Flow Specification Overflow Vulnerability in FRRouting Software
CVE-2023-38406

9.8CRITICAL

Key Information:

Vendor: Frrouting
Status: Frrouting
Vendor: CVE Published:; 6 November 2023

What is CVE-2023-38406?

In FRRouting versions prior to 8.4.3, a significant vulnerability exists in the bgpd/bgp_flowspec.c component, where an improper handling of a zero-length Network Layer Reachability Information (NLRI) can lead to a flowspec overflow. This can have serious implications for the routing functionality and could potentially be exploited to disrupt network operations. Users are strongly advised to upgrade to version 8.4.3 or later to mitigate risks associated with this vulnerability, ensuring the integrity and reliability of their network infrastructure.

References

https://github.com/FRRouting/frr/pull/12884

https://github.com/FRRouting/frr/compare/frr-8.4.2...frr-...

https://lists.debian.org/debian-lts-announce/2024/04/msg0...

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2023
Vulnerability Reserved
Jul 17, 2023

Frrouting

What is CVE-2023-38406?

References

CVSS V3.1

Timeline