CVE-2022-37032 and CVE-2022-36440 #13202

Closed
ajakk opened this issue Apr 4, 2023 · 4 comments
Labels
triage Needs further investigation

Comments

@ajakk

ajakk commented Apr 4, 2023

Github user @spwpun has published two vulnerabilities in frr. Reproducers are included in their disclosures:

https://github.com/spwpun/CVE-2022-37032/blob/main/poc.py
https://github.com/spwpun/pocs/blob/main/frr-bgpd.md

Is there any fix available?

@ajakk ajakk added the triage Needs further investigation label Apr 4, 2023
@ajakk ajakk changed the title from "CVE-2022-37032 and CVE-36440" to "CVE-2022-37032 and CVE-2022-36440" Apr 4, 2023
@ton31337
Member

ton31337 commented Apr 4, 2023

This is fixed in 8.4 and above.

@ton31337 ton31337 closed this as completed Apr 4, 2023
@ajakk
Author

ajakk commented Apr 5, 2023

Where are the patch(es)?

@ton31337
Member

ton31337 commented Apr 5, 2023

@carnil

carnil commented Apr 10, 2023

So

correct?

KanjiMonster added a commit to bisdn/meta-openembedded that referenced this issue May 11, 2023
Add a security fix from the stable/8.2 branch for two CVEs for the same
vulnerability:

CVE-2022-36440:
A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the
peek_for_as4_capability function. Attackers can maliciously construct
BGP open packets and send them to BGP peers running frr-bgpd, resulting
in DoS.

CVE-2022-40302:
An issue was discovered in bgpd in FRRouting (FRR) through 8.4. By
crafting a BGP OPEN message with an option of type 0xff (Extended Length
from RFC 9072), attackers may cause a denial of service (assertion
failure and daemon restart, or out-of-bounds read). This is possible
because of inconsistent boundary checks that do not account for reading
3 bytes (instead of 2) in this 0xff case.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-36440
https://nvd.nist.gov/vuln/detail/CVE-2022-40302
https://cyberriskleaders.com/new-vulnerabilities-disclosed-in-frrouting-software/
FRRouting/frr#13202

Patch from:
FRRouting/frr@02a0e45

Signed-off-by: Jonas Gorski <[email protected]>
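The two CVE descriptions above both come down to reading BGP OPEN optional parameters from attacker-controlled bytes without checking that the bytes are actually there: the capability walk reached by peek_for_as4_capability, and the 3-octet parameter header of the RFC 9072 extended form being checked as if it were the classic 2-octet one. The following is an added example, not FRR's code and not the referenced patch, showing what a bounds-checked parser for that region of the OPEN message looks like. The wire layout and constants are taken from RFC 4271 (optional parameters), RFC 5492 (capabilities parameter, type 2), RFC 6793 (AS4 capability, code 65, 4-octet value) and RFC 9072 (0xff/0xff marker, 2-octet Extended Opt. Parm. Length, 2-octet parameter lengths); the function and type names (`parse_open_opts`, `struct open_opts`, `parse_sample`, the `S_*` samples) and the sample messages are this example's own, constructed, not captured traffic. Every short read returns an error instead of asserting, which is what a daemon needs on untrusted input.

```c
/* Added example (not FRR code): bounds-checked parse of BGP OPEN optional
 * parameters, classic (RFC 4271) and extended (RFC 9072) forms, with a
 * peek for the 4-octet AS capability (RFC 6793, code 65).
 * Build: cc -std=c99 -Wall bgp_open_opts.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPT_PARAM_CAPABILITY 2    /* RFC 5492 */
#define CAP_CODE_AS4         65   /* RFC 6793 */
#define OPT_LEN_EXTENDED     0xff /* RFC 9072 marker in Opt Parm Len */
#define OPT_TYPE_EXTENDED    0xff /* RFC 9072 marker in the following octet */

struct cur { const uint8_t *p; size_t left; };

static int get8(struct cur *c, uint8_t *v)
{
    if (c->left < 1) return -1;
    *v = *c->p++; c->left--; return 0;
}
static int get16(struct cur *c, uint16_t *v)
{
    if (c->left < 2) return -1;
    *v = (uint16_t)(c->p[0] << 8 | c->p[1]);
    c->p += 2; c->left -= 2; return 0;
}

struct open_opts {
    int extended;  /* 1 when the RFC 9072 extended form was used */
    int nparams;   /* optional parameters seen */
    int has_as4;   /* 1 when capability 65 was present */
    uint32_t as4;  /* its value */
};

/* buf/len: the OPEN body after the fixed 10 octets (Version, My AS,
 * Hold Time, BGP Identifier). Returns 0 on success, -1 if malformed. */
int parse_open_opts(const uint8_t *buf, size_t len, struct open_opts *out)
{
    struct cur c = { buf, len };
    uint8_t b, type;
    uint16_t optlen, plen;

    memset(out, 0, sizeof(*out));
    if (get8(&c, &b)) return -1;
    optlen = b;
    /* RFC 9072: Opt Parm Len 0xff followed by 0xff announces a 2-octet
     * Extended Opt. Parm. Length, and each parameter header grows from
     * type(1)+len(1) to type(1)+len(2). A 0xff followed by anything else
     * is treated here as an ordinary 255-octet parameter block. */
    if (b == OPT_LEN_EXTENDED && c.left >= 1 && c.p[0] == OPT_TYPE_EXTENDED) {
        get8(&c, &b);
        if (get16(&c, &optlen)) return -1;
        out->extended = 1;
    }
    if (optlen > c.left) return -1;  /* declared block longer than received */
    c.left = optlen;                 /* never read past the declared block */

    while (c.left > 0) {
        /* The CVE-2022-40302 check: an extended header is 3 octets, a classic
         * one 2. Testing for 2 in both modes lets the get16 below overrun. */
        if (c.left < (out->extended ? 3u : 2u)) return -1;
        get8(&c, &type);
        if (out->extended) get16(&c, &plen); else { get8(&c, &b); plen = b; }
        if (plen > c.left) return -1;

        if (type == OPT_PARAM_CAPABILITY) {
            struct cur cap = { c.p, plen };  /* RFC 5492: code(1) len(1) value */
            while (cap.left > 0) {
                uint8_t code, clen;
                if (cap.left < 2) return -1;
                get8(&cap, &code); get8(&cap, &clen);
                if (clen > cap.left) return -1;
                if (code == CAP_CODE_AS4) {
                    if (clen != 4) return -1;  /* RFC 6793 fixes the length */
                    out->as4 = (uint32_t)cap.p[0] << 24 | (uint32_t)cap.p[1] << 16
                             | (uint32_t)cap.p[2] << 8 | cap.p[3];
                    out->has_as4 = 1;
                }
                cap.p += clen; cap.left -= clen;
            }
        }
        c.p += plen; c.left -= plen;
        out->nparams++;
    }
    return 0;
}

/* Constructed samples, not captured traffic. AS4 value 65536 = 0x00010000. */
static const uint8_t S_CLASSIC[]   = { 0x08, 0x02, 0x06, 0x41, 0x04, 0x00, 0x01, 0x00, 0x00 };
static const uint8_t S_EXTENDED[]  = { 0xff, 0xff, 0x00, 0x09, 0x02, 0x00, 0x06,
                                       0x41, 0x04, 0x00, 0x01, 0x00, 0x00 };
/* Extended form whose block holds 2 octets: a "need 2" check passes, but the
 * 2-octet length read would run one byte past the block. */
static const uint8_t S_TRUNCATED[] = { 0xff, 0xff, 0x00, 0x02, 0x02, 0x00 };
/* Classic form declaring 8 octets of parameters but carrying 3. */
static const uint8_t S_SHORT[]     = { 0x08, 0x02, 0x06, 0x41 };

enum { SAMPLE_CLASSIC, SAMPLE_EXTENDED, SAMPLE_TRUNCATED, SAMPLE_SHORT };

int parse_sample(int which, struct open_opts *o)
{
    switch (which) {
    case SAMPLE_CLASSIC:   return parse_open_opts(S_CLASSIC, sizeof S_CLASSIC, o);
    case SAMPLE_EXTENDED:  return parse_open_opts(S_EXTENDED, sizeof S_EXTENDED, o);
    case SAMPLE_TRUNCATED: return parse_open_opts(S_TRUNCATED, sizeof S_TRUNCATED, o);
    default:               return parse_open_opts(S_SHORT, sizeof S_SHORT, o);
    }
}
/* Scalar views: parse status, extended flag (-1 on error), AS4 (-1 if absent). */
int sample_status(int which)   { struct open_opts o; return parse_sample(which, &o); }
int sample_extended(int which) { struct open_opts o; return parse_sample(which, &o) ? -1 : o.extended; }
long sample_as4(int which)     { struct open_opts o; return parse_sample(which, &o) || !o.has_as4 ? -1 : (long)o.as4; }

int main(void)
{
    static const char *name[] = { "classic", "extended", "truncated", "short" };
    for (int i = 0; i < 4; i++)
        printf("%-9s status=%d extended=%d as4=%ld\n", name[i],
               sample_status(i), sample_extended(i), sample_as4(i));
    return 0;
}
```

The truncated sample is the case the second CVE text describes: the declared parameter block is consistent with what arrived, so a length check on the block alone passes, and only the per-header check that accounts for the extra length octet in extended mode stops the read. Rejecting with -1 (in a real daemon, an OPEN Message Error NOTIFICATION) rather than asserting keeps one bad peer from restarting bgpd for everyone.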
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Jun 7, 2023
Signed-off-by: Jonas Gorski <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/meta-openembedded that referenced this issue Jun 15, 2023
Source: meta-openembedded
MR: 126092
Type: Integration
Disposition: Merged from meta-openembedded
ChangeID: 49c8c1e
Signed-off-by: Jonas Gorski <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
Signed-off-by: Jeremy A. Puhlman <[email protected]>
xhuff pushed a commit to xhuff/meta-openembedded that referenced this issue Jun 16, 2023
Signed-off-by: Jonas Gorski <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>