FRRouting FRR
cpe:2.3:a:frrouting:frrouting:*:*:*:*:*:*:*
- <= 10.5.1
A vulnerability exists in FRRouting (FRR) versions through 10.5.1, specifically in the BGP daemon's EVPN Type-2 route handler. The issue lies in the 'process_type2_route' function of 'bgpd/bgp_evpn.c', where improper input validation results in an access control weakness. The flaw can be exploited remotely by authenticated attackers who are legitimate BGP peers with the L2VPN EVPN address family enabled. It stems from inconsistent validation of two NLRI length-related fields, 'psize' and 'ipaddr_len': each field is checked individually, but the implementation does not ensure that they are semantically aligned, so a crafted EVPN Type-2 route can pass validation and disrupt EVPN routing information, potentially causing VNI label poisoning and incorrect tenant-to-VNI mapping.
Exploitation can lead to corrupted EVPN routing information, causing incorrect extraction or installation of label-related metadata. In VXLAN/EVPN deployments, this could result in VNI label poisoning, propagation of corrupted EVPN routes, and unintended forwarding behavior across isolation boundaries, creating risks of traffic leakage, tenant segmentation failure, routing instability, or broader control-plane integrity issues.
To reproduce this vulnerability, an authenticated remote attacker must establish a BGP session with EVPN address-family support. Once the session is active, the attacker can advertise a specially crafted EVPN Type-2 route that exploits the validation inconsistency between 'psize' and 'ipaddr_len'. This crafted route can then be processed by the BGP daemon, leading to the described impacts on EVPN routing information and VNI label management.
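Added example, not FRR's code or its patch: a joint length check over an EVPN Type-2 NLRI that rejects a route whose total length ('psize') and embedded IP-address length disagree, even when each value is legal on its own. The field layout follows RFC 7432 section 7.2; the function names, the MAC-length check and the sample buffers are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Field sizes of an EVPN Type-2 (MAC/IP Advertisement) NLRI, RFC 7432 section 7.2. */
#define EVPN_RD_LEN    8
#define EVPN_ESI_LEN   10
#define EVPN_ETAG_LEN  4
#define EVPN_MAC_LEN   6
#define EVPN_LABEL_LEN 3
/* Octets from the start of the NLRI up to and including the IP-address-length octet (30). */
#define EVPN_T2_FIXED  (EVPN_RD_LEN + EVPN_ESI_LEN + EVPN_ETAG_LEN + 1 + EVPN_MAC_LEN + 1)

/* Total NLRI length implied by an IP-address length (in bits) and a label count.
 * Returns 0 for any IP length other than the legal 0, 32 or 128 bits. */
size_t evpn_t2_expected_size(unsigned ipaddr_len_bits, unsigned labels)
{
    unsigned ip_bytes;
    if (ipaddr_len_bits == 0) ip_bytes = 0;
    else if (ipaddr_len_bits == 32) ip_bytes = 4;
    else if (ipaddr_len_bits == 128) ip_bytes = 16;
    else return 0;
    if (labels != 1 && labels != 2) return 0;
    return EVPN_T2_FIXED + ip_bytes + labels * EVPN_LABEL_LEN;
}

/* Joint check: psize is the NLRI length octet taken from the MP_REACH attribute and
 * nlri points at psize octets. Instead of validating psize and ipaddr_len separately,
 * the check insists that psize is exactly the size ipaddr_len implies (with one or two
 * labels), so the label octets are read from the offset the sender actually encoded. */
bool evpn_t2_nlri_consistent(const uint8_t *nlri, size_t psize)
{
    if (psize < EVPN_T2_FIXED) return false;
    unsigned mac_len_bits = nlri[EVPN_RD_LEN + EVPN_ESI_LEN + EVPN_ETAG_LEN];
    if (mac_len_bits != EVPN_MAC_LEN * 8) return false; /* MAC length is always 48 bits */
    unsigned ipaddr_len_bits = nlri[EVPN_T2_FIXED - 1];
    return psize == evpn_t2_expected_size(ipaddr_len_bits, 1)
        || psize == evpn_t2_expected_size(ipaddr_len_bits, 2);
}

/* Constructed sample NLRIs (only the two length octets matter for the check):
 * index 22 is the MAC-address length (48 bits), index 29 the IP-address length. */
static const uint8_t t2_ipv4_one_label[37]      = { [22] = 48, [29] = 32 };  /* consistent */
static const uint8_t t2_noip_one_label[33]      = { [22] = 48, [29] = 0 };   /* consistent */
static const uint8_t t2_psize_ipv4_len_zero[37] = { [22] = 48, [29] = 0 };   /* legal apart, inconsistent together */
static const uint8_t t2_ipv6_two_labels[52]     = { [22] = 48, [29] = 128 }; /* consistent */
```

The third sample is the shape of input the advisory describes: a valid psize and a valid ipaddr_len that nonetheless place the label at different offsets, which the joint check rejects.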
Users are advised to update to FRRouting FRR version 10.5.2 or later, where this vulnerability has been patched.