FRRouting NULL Pointer Dereference Vulnerability in OSPF Component Allowing Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in the OSPF component of FRRouting (FRR), in versions from 4.0 up to, but not including, 10.4.1. The issue is in the 'show_vty_ext_pref_pref_sid' function in 'ospf_ext.c'. When the OSPF daemon is configured to debug packet details, a crafted OSPF packet can cause it to dereference a NULL pointer, crashing the process. This allows a remote denial-of-service attack, but only if the victim has debugging enabled.

Impact

Exploitation of this vulnerability leads to a crash of the OSPF daemon, causing a denial-of-service condition on the affected system.

Reproduction

To reproduce this vulnerability, set up a network topology with two routers using Mininet. Configure both routers to enable OSPF and the 'debug ospf packet all send/recv detail' option. Once this is set, send an OSPF packet containing an opaque LSA from one router to the other. The receiving router's OSPF process will crash, demonstrating the vulnerability.

Remediation

Users can update to FRRouting versions 10.4.2 or later, where this vulnerability has been fixed.
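
The two conditions described above (an unfixed version and detailed OSPF packet debugging) can be checked per router. The following is an added example, not code from FRRouting or from this advisory; the sample configuration is constructed, the function names are hypothetical, and it assumes any release from 4.0 below the 10.4.2 remediation version still needs the update.

```python
import re

FIRST_AFFECTED = (4, 0, 0)   # lower bound given in the Vulnerability section
FIXED = (10, 4, 2)           # release named in the Remediation section

# Matches "debug ospf packet all send detail", "debug ospf packet all detail",
# and the per-instance form "debug ospf 1 packet ls-update recv detail".
DEBUG_DETAIL = re.compile(
    r"^\s*debug\s+ospf\s+(?:\d+\s+)?packet\s+\S+(?:\s+(?:send|recv))?\s+detail\s*$")

# Constructed sample of a running configuration (not taken from a real router).
SAMPLE_CONFIG = """\
frr version 10.3
hostname r1
debug ospf packet all send detail
debug ospf packet all recv detail
debug ospf event
!
router ospf
 network 10.0.0.0/24 area 0
!
"""

def parse_version(text):
    """Return the leading dotted numeric part of a version as a 3-tuple."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]

def needs_update(version):
    """True when the version is at least 4.0 and below the fixed release."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def detail_debug_lines(config):
    """Return the config lines that enable detailed OSPF packet debugging."""
    return [l.strip() for l in config.splitlines() if DEBUG_DETAIL.match(l)]

def assess(version, config):
    """Combine both conditions into one status for the router."""
    debug, outdated = detail_debug_lines(config), needs_update(version)
    if outdated and debug:
        status = "exposed"            # unfixed code and the trigger condition
    elif outdated:
        status = "update-pending"     # unfixed code, detail debugging is off
    else:
        status = "patched-debug-on" if debug else "ok"
    return {"status": status, "debug_lines": debug}

if __name__ == "__main__":
    print(assess("10.3", SAMPLE_CONFIG))
```

A router reported as "exposed" should be updated; until then, removing the listed debug lines removes the condition the advisory says is required for the crash.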

Added: Oct 28, 2025, 3:21 PM
Updated: Oct 28, 2025, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 8.2
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.