Researchers at Forescout Vedere Labs have discovered multiple vulnerabilities in the software implementation of the Border Gateway Protocol (BGP) within version 8.4 of FRRouting, a leading open-source implementation of the protocol. These vulnerabilities can be exploited to cause a denial of service (DoS) condition on vulnerable BGP peers, dropping all BGP sessions and routing tables, and rendering the peer unresponsive. BGP implementations are widely adopted for traffic routing in large data centers and BGP extensions, such as MP-BGP, or for MPLS L3 VPNs. The FRRouting implementation is currently used in the networking solutions of several major vendors, including nVidia Cumulus, DENT, and SONiC.
The researchers stated, “Attackers may leverage any of the three new vulnerabilities to achieve a DoS on a vulnerable BGP peer, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive for several seconds. The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets.” The discovery of these vulnerabilities is part of a broader analysis of seven popular Border Gateway Protocol implementations, including three open-source (FRRouting, BIRD, OpenBGPd) and four closed source (Mikrotik RouterOS, Juniper JunOS, Cisco IOS, Arista EOS) implementations.
The flaws discovered by Forescout include CVE-2022-40302 and CVE-2022-43681, which can be triggered before FRRouting validates BGP Identifier and ASN fields. Although FRRouting only allows connections between configured peers by default, threat actors can spoof a valid IP address of a trusted peer in the attack scenario described in the advisory. Additionally, threat actors can take advantage of misconfigurations or attempt to compromise a legitimate peer by exploiting other vulnerabilities. It is estimated that there are over 330,000 hosts with BGP enabled on the internet, with approximately 1,000 of them replying to unsolicited BGP OPEN messages. A majority of these Border Gateway Protocol hosts are located in China (nearly 100,000), the US (50,000), and the UK (16,000). The researchers found over 1,000 hosts running FRRouting, but not all of them have Border Gateway Protocol enabled.
The FRRouting team has addressed these vulnerabilities with the release of new versions. The researchers concluded, “Our research shows that modern BGP implementations still have low-hanging fruit that can be abused by attackers.” Forescout has also released a Python-based open-source fuzzer tool that enables organizations to test the security of their Border Gateway Protocol suites and discover new vulnerabilities in BGP implementations.