An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3478-1 advisory.

    - CVE-2017-15865: sensitive information disclosed when malformed BGP UPDATE packets are processed.
    (bsc#1230866)
    - CVE-2024-44070: crash when parsing Tunnel Encap attribute due to no length check. (bsc#1229438)
    - CVE-2022-37032: out-of-bounds read when parsing a BGP capability message due to incorrect size check.
    (bsc#1202023)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3433-1 advisory.

    - CVE-2017-15865: sensitive information disclosed when malformed BGP UPDATE packets are processed.
    (bsc#1230866)
    - CVE-2024-44070: crash when parsing Tunnel Encap attribute due to no length check. (bsc#1229438)
    - CVE-2022-37032: out-of-bounds read when parsing a BGP capability message due to incorrect size check.
    (bsc#1202023)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 802961eb-7a89-11ef-bdd7-a0423f48a938 advisory.

    cve@mitre.org reports:
    An issue was discovered in FRRouting (FRR). bgp_attr_encap             in bgpd/bgp_attr.c does not check the actual remaining stream length             before taking the TLV value.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3426-1 advisory.

    - CVE-2017-15865: sensitive information disclosed when malformed BGP UPDATE packets are processed.
    (bsc#1230866)
    - CVE-2024-44070: crash when parsing Tunnel Encap attribute due to no length check. (bsc#1229438)
    - CVE-2022-37032: out-of-bounds read when parsing a BGP capability message due to incorrect size check.
    (bsc#1202023)

    Bug fixes:
    - References to /var/adm/fillup-templates replaced with new %_fillupdir macro. (bsc#1069468)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-2fff2b9a18 advisory.

    Fix for CVE-2024-44070

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-1b36a483cc advisory.

    Fix for CVE-2024-44070

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-7017-1 advisory.

    Iggy Frankovic discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could     possibly use this issue to cause Quagga to crash, resulting in a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-7016-1 advisory.

    Iggy Frankovic discovered that FRR incorrectly handled certain BGP messages. A remote attacker could     possibly use this issue to cause FRR to crash, resulting in a denial of service.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of frr installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-44070 advisory.

  - An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check     the actual remaining stream length before taking the TLV value. (CVE-2024-44070)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:3108-1 advisory.

    - CVE-2024-44070: Fixed missing stream length check before TLV value is taken in bgp_attr_encap     (bsc#1229438)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:3090-1 advisory.

    - CVE-2024-44070: Fixed missing stream length check before TLV value is taken in bgp_attr_encap     (bsc#1229438)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3865 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-3865-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                         Tobias Frost     September 03, 2024                            https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : frr     Version        : 7.5.1-1.1+deb11u3     CVE ID         : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128                      CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407                      CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235                      CVE-2024-31948 CVE-2024-31949 CVE-2024-44070     Debian Bug     : 1008010 1016978 1055852 1079649

    Several vulnerabilities have been found in frr, the FRRouting suite of     internet protocols. An attacker could craft packages to potentially trigger     those effects: buffer overflows with the possibility to gain remote code     execution, buffer overreads, crashes or trick the software to enter an     infinite loop.

    CVE-2022-26125

        Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to         wrong checks on the input packet length in isisd/isis_tlvs.c.

    CVE-2022-26126

        Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to         the use of strdup with a non-zero-terminated binary string in         isis_nb_notifications.c.

    CVE-2022-26127

        A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to         missing a check on the input packet length in the babel_packet_examin         function in babeld/message.c.

    CVE-2022-26128

        A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to         a wrong check on the input packet length in the babel_packet_examin         function in babeld/message.c.

    CVE-2022-26129

        Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to         wrong checks on the subtlv length in the functions, parse_hello_subtlv,         parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

    CVE-2022-37035

        An issue was discovered in bgpd in FRRouting (FRR) 8.3. In         bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,         there is a possible use-after-free due to a race condition. This could         lead to Remote Code Execution or Information Disclosure by sending         crafted BGP packets. User interaction is not needed for exploitation.

    CVE-2023-38406

        bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri         length of zero, aka a flowspec overflow.

    CVE-2023-38407

        bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond         the end of the stream during labeled unicast parsing.

    CVE-2023-46752

        An issue was discovered in FRRouting FRR through 9.0.1. It mishandles         malformed MP_REACH_NLRI data, leading to a crash.

    CVE-2023-46753

        An issue was discovered in FRRouting FRR through 9.0.1. A crash can         occur for a crafted BGP UPDATE message without mandatory attributes,         e.g., one with only an unknown transit attribute.

    CVE-2023-47234

        An issue was discovered in bgpd in FRRouting (FRR) 8.3. In         bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c,         there is a possible use-after-free due to a race condition. This could         lead to Remote Code Execution or Information Disclosure by sending         crafted BGP packets. User interaction is not needed for exploitation.

    CVE-2023-47235

        An issue was discovered in FRRouting FRR through 9.0.1. A crash can         occur when a malformed BGP UPDATE message with an EOR is processed,         because the presence of EOR does not lead to a treat-as-withdraw         outcome.

    CVE-2024-31948

        In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID         attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

    CVE-2024-31949

        In FRRouting (FRR) through 9.1, an infinite loop can occur when         receiving a MP/GR capability as a dynamic capability because malformed         data results in a pointer not advancing.

    CVE-2024-44070

        An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap         in bgpd/bgp_attr.c does not check the actual remaining stream length         before taking the TLV value.

    For Debian 11 bullseye, these problems have been fixed in version     7.5.1-1.1+deb11u3.

    We recommend that you upgrade your frr packages.

    For the detailed security status of frr please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/frr

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
207885	SUSE SLES15 / openSUSE 15 Security Update : quagga (SUSE-SU-2024:3478-1)	Nessus	SuSE Local Security Checks	critical
207784	SUSE SLES15 Security Update : quagga (SUSE-SU-2024:3433-1)	Nessus	SuSE Local Security Checks	critical
207737	FreeBSD : frr - BGP (802961eb-7a89-11ef-bdd7-a0423f48a938)	Nessus	FreeBSD Local Security Checks	high
207715	SUSE SLES12 Security Update : quagga (SUSE-SU-2024:3426-1)	Nessus	SuSE Local Security Checks	critical
207497	Fedora 39 : frr (2024-2fff2b9a18)	Nessus	Fedora Local Security Checks	high
207430	Fedora 40 : frr (2024-1b36a483cc)	Nessus	Fedora Local Security Checks	high
207361	Ubuntu 20.04 LTS : Quagga vulnerability (USN-7017-1)	Nessus	Ubuntu Local Security Checks	high
207360	Ubuntu 22.04 LTS / 24.04 LTS : FRR vulnerability (USN-7016-1)	Nessus	Ubuntu Local Security Checks	high
207014	CBL Mariner 2.0 Security Update: frr (CVE-2024-44070)	Nessus	MarinerOS Local Security Checks	high
206579	SUSE SLES15 / openSUSE 15 Security Update : frr (SUSE-SU-2024:3108-1)	Nessus	SuSE Local Security Checks	high
206573	SUSE SLES15 Security Update : frr (SUSE-SU-2024:3090-1)	Nessus	SuSE Local Security Checks	high
206448	Debian dla-3865 : frr - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2024-44070

high

Tenable Plugins

critical

critical

high

critical

high

high

high

high

high

high

high

critical