Detections
Analytics

Debian dla-3865 : frr - security update

critical Nessus Plugin ID 206448

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3865 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-3865-1 [email protected] https://www.debian.org/lts/security/ Tobias Frost September 03, 2024 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : frr Version : 7.5.1-1.1+deb11u3 CVE ID : CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949 CVE-2024-44070 Debian Bug : 1008010 1016978 1055852 1079649

 Several vulnerabilities have been found in frr, the FRRouting suite of internet protocols. An attacker could craft packages to potentially trigger those effects: buffer overflows with the possibility to gain remote code execution, buffer overreads, crashes or trick the software to enter an infinite loop.

 CVE-2022-26125

 Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the input packet length in isisd/isis_tlvs.c.

 CVE-2022-26126

 Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to the use of strdup with a non-zero-terminated binary string in isis_nb_notifications.c.

 CVE-2022-26127

 A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to missing a check on the input packet length in the babel_packet_examin function in babeld/message.c.

 CVE-2022-26128

 A buffer overflow vulnerability exists in FRRouting through 8.1.0 due to a wrong check on the input packet length in the babel_packet_examin function in babeld/message.c.

 CVE-2022-26129

 Buffer overflow vulnerabilities exist in FRRouting through 8.1.0 due to wrong checks on the subtlv length in the functions, parse_hello_subtlv, parse_ihu_subtlv, and parse_update_subtlv in babeld/message.c.

 CVE-2022-37035

 An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

 CVE-2023-38406

 bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a flowspec overflow.

 CVE-2023-38407

 bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond the end of the stream during labeled unicast parsing.

 CVE-2023-46752

 An issue was discovered in FRRouting FRR through 9.0.1. It mishandles malformed MP_REACH_NLRI data, leading to a crash.

 CVE-2023-46753

 An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur for a crafted BGP UPDATE message without mandatory attributes, e.g., one with only an unknown transit attribute.

 CVE-2023-47234

 An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_send_with_data() and bgp_process_packet() in bgp_packet.c, there is a possible use-after-free due to a race condition. This could lead to Remote Code Execution or Information Disclosure by sending crafted BGP packets. User interaction is not needed for exploitation.

 CVE-2023-47235

 An issue was discovered in FRRouting FRR through 9.0.1. A crash can occur when a malformed BGP UPDATE message with an EOR is processed, because the presence of EOR does not lead to a treat-as-withdraw outcome.

 CVE-2024-31948

 In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash.

 CVE-2024-31949

 In FRRouting (FRR) through 9.1, an infinite loop can occur when receiving a MP/GR capability as a dynamic capability because malformed data results in a pointer not advancing.

 CVE-2024-44070

 An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value.

 For Debian 11 bullseye, these problems have been fixed in version 7.5.1-1.1+deb11u3.

 We recommend that you upgrade your frr packages.

 For the detailed security status of frr please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/frr

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the frr packages.

See Also

https://security-tracker.debian.org/tracker/source-package/frr

https://security-tracker.debian.org/tracker/CVE-2022-26125

https://security-tracker.debian.org/tracker/CVE-2022-26126

https://security-tracker.debian.org/tracker/CVE-2022-26127

https://security-tracker.debian.org/tracker/CVE-2022-26128

https://security-tracker.debian.org/tracker/CVE-2022-26129

https://security-tracker.debian.org/tracker/CVE-2022-37035

https://security-tracker.debian.org/tracker/CVE-2023-38406

https://security-tracker.debian.org/tracker/CVE-2023-38407

https://security-tracker.debian.org/tracker/CVE-2023-46752

https://security-tracker.debian.org/tracker/CVE-2023-46753

https://security-tracker.debian.org/tracker/CVE-2023-47234

https://security-tracker.debian.org/tracker/CVE-2023-47235

https://security-tracker.debian.org/tracker/CVE-2024-31948

https://security-tracker.debian.org/tracker/CVE-2024-31949

https://security-tracker.debian.org/tracker/CVE-2024-44070

https://packages.debian.org/source/bullseye/frr

Plugin Details

Severity: Critical

ID: 206448

File Name: debian_DLA-3865.nasl

Version: 1.1

Type: local

Agent: unix

Published: 9/3/2024

Updated: 9/3/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-26129

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-38406

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:frr-pythontools, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:frr-snmp, p-cpe:/a:debian:debian_linux:frr, p-cpe:/a:debian:debian_linux:frr-doc, p-cpe:/a:debian:debian_linux:frr-rpki-rtrlib

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/3/2024

Vulnerability Publication Date: 3/3/2022

Reference Information

CVE: CVE-2022-26125, CVE-2022-26126, CVE-2022-26127, CVE-2022-26128, CVE-2022-26129, CVE-2022-37035, CVE-2023-38406, CVE-2023-38407, CVE-2023-46752, CVE-2023-46753, CVE-2023-47234, CVE-2023-47235, CVE-2024-31948, CVE-2024-31949, CVE-2024-44070