (FRR) 8.3. In
bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,
there is a possible use-after-free due to a race condition. This could
lead to Remote Code Execution or Information Disclosure by sending
crafted BGP packets. User interaction is not needed for exploitation.
CVE-2023-38406
bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri
length of zero, aka a "flowspec overflow."
CVE-2023-38407
bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond
the end of the stream during labeled unicast parsing.
CVE-2023-46752
An issue was discovered in FRRouting FRR through 9.0.1. It mishandles
malformed MP_REACH_NLRI data, leading to a crash.
CVE-2023-46753
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur for a crafted BGP UPDATE message without mandatory attributes,
e.g., one with only an unknown transit attribute.
CVE-2023-47234
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when processing a crafted BGP UPDATE message with a
MP_UNREACH_NLRI attribute and additional NLRI data (that lacks mandatory
path attributes).
CVE-2023-47235
An issue was discovered in FRRouting FRR through 9.0.1. A crash can
occur when a malformed BGP UPDATE message with an EOR is processed,
because the presence of EOR does not lead to a treat-as-withdraw
outcome.
CVE-2024-31948
In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID
attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.
CVE-2024-31949
In FRRouting (FRR) through 9.1, an infinite loop can occur when
receiving a MP/GR capability as a dynamic capability because malformed
data results in a pointer not advancing.
CVE-2024-44070
An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap
in bgpd/bgp_attr.c does not check the actual remaining stream length
before taking the TLV value.
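Most of the issues above are variations of three parsing mistakes: the length
of a TLV or sub-TLV is checked against the whole packet instead of against the
bytes that actually remain (CVE-2022-26125, CVE-2022-26127, CVE-2022-26128,
CVE-2022-26129, CVE-2024-44070), a length field of zero leaves the cursor where
it was and the parser spins forever (CVE-2024-31949), and a binary value is
handed to strdup() as if it were NUL-terminated (CVE-2022-26126). The walker
below is an added example written for this advisory, not FRR code; it uses a
hypothetical record layout (1-byte type, 1-byte total length that includes the
2-byte header, then the value) and constructed sample inputs, and shows the
three checks a hardened parser needs.

```c
/* tlv_guard.c: bounds- and progress-checked TLV walker (added example,
 * not FRR code). Hypothetical record layout: type (1 byte), total length
 * (1 byte, counting the 2 header bytes), then total-2 bytes of value. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tlv_status {
    TLV_OK = 0,
    TLV_TRUNCATED,    /* header or value runs past the end of the stream   */
    TLV_NO_PROGRESS,  /* total length < header size: cursor would not move */
    TLV_TOO_MANY      /* caller's output array is full                     */
};

struct tlv_view {
    uint8_t type;
    uint8_t vlen;          /* value length, i.e. total - 2 */
    const uint8_t *value;  /* points into the caller's buffer */
};

enum tlv_status parse_tlvs(const uint8_t *buf, size_t buflen,
                           struct tlv_view *out, size_t max_out, size_t *count)
{
    size_t off = 0;
    *count = 0;
    while (off < buflen) {
        /* 1. The 2-byte header itself must fit in what remains. */
        if (buflen - off < 2)
            return TLV_TRUNCATED;
        uint8_t type = buf[off];
        uint8_t total = buf[off + 1];
        /* 2. A total length shorter than the header can never advance the
         *    cursor; without this check a crafted 0 spins the loop forever. */
        if (total < 2)
            return TLV_NO_PROGRESS;
        /* 3. Check the value against the *remaining* stream, not buflen. */
        if ((size_t)total > buflen - off)
            return TLV_TRUNCATED;
        if (*count == max_out)
            return TLV_TOO_MANY;
        out[*count].type = type;
        out[*count].vlen = (uint8_t)(total - 2);
        out[*count].value = buf + off + 2;
        (*count)++;
        off += total;  /* total >= 2, so the cursor always moves */
    }
    return TLV_OK;
}

/* Copy a TLV value (binary, not NUL-terminated) into a fresh C string.
 * strdup() on such a value would read on until the next NUL somewhere past
 * the record; copy exactly vlen bytes and terminate it ourselves instead. */
char *tlv_value_dup(const struct tlv_view *tlv)
{
    char *s = malloc((size_t)tlv->vlen + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, tlv->value, tlv->vlen);
    s[tlv->vlen] = '\0';
    return s;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t good[] = { 0x01, 0x05, 'a', 'b', 'c',   /* type 1, value "abc"  */
                                0x02, 0x02,                  /* type 2, empty value  */
                                0x03, 0x03, 0xff };          /* type 3, one byte     */
static const uint8_t truncated[] = { 0x01, 0x09, 'a', 'b' }; /* claims 7 value bytes, has 2 */
static const uint8_t zero_len[]  = { 0x01, 0x00, 0x00 };     /* total 0: would never advance */

int main(void)
{
    struct tlv_view v[8];
    size_t n;
    enum tlv_status st = parse_tlvs(good, sizeof good, v, 8, &n);
    printf("good: status=%d count=%zu\n", st, n);
    if (st == TLV_OK && n > 0) {
        char *s = tlv_value_dup(&v[0]);
        printf("first value as string: \"%s\"\n", s);
        free(s);
    }
    printf("truncated: status=%d\n", parse_tlvs(truncated, sizeof truncated, v, 8, &n));
    printf("zero_len: status=%d\n", parse_tlvs(zero_len, sizeof zero_len, v, 8, &n));
    return 0;
}
```

The ordering of the checks matters: the header-fits check must come before the
header bytes are read, and the progress check must come before the length is
used to move the cursor, otherwise a single zero byte from a peer is enough to
pin the daemon at 100% CPU. Returning a status instead of asserting lets the
caller apply a protocol-appropriate reaction, such as treating a malformed BGP
UPDATE as a withdraw rather than terminating the session.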
For Debian 11 bullseye, these problems have been fixed in version
7.5.1-1.1+deb11u3.
We recommend that you upgrade your frr packages.
For the detailed security status of frr please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/frr
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS