FRRouting NULL Pointer Dereference Vulnerability in OSPF Component Leading to Denial-of-Service

A NULL pointer dereference vulnerability has been identified in the FRRouting (FRR) OSPF component, specifically in versions 4.0 prior to 10.4.1. The issue arises in the 'show_vty_unknown_tlv' function within 'ospf_ext.c', where the OSPF daemon ('ospfd') can crash when processing malformed OSPF packets. This vulnerability can be exploited remotely, but requires the victim to have the 'debug ospf packet all send/recv detail' option enabled, creating a denial-of-service condition.

Impact

Exploiting this vulnerability causes the OSPF daemon to crash, disrupting OSPF routing processes and potentially leading to broader network instability.

Reproduction

To reproduce this vulnerability, first enable the 'debug ospf packet all send/recv detail' command in the OSPF configuration on a router running FRRouting 10.4.1 or earlier. Then, send an OSPF packet containing an opaque LSA from another router in the same OSPF area. The OSPF process on the router receiving the packet will crash, demonstrating the NULL pointer dereference issue.

Remediation

Users can upgrade to FRRouting versions 10.4.2 or later, where this vulnerability has been fixed.