Bug 1202023 (CVE-2022-37032) - VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
Summary: VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to ...
Status: RESOLVED FIXED
Alias: CVE-2022-37032
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/338551/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-37032:7.1:(AV:...
Keywords:
Depends on: 1196957
Blocks:
Reported: 2022-08-01 10:25 UTC by Carlos López
Modified: 2024-10-25 11:40 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Carlos López 2022-08-01 10:25:45 UTC
When FRR receives a BGP capability message, the following call trace occurs when an attempt is made to parse it:

```
#0 bgp_capability_msg_parse() in bgpd/bgp_packet.c
#1 bgp_capability_receive() in bgpd/bgp_packet.c
#2 bgp_process_packet() in bgpd/bgp_packet.c
```

In `bgp_capability_msg_parse()`, an improper calculation on the bounds of the available data is made.

```c
static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
					bgp_size_t length)
{
	...
	end = pnt + length;

	while (pnt < end) {
		/* We need at least action, capability code and capability
		 * length. */
		if (pnt + 3 > end) {
			/* error ... */
		}
		...
		hdr = (struct capability_header *)(pnt + 1);

		...

		/* Capability length check. */
		if ((pnt + hdr->length + 3) > end) {
			/* error ... */
		}

		/* Fetch structure to the byte stream. */
		memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
		pnt += hdr->length + 3;

	}

	return BGP_PACKET_NOOP;
}
```

While the first length check is properly done, the second one relies on a value directly read from the packet without verification. `hdr->length` is used to check the remaining amount of data, but the actual amount read is `sizeof(struct capability_mp_data)`. This means that the size check can be bypassed, causing `memcpy()` to read out of bounds.

This issue could be exploited to trigger a segmentation fault, leading to denial of service, or cause undefined behavior via corrupt fields in `mpc`.

This issue was fixed with the following commit:
https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed
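As an added illustration of the bounds problem described in this report, the following C program is not FRR's code and not the reporter's; it models the capability-message walk with two versions of the second length check side by side. The `struct capability_header` and `struct capability_mp_data` layouts, the `hardened_length_check()` condition and the sample messages are this example's own assumptions and are not taken from the upstream fix commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the FRR structures. The field layout is assumed for this
 * example and is not copied from bgpd. */
struct capability_header {
    uint8_t code;
    uint8_t length;
};

struct capability_mp_data {
    uint16_t afi;      /* big-endian on the wire */
    uint8_t reserved;
    uint8_t safi;
};

/* action + code + length: the three bytes the first check requires */
#define CAP_HDR_LEN 3

/* Mirrors the check quoted in the report: only the advertised hdr->length
 * is compared against the remaining bytes. `avail` is end - pnt. */
static bool original_length_check(size_t avail, uint8_t cap_len)
{
    return (size_t)cap_len + CAP_HDR_LEN <= avail;
}

/* Hardened check (this example's own, not necessarily the upstream fix):
 * the advertised length must fit in the buffer AND must cover the
 * sizeof(struct capability_mp_data) bytes that memcpy() will read. */
static bool hardened_length_check(size_t avail, uint8_t cap_len)
{
    if (avail < CAP_HDR_LEN)
        return false;
    size_t payload = avail - CAP_HDR_LEN;
    if (cap_len > payload)
        return false;
    return cap_len >= sizeof(struct capability_mp_data);
}

/* Walk a capability message of `length` bytes using the hardened check.
 * Decoded MP entries are stored in `out` (at most `max_out`).
 * Returns the number of entries seen, or -1 if the message is malformed. */
static int parse_capability_msg(const uint8_t *pnt, size_t length,
                                struct capability_mp_data *out, int max_out)
{
    const uint8_t *end = pnt + length;
    int n = 0;

    while (pnt < end) {
        size_t avail = (size_t)(end - pnt);
        /* We need at least action, capability code and capability length. */
        if (avail < CAP_HDR_LEN)
            return -1;
        const struct capability_header *hdr =
            (const struct capability_header *)(pnt + 1);
        if (!hardened_length_check(avail, hdr->length))
            return -1;

        struct capability_mp_data mpc;
        memcpy(&mpc, pnt + CAP_HDR_LEN, sizeof(mpc));
        /* afi is network byte order on the wire; decode it explicitly */
        mpc.afi = (uint16_t)((pnt[3] << 8) | pnt[4]);
        if (n < max_out)
            out[n] = mpc;
        n++;
        pnt += hdr->length + CAP_HDR_LEN;
    }
    return n;
}

/* Constructed sample: one well-formed MP capability,
 * action=0, code=1, length=4, afi=1, reserved=0, safi=1. */
static const uint8_t good_msg[] = { 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };

/* Constructed sample: the header advertises length 0 and nothing follows.
 * The original check accepts it (0 + 3 <= 3) even though memcpy() would
 * read sizeof(struct capability_mp_data) bytes past the end. */
static const uint8_t short_msg[] = { 0x00, 0x01, 0x00 };

/* Convenience wrappers that return results instead of printing them. */
static int count_entries(const uint8_t *msg, size_t len)
{
    struct capability_mp_data out[8];
    return parse_capability_msg(msg, len, out, 8);
}

static int first_afi(const uint8_t *msg, size_t len)
{
    struct capability_mp_data out[8];
    if (parse_capability_msg(msg, len, out, 8) < 1)
        return -1;
    return out[0].afi;
}

int main(void)
{
    printf("good_msg: %d entries, afi=%d\n",
           count_entries(good_msg, sizeof good_msg),
           first_afi(good_msg, sizeof good_msg));
    printf("short_msg: original check %s, hardened check %s, parse=%d\n",
           original_length_check(sizeof short_msg, 0) ? "accepts" : "rejects",
           hardened_length_check(sizeof short_msg, 0) ? "accepts" : "rejects",
           count_entries(short_msg, sizeof short_msg));
    return 0;
}
```

The point the two checks make concrete is the one in the report: the advertised `hdr->length` is attacker-controlled, and a check built only on it says nothing about whether a fixed-size `memcpy()` stays inside the buffer; the copy size has to be part of the comparison.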
Comment 1 Carlos López 2022-08-01 12:46:07 UTC
Affected:
 - SUSE:SLE-15-SP3:Update
 - openSUSE:Factory
Comment 4 Marius Tomaschewski 2022-09-06 10:26:16 UTC
Submission request to SLE in https://build.suse.de/request/show/279073
Comment 5 Marius Tomaschewski 2022-09-06 10:30:47 UTC
Submission request to network is in https://build.opensuse.org/request/show/1001418
Comment 6 Marius Tomaschewski 2022-09-06 14:49:25 UTC
(In reply to Marius Tomaschewski from comment #5)
> Submission request to network is in
> https://build.opensuse.org/request/show/1001418

On the way to factory in https://build.opensuse.org/request/show/1001456

Assigning back to security-team.
Comment 7 Swamp Workflow Management 2022-09-12 10:24:35 UTC
SUSE-SU-2022:3246-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202022,1202023
CVE References: CVE-2019-25074,CVE-2022-37032
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    frr-7.4-150300.4.7.1
openSUSE Leap 15.3 (src):    frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    frr-7.4-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Carlos López 2022-10-13 14:50:56 UTC
Done, closing.
Comment 16 Maintenance Automation 2024-09-24 20:30:27 UTC
SUSE-SU-2024:3426-1: An update that solves seven vulnerabilities and has one security fix can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243426-1
Category: security (important)
Bug References: 1069468, 1079798, 1079799, 1079800, 1079801, 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2018-5378, CVE-2018-5379, CVE-2018-5380, CVE-2018-5381, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35809](https://smelt.suse.de/incident/35809/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 quagga-1.1.1-17.13.1
SUSE Linux Enterprise Server 12 SP5 (src):
 quagga-1.1.1-17.13.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 quagga-1.1.1-17.13.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 quagga-1.1.1-17.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Maintenance Automation 2024-09-25 12:30:05 UTC
SUSE-SU-2024:3433-1: An update that solves three vulnerabilities can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243433-1
Category: security (important)
Bug References: 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35810](https://smelt.suse.de/incident/35810/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 quagga-1.1.1-150000.4.6.1
SUSE Enterprise Storage 7.1 (src):
 quagga-1.1.1-150000.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Maintenance Automation 2024-09-27 16:34:55 UTC
SUSE-SU-2024:3478-1: An update that solves three vulnerabilities can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243478-1
Category: security (important)
Bug References: 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35806](https://smelt.suse.de/incident/35806/)
Sources used:
openSUSE Leap 15.4 (src):
 quagga-1.1.1-150400.12.8.1
openSUSE Leap 15.5 (src):
 quagga-1.1.1-150400.12.8.1
openSUSE Leap 15.6 (src):
 quagga-1.1.1-150400.12.8.1
Server Applications Module 15-SP5 (src):
 quagga-1.1.1-150400.12.8.1
Server Applications Module 15-SP6 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Manager Proxy 4.3 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Manager Retail Branch Server 4.3 (src):
 quagga-1.1.1-150400.12.8.1
SUSE Manager Server 4.3 (src):
 quagga-1.1.1-150400.12.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.