Bug 1223786 (CVE-2024-34088)

Summary: VUL-0: CVE-2024-34088: frr,quagga: frr: null pointer via get_edge() function can trigger a denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: camila.matos, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/403668/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-34088:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-05-02 17:39:00 UTC 
In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34088
https://www.cve.org/CVERecord?id=CVE-2024-34088
https://github.com/FRRouting/frr/pull/15674/commits/34d704fb0ea60dc5063af477a2c11d4884984d4f
https://bugzilla.redhat.com/show_bug.cgi?id=2278067
Comment 2 Camila Camargo de Matos 2024-05-02 17:41:25 UTC 
As of 2024-04-02, the upstream PR that contains a suggested fix for this issue [0] has not yet been merged.

[0] https://github.com/FRRouting/frr/pull/15674
Comment 3 Camila Camargo de Matos 2024-05-02 17:47:48 UTC 
The vulnerable code seems to have been introduced with commit https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (which is in turn a part of https://github.com/FRRouting/frr/pull/8137). Therefore, it is likely that frr packages at versions prior to 8.0.0 are not affected by this issue.
Comment 11 Maintenance Automation 2024-06-10 20:30:01 UTC 
SUSE-SU-2024:1971-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222526, 1222528, 1223786
CVE References: CVE-2024-31950, CVE-2024-31951, CVE-2024-34088
Maintenance Incident: [SUSE:Maintenance:34170](https://smelt.suse.de/incident/34170/)
Sources used:
openSUSE Leap 15.5 (src):
 frr-8.4-150500.4.23.1
openSUSE Leap 15.6 (src):
 frr-8.4-150500.4.23.1
Server Applications Module 15-SP5 (src):
 frr-8.4-150500.4.23.1
Server Applications Module 15-SP6 (src):
 frr-8.4-150500.4.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Andrea Mattiazzo 2024-06-12 07:48:45 UTC 
All done, closing.