Bug 1202023 (CVE-2022-37032)

Summary: VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, jsegitz, mardnh, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/338551/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-37032:7.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1196957    
Bug Blocks:    

Description Carlos López 2022-08-01 10:25:45 UTC
When FRR receives a BGP capability message, the following call trace occurs when an attempt is made to parse it:

```
#0 bgp_capability_msg_parse() in bgpd/bgp_packet.c
#1 bgp_capability_receive() in bgpd/bgp_packet.c
#2 bgp_process_packet() in bgpd/bgp_packet.c
```

In `bgp_capability_msg_parse()`, an inproper calculation on the bounds of the available data is made.

```c
static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
					bgp_size_t length)
{
	...
	end = pnt + length;

	while (pnt < end) {
		/* We need at least action, capability code and capability
		 * length. */
		if (pnt + 3 > end) {
			/* error ... */
		}
		...
		hdr = (struct capability_header *)(pnt + 1);

		...

		/* Capability length check. */
		if ((pnt + hdr->length + 3) > end) {
			/* error ... */
		}

		/* Fetch structure to the byte stream. */
		memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
		pnt += hdr->length + 3;

	}

	return BGP_PACKET_NOOP;
}
```

While the first length check is properly done, the second one relies on a value directly read from the packet without verification. `hdr->length` is used to check the remaining amount of data, but the actual amount read is `sizeof(struct capability_mp_data)`. This means that the size check can be bypassed, causing `memcpy()` to read out of bounds.

This issue could be exploited to trigger a segmentation fault, leading to denial of service, or cause undefined behavior via corrupt fields in `mpc`.

This issue was fixed with the following commit:
https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed
Comment 1 Carlos López 2022-08-01 12:46:07 UTC
Affected:
 - SUSE:SLE-15-SP3:Update
 - openSUSE:Factory
Comment 4 Marius Tomaschewski 2022-09-06 10:26:16 UTC
Submission request to SLE in https://build.suse.de/request/show/279073
Comment 5 Marius Tomaschewski 2022-09-06 10:30:47 UTC
Submission request to network is in https://build.opensuse.org/request/show/1001418
Comment 6 Marius Tomaschewski 2022-09-06 14:49:25 UTC
(In reply to Marius Tomaschewski from comment #5)
> Submission request to network is in
> https://build.opensuse.org/request/show/1001418

On the way to factory in https://build.opensuse.org/request/show/1001456

Assigning back to security-team.
Comment 7 Swamp Workflow Management 2022-09-12 10:24:35 UTC
SUSE-SU-2022:3246-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202022,1202023
CVE References: CVE-2019-25074,CVE-2022-37032
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    frr-7.4-150300.4.7.1
openSUSE Leap 15.3 (src):    frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    frr-7.4-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Carlos López 2022-10-13 14:50:56 UTC
Done, closing.