|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | carlos.lopez, jsegitz, mardnh, smash_bz |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/338551/ | ||
| Whiteboard: | CVSSv3.1:SUSE:CVE-2022-37032:7.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1196957 | ||
| Bug Blocks: | |||
Affected: - SUSE:SLE-15-SP3:Update - openSUSE:Factory Submission request to SLE in https://build.suse.de/request/show/279073 Submission request to network is in https://build.opensuse.org/request/show/1001418 (In reply to Marius Tomaschewski from comment #5) > Submission request to network is in > https://build.opensuse.org/request/show/1001418 On the way to factory in https://build.opensuse.org/request/show/1001456 Assigning back to security-team. SUSE-SU-2022:3246-1: An update that fixes two vulnerabilities is now available. Category: security (important) Bug References: 1202022,1202023 CVE References: CVE-2019-25074,CVE-2022-37032 JIRA References: Sources used: openSUSE Leap 15.4 (src): frr-7.4-150300.4.7.1 openSUSE Leap 15.3 (src): frr-7.4-150300.4.7.1 SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): frr-7.4-150300.4.7.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): frr-7.4-150300.4.7.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination. Done, closing. |
When FRR receives a BGP capability message, the following call trace occurs when an attempt is made to parse it: ``` #0 bgp_capability_msg_parse() in bgpd/bgp_packet.c #1 bgp_capability_receive() in bgpd/bgp_packet.c #2 bgp_process_packet() in bgpd/bgp_packet.c ``` In `bgp_capability_msg_parse()`, an inproper calculation on the bounds of the available data is made. ```c static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt, bgp_size_t length) { ... end = pnt + length; while (pnt < end) { /* We need at least action, capability code and capability * length. */ if (pnt + 3 > end) { /* error ... */ } ... hdr = (struct capability_header *)(pnt + 1); ... /* Capability length check. */ if ((pnt + hdr->length + 3) > end) { /* error ... */ } /* Fetch structure to the byte stream. */ memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data)); pnt += hdr->length + 3; } return BGP_PACKET_NOOP; } ``` While the first length check is properly done, the second one relies on a value directly read from the packet without verification. `hdr->length` is used to check the remaining amount of data, but the actual amount read is `sizeof(struct capability_mp_data)`. This means that the size check can be bypassed, causing `memcpy()` to read out of bounds. This issue could be exploited to trigger a segmentation fault, leading to denial of service, or cause undefined behavior via corrupt fields in `mpc`. This issue was fixed with the following commit: https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed