FRRouting
cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*
- < 10.5.3
An integer overflow vulnerability has been identified in FRRouting versions prior to 10.5.3. This vulnerability exists in seven OSPF Traffic Engineering and Segment Routing TLV parser functions. The issue arises because a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro. This truncation causes the loop termination condition to fail, allowing pointer advancement to continue unchecked. Exploitation of this vulnerability can lead to out-of-bounds memory reads, causing all affected routers in the OSPF area or autonomous system to crash. The vulnerability can be triggered by attackers with an established OSPF adjacency who send a crafted LS Update packet containing a malicious Type 10 or Type 11 Opaque LSA.
Exploitation causes out-of-bounds memory reads that crash the affected router. The source of this information also suggests that the vulnerability could potentially be exploited to execute arbitrary code.
To reproduce this vulnerability, send a crafted LS Update packet with a malicious Type 10 or Type 11 Opaque LSA to a router running a vulnerable version of FRRouting. Ensure that an OSPF adjacency is established with the target router, as this vulnerability can only be exploited in the context of an active OSPF session.
Users can upgrade to FRRouting version 10.5.3 or later to address this vulnerability.
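The truncation described above, modelled in C as an added example (not FRRouting source code): tlv_size() is a hypothetical stand-in for TLV_SIZE() that assumes a 4-byte TLV header and 4-byte body padding, and both sample buffers are constructed. The flawed walker tracks its cursor as an offset, so it reports where the read would leave the buffer instead of performing it.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR 4u /* assumed TLV header: 2-byte type, 2-byte length, big-endian */

/* Stand-in for TLV_SIZE(): header plus body padded to 4 bytes, as uint32_t. */
static uint32_t tlv_size(const uint8_t *p)
{
    uint32_t body = ((uint32_t)p[2] << 8) | p[3];
    return HDR + ((body + 3u) & ~3u);
}

/* Flawed pattern: 16-bit accumulator. Returns -1 if the walk ends in bounds,
 * else the offset where the next header read would fall outside the buffer. */
static long narrow_walk_overrun(const uint8_t *buf, uint16_t total)
{
    uint16_t sum = 0;
    size_t off = 0; /* models the TLV pointer, which advances untruncated */
    while (sum < total) {
        if (off + HDR > total)
            return (long)off; /* vulnerable code would dereference here */
        uint32_t sz = tlv_size(buf + off);
        sum = (uint16_t)(sum + sz); /* 0x10000 becomes 0: no progress */
        off += sz;
    }
    return -1;
}

/* Hardened pattern: 32-bit accumulator and a per-TLV check against the bytes
 * left. Returns the TLV count, or -1 for a malformed list. */
static int checked_walk(const uint8_t *buf, uint16_t total)
{
    uint32_t sum = 0;
    int n = 0;
    while (sum < total) {
        if (total - sum < HDR || tlv_size(buf + sum) > total - sum)
            return -1;
        sum += tlv_size(buf + sum);
        n++;
    }
    return n;
}

int main(void)
{
    const uint8_t good[16] = {0,1,0,4, 1,2,3,4, 0,2,0,2, 5,6,0,0}; /* constructed */
    const uint8_t bad[8] = {0,1,0xff,0xfc, 0,0,0,0}; /* constructed: length 0xfffc */
    printf("narrow: %ld %ld\n", narrow_walk_overrun(good, 16), narrow_walk_overrun(bad, 8));
    printf("checked: %d %d\n", checked_walk(good, 16), checked_walk(bad, 8));
    return 0;
}
```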