FRRouting NULL Pointer Dereference Vulnerability in OSPF Opaque LSA Handling Causes Denial-of-Service

A NULL pointer dereference vulnerability has been identified in FRRouting (FRR) versions 2.0 through 10.4.1. The issue arises in the OSPF daemon when the debugging option 'debug ospf packet all send/recv detail' is enabled. Under these conditions, if an attacker sends a malformed Link State Advertisement (LSA) containing opaque data, it can trigger the vulnerability. The OSPF process crashes, leading to a Denial-of-Service (DoS) condition.

Impact

Exploiting this vulnerability causes the OSPF daemon to crash, disrupting OSPF routing processes and potentially leading to broader network connectivity issues.

Reproduction

To reproduce this vulnerability, first enable the 'debug ospf packet all send/recv detail' command in the OSPF configuration on the affected router. Then, send a packet containing an opaque LSA from another router in the same OSPF area. The OSPF process on the router receiving the packet will crash, demonstrating the vulnerability.

Remediation

Users can disable the OSPF debugging option 'debug ospf packet all send/recv detail' to prevent this vulnerability from being exploited.