Bugzilla – Bug 1202023
VUL-0: CVE-2022-37032: frr: out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
Last modified: 2024-10-25 11:40:37 UTC
When FRR receives a BGP capability message, the following call trace occurs when an attempt is made to parse it:

```
#0 bgp_capability_msg_parse() in bgpd/bgp_packet.c
#1 bgp_capability_receive() in bgpd/bgp_packet.c
#2 bgp_process_packet() in bgpd/bgp_packet.c
```

In `bgp_capability_msg_parse()`, an improper calculation on the bounds of the available data is made.

```c
static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
				    bgp_size_t length)
{
	...
	end = pnt + length;

	while (pnt < end) {
		/* We need at least action, capability code and capability
		 * length. */
		if (pnt + 3 > end) {
			/* error ... */
		}
		...
		/* Header (code, length) follows the one-byte action;
		 * hdr->length comes straight from the peer. */
		hdr = (struct capability_header *)(pnt + 1);
		...
		/* Capability length check. */
		if ((pnt + hdr->length + 3) > end) {
			/* error ... */
		}

		/* Fetch structure to the byte stream.
		 * Fixed-size copy, independent of hdr->length. */
		memcpy(&mpc, pnt + 3, sizeof(struct capability_mp_data));
		pnt += hdr->length + 3;
	}

	return BGP_PACKET_NOOP;
}
```

While the first length check is properly done, the second one relies on a value directly read from the packet without verification. `hdr->length` is used to check the remaining amount of data, but the actual amount read is `sizeof(struct capability_mp_data)`. This means that the size check can be bypassed, causing `memcpy()` to read out of bounds.

This issue could be exploited to trigger a segmentation fault, leading to denial of service, or cause undefined behavior via corrupt fields in `mpc`.

This issue was fixed with the following commit:
https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed
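To make the length mismatch described above concrete, here is an added, self-contained C example written for this bug entry; it is not FRR code and not the upstream patch. It places the flawed check (remaining bytes tested against the peer-supplied `hdr->length`, then a fixed `sizeof(struct capability_mp_data)` copy) beside a hardened variant that additionally requires `hdr->length` to be at least the size of the structure being copied, and runs both over constructed capability messages. The struct layouts (assumed to mirror `bgpd/bgp_open.h`), the message bytes and the names `parse_caps_vulnerable`, `parse_caps_fixed`, `overread_for` and `fixed_result_for` are assumptions made for this example. The vulnerable variant measures how many bytes the `memcpy()` would read past the end of the buffer instead of actually performing the out-of-bounds read, so the demo stays memory-safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts assumed to mirror FRR's bgpd/bgp_open.h for this example. */
struct capability_header {
	uint8_t code;
	uint8_t length;
};

struct capability_mp_data {
	uint16_t afi;
	uint8_t reserved;
	uint8_t safi;
};
_Static_assert(sizeof(struct capability_mp_data) == 4, "MP data is 4 bytes on the wire");

enum cap_result {
	CAP_OK = 0,
	CAP_ERR_TRUNCATED = -1,    /* not enough bytes for header or body */
	CAP_ERR_SHORT_LENGTH = -2  /* hdr->length smaller than the copied struct */
};

/* Constructed messages: action, code, length, then payload (not real captures). */
static const uint8_t kValidMpCap[] = { 0x00, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 }; /* MP cap, AFI 1 / SAFI 1 */
static const uint8_t kShortMpCap[] = { 0x00, 0x01, 0x00 };                         /* length 0: copy would read 4 past end */
static const uint8_t kTruncMpCap[] = { 0x00, 0x01, 0x02, 0x00, 0x01 };             /* length 2: copy would read 2 past end */

/* Flawed logic: bounds are checked against hdr->length, but the copy is
 * always sizeof(mpc). Instead of overrunning, report the overrun size. */
static int parse_caps_vulnerable(const uint8_t *pnt, size_t length, size_t *overread)
{
	const uint8_t *end = pnt + length;
	struct capability_mp_data mpc;

	*overread = 0;
	while (pnt < end) {
		size_t remaining = (size_t)(end - pnt);

		/* action + code + length */
		if (remaining < 3)
			return CAP_ERR_TRUNCATED;
		const struct capability_header *hdr =
			(const struct capability_header *)(pnt + 1);

		/* Same test as `(pnt + hdr->length + 3) > end`: trusts the peer's length. */
		if (remaining < (size_t)hdr->length + 3)
			return CAP_ERR_TRUNCATED;

		/* The real code copies sizeof(mpc) bytes here regardless of hdr->length. */
		size_t avail = remaining - 3;
		if (avail < sizeof mpc) {
			*overread += sizeof mpc - avail;  /* bytes that would be read past `end` */
			memcpy(&mpc, pnt + 3, avail);
		} else {
			memcpy(&mpc, pnt + 3, sizeof mpc);
		}
		pnt += (size_t)hdr->length + 3;
	}
	return CAP_OK;
}

/* Hardened variant: reject any capability whose declared length is smaller
 * than the structure we are about to copy, then bound-check that length. */
static int parse_caps_fixed(const uint8_t *pnt, size_t length, struct capability_mp_data *out)
{
	const uint8_t *end = pnt + length;

	while (pnt < end) {
		size_t remaining = (size_t)(end - pnt);

		if (remaining < 3)
			return CAP_ERR_TRUNCATED;
		const struct capability_header *hdr =
			(const struct capability_header *)(pnt + 1);

		if (hdr->length < sizeof *out)
			return CAP_ERR_SHORT_LENGTH;
		if (remaining - 3 < hdr->length)
			return CAP_ERR_TRUNCATED;

		memcpy(out, pnt + 3, sizeof *out);  /* now within [pnt + 3, end) */
		pnt += (size_t)hdr->length + 3;
	}
	return CAP_OK;
}

/* Helpers returning the results for a given message. */
static size_t overread_for(const uint8_t *msg, size_t len)
{
	size_t over = 0;
	(void)parse_caps_vulnerable(msg, len, &over);
	return over;
}

static int fixed_result_for(const uint8_t *msg, size_t len)
{
	struct capability_mp_data mpc;
	memset(&mpc, 0, sizeof mpc);
	return parse_caps_fixed(msg, len, &mpc);
}

int main(void)
{
	printf("valid: overread=%zu fixed=%d\n", overread_for(kValidMpCap, sizeof kValidMpCap),
	       fixed_result_for(kValidMpCap, sizeof kValidMpCap));
	printf("short: overread=%zu fixed=%d\n", overread_for(kShortMpCap, sizeof kShortMpCap),
	       fixed_result_for(kShortMpCap, sizeof kShortMpCap));
	printf("trunc: overread=%zu fixed=%d\n", overread_for(kTruncMpCap, sizeof kTruncMpCap),
	       fixed_result_for(kTruncMpCap, sizeof kTruncMpCap));
	return 0;
}
```

The 3-byte message passes the original check exactly (`pnt + 0 + 3 == end`), yet the daemon would still copy four bytes from `end`; that is the gap the minimum-length check closes. Consult the linked upstream commit for the project's actual fix.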
Affected:
- SUSE:SLE-15-SP3:Update
- openSUSE:Factory
Submission request to SLE in https://build.suse.de/request/show/279073
Submission request to network is in https://build.opensuse.org/request/show/1001418
(In reply to Marius Tomaschewski from comment #5)
> Submission request to network is in
> https://build.opensuse.org/request/show/1001418

On the way to factory in https://build.opensuse.org/request/show/1001456

Assigning back to security-team.
SUSE-SU-2022:3246-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1202022,1202023
CVE References: CVE-2019-25074,CVE-2022-37032
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): frr-7.4-150300.4.7.1
openSUSE Leap 15.3 (src): frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): frr-7.4-150300.4.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): frr-7.4-150300.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done, closing.
SUSE-SU-2024:3426-1: An update that solves seven vulnerabilities and has one security fix can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243426-1
Category: security (important)
Bug References: 1069468, 1079798, 1079799, 1079800, 1079801, 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2018-5378, CVE-2018-5379, CVE-2018-5380, CVE-2018-5381, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35809](https://smelt.suse.de/incident/35809/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): quagga-1.1.1-17.13.1
SUSE Linux Enterprise Server 12 SP5 (src): quagga-1.1.1-17.13.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): quagga-1.1.1-17.13.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): quagga-1.1.1-17.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:3433-1: An update that solves three vulnerabilities can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243433-1
Category: security (important)
Bug References: 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35810](https://smelt.suse.de/incident/35810/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): quagga-1.1.1-150000.4.6.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): quagga-1.1.1-150000.4.6.1
SUSE Enterprise Storage 7.1 (src): quagga-1.1.1-150000.4.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:3478-1: An update that solves three vulnerabilities can now be installed.

URL: https://www.suse.com/support/update/announcement/2024/suse-su-20243478-1
Category: security (important)
Bug References: 1202023, 1229438, 1230866
CVE References: CVE-2017-15865, CVE-2022-37032, CVE-2024-44070
Maintenance Incident: [SUSE:Maintenance:35806](https://smelt.suse.de/incident/35806/)
Sources used:
openSUSE Leap 15.4 (src): quagga-1.1.1-150400.12.8.1
openSUSE Leap 15.5 (src): quagga-1.1.1-150400.12.8.1
openSUSE Leap 15.6 (src): quagga-1.1.1-150400.12.8.1
Server Applications Module 15-SP5 (src): quagga-1.1.1-150400.12.8.1
Server Applications Module 15-SP6 (src): quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): quagga-1.1.1-150400.12.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): quagga-1.1.1-150400.12.8.1
SUSE Manager Proxy 4.3 (src): quagga-1.1.1-150400.12.8.1
SUSE Manager Retail Branch Server 4.3 (src): quagga-1.1.1-150400.12.8.1
SUSE Manager Server 4.3 (src): quagga-1.1.1-150400.12.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.