Zebra Network and Zebrad Denial-of-Service Vulnerability via Address Message Deserialization
Vulnerability
A denial-of-service vulnerability has been identified in Zebra network and Zebrad, in versions prior to their respective patched releases. The issue arises when deserializing 'addr' and 'addrv2' messages, which carry vectors of peer addresses. Zebra allowed these vectors to be deserialized up to a maximum length derived from the 2 MiB message size limit rather than from the protocol's own limit, so a single message could trigger a far larger allocation than the protocol permits. Zebra did check the vector length against the specification limit of 1,000 addresses, but only after memory for the oversized vector had already been allocated. An attacker could therefore send many such messages over separate connections, exhausting the node's memory and crashing it.
Impact
Successful exploitation crashes the Zebra node, resulting in a denial-of-service condition.
Reproduction
To reproduce this vulnerability, send 'addr' or 'addrv2' messages containing a large number of entries to a Zebra node, preferably over multiple connections. The node allocates memory for all of the claimed entries and only afterwards checks the count against the 1,000-address limit; by then the memory exhaustion has already occurred and the node crashes.
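The ordering defect described in the Vulnerability and Reproduction sections is easiest to see side by side with its fix. The following is an added example, not Zebra's own code: it uses a constructed, simplified wire format (a 4-byte little-endian entry count followed by fixed 30-byte entries, which is not Zebra's real encoding) and contrasts a decoder that reserves capacity bounded only by the 2 MiB message size and checks the 1,000-address limit afterwards with one that validates the claimed count before allocating anything. The function names, the `Entry` type and the 30-byte entry size are assumptions made for the example.

```rust
/// Spec limit on addresses per 'addr'/'addrv2' message, as cited in the advisory.
const MAX_ADDRS_PER_MSG: usize = 1_000;
/// Message size limit the advisory says the old bound was derived from.
const MAX_MESSAGE_BYTES: usize = 2 * 1024 * 1024;
/// Constructed fixed encoded size of one entry (a simplification, not Zebra's wire format).
const ENTRY_BYTES: usize = 30;

#[derive(Debug, Clone, PartialEq)]
pub struct Entry(pub [u8; ENTRY_BYTES]);

#[derive(Debug, Clone, PartialEq)]
pub enum DecodeError {
    /// The message claims or carries more entries than the spec allows.
    TooManyEntries(usize),
    /// The message ends before the claimed entries are complete.
    Truncated,
}

/// Reads the 4-byte little-endian entry count that starts the constructed message.
fn read_count(bytes: &[u8]) -> Result<(usize, &[u8]), DecodeError> {
    if bytes.len() < 4 {
        return Err(DecodeError::Truncated);
    }
    let count = u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]) as usize;
    Ok((count, &bytes[4..]))
}

/// Copies `count` fixed-size entries out of `rest` into `out`.
fn read_entries(count: usize, mut rest: &[u8], out: &mut Vec<Entry>) -> Result<(), DecodeError> {
    for _ in 0..count {
        if rest.len() < ENTRY_BYTES {
            return Err(DecodeError::Truncated);
        }
        let mut entry = [0u8; ENTRY_BYTES];
        entry.copy_from_slice(&rest[..ENTRY_BYTES]);
        out.push(Entry(entry));
        rest = &rest[ENTRY_BYTES..];
    }
    Ok(())
}

/// The defective ordering the advisory describes: capacity is bounded only by what
/// could fit in a 2 MiB message, and the 1,000-entry limit is checked afterwards.
/// The reserved capacity is returned alongside the result so the allocation is observable.
pub fn decode_check_after_alloc(bytes: &[u8]) -> (usize, Result<Vec<Entry>, DecodeError>) {
    let (count, rest) = match read_count(bytes) {
        Ok(parsed) => parsed,
        Err(e) => return (0, Err(e)),
    };
    let capacity = count.min(MAX_MESSAGE_BYTES / ENTRY_BYTES); // about 69,905 entries
    let mut entries: Vec<Entry> = Vec::with_capacity(capacity);
    let reserved = entries.capacity();
    if let Err(e) = read_entries(count, rest, &mut entries) {
        return (reserved, Err(e));
    }
    if entries.len() > MAX_ADDRS_PER_MSG {
        return (reserved, Err(DecodeError::TooManyEntries(entries.len())));
    }
    (reserved, Ok(entries))
}

/// Hardened ordering: the claimed count is validated against the spec limit before
/// any vector is allocated, so an oversized message costs nothing beyond the header read.
pub fn decode_check_before_alloc(bytes: &[u8]) -> (usize, Result<Vec<Entry>, DecodeError>) {
    let (count, rest) = match read_count(bytes) {
        Ok(parsed) => parsed,
        Err(e) => return (0, Err(e)),
    };
    if count > MAX_ADDRS_PER_MSG {
        return (0, Err(DecodeError::TooManyEntries(count)));
    }
    let mut entries: Vec<Entry> = Vec::with_capacity(count);
    let reserved = entries.capacity();
    if let Err(e) = read_entries(count, rest, &mut entries) {
        return (reserved, Err(e));
    }
    (reserved, Ok(entries))
}

/// Builds a constructed message claiming `claimed` entries but carrying only `present` of them.
pub fn build_message(claimed: u32, present: usize) -> Vec<u8> {
    let mut msg = claimed.to_le_bytes().to_vec();
    for i in 0..present {
        msg.extend(std::iter::repeat((i % 251) as u8).take(ENTRY_BYTES));
    }
    msg
}

fn main() {
    // A header claiming the maximum count that fits in 2 MiB, with no entries behind it.
    let oversized = build_message(69_905, 0);
    let (reserved, _) = decode_check_after_alloc(&oversized);
    println!("check-after-alloc reserved capacity for {reserved} entries");
    let (reserved, result) = decode_check_before_alloc(&oversized);
    println!("check-before-alloc reserved {reserved} entries, result: {result:?}");
}
```

The point the example makes is that the length prefix of an untrusted message must never drive an allocation on its own: the cheap comparison against the protocol limit has to come first, and the allocation size is then bounded by a constant the attacker does not control.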
Remediation
Users should upgrade to Zebra version 4.3.1 or later. There are no known workarounds for this issue.
