GoBGP
cpe:2.3:a:osrg:gobgp:*:*:*:*:*:*:*
- 4.2.0
A denial-of-service vulnerability exists in GoBGP version 4.2.0, where a remote attacker can cause the application to panic by sending a malformed BGP UPDATE message. The issue arises when the NEXT_HOP path attribute has an invalid length of less than 4 bytes, which is not compliant with the BGP specification. This malformed attribute is partially processed, leading to misaligned parsing and out-of-bounds access during validation, causing GoBGP to crash.
Exploitation of this vulnerability causes GoBGP to panic and terminate the BGP process, disrupting any active BGP sessions.
To reproduce this vulnerability, establish an eBGP session with GoBGP 4.2.0. Then, send a BGP UPDATE message that includes a NEXT_HOP attribute with a length of 0, 1, 2, or 3 bytes. GoBGP will panic during the validation of the UPDATE message, specifically when processing the malformed NEXT_HOP attribute.
Users can upgrade to GoBGP version 4.3.0 or later, where this vulnerability has been fixed.
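The length handling described above can be illustrated with an added example, which is not GoBGP's code and not the 4.3.0 fix: a Go path-attribute walker that checks every declared length against the remaining bytes before slicing, so a short NEXT_HOP produces an error instead of a panic. The names `findNextHop` and `errAttrLen` are hypothetical, the sample bytes are constructed, and only the IPv4 NEXT_HOP attribute of RFC 4271 (type code 3, 4-byte value) is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

const (
	flagExtLen  = 0x10 // RFC 4271 Extended Length bit: 2-byte length field
	typeNextHop = 3    // RFC 4271 NEXT_HOP type code
)

var errAttrLen = errors.New("path attribute length error")

// findNextHop (hypothetical helper) walks an UPDATE's path attributes and
// returns the IPv4 NEXT_HOP, checking each length before any slice is taken.
func findNextHop(attrs []byte) (netip.Addr, error) {
	for len(attrs) > 0 {
		if len(attrs) < 3 {
			return netip.Addr{}, fmt.Errorf("%w: truncated header", errAttrLen)
		}
		typ, hdr, vlen := attrs[1], 3, int(attrs[2])
		if attrs[0]&flagExtLen != 0 {
			if len(attrs) < 4 {
				return netip.Addr{}, fmt.Errorf("%w: truncated header", errAttrLen)
			}
			hdr, vlen = 4, int(binary.BigEndian.Uint16(attrs[2:4]))
		}
		if len(attrs) < hdr+vlen {
			return netip.Addr{}, fmt.Errorf("%w: type %d overruns buffer", errAttrLen, typ)
		}
		if typ == typeNextHop {
			if vlen != 4 { // the advisory's case: 0, 1, 2 or 3 bytes
				return netip.Addr{}, fmt.Errorf("%w: NEXT_HOP is %d bytes, want 4", errAttrLen, vlen)
			}
			ip, _ := netip.AddrFromSlice(attrs[hdr : hdr+vlen])
			return ip, nil
		}
		attrs = attrs[hdr+vlen:]
	}
	return netip.Addr{}, errors.New("NEXT_HOP attribute not present")
}

func main() {
	// Constructed samples: ORIGIN (type 1), then NEXT_HOP (type 3).
	fmt.Println(findNextHop([]byte{0x40, 1, 1, 0, 0x40, 3, 4, 192, 0, 2, 1}))
	fmt.Println(findNextHop([]byte{0x40, 1, 1, 0, 0x40, 3, 2, 192, 0}))
}
```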