osrg GoBGP BGP OPEN Message Handler Improper Access Control Vulnerability

Vulnerability

A vulnerability exists in osrg GoBGP versions through 4.3.0, in the BGP OPEN message handler. The issue is in the 'DecodeFromBytes' function of 'pkg/packet/bgp/bgp.go' that decodes the FQDN capability: the 'domainNameLen' field is read but never enforced, so the parser takes every remaining byte of the capability buffer as the domain name, including any unrelated trailing data that follows the declared domain name. The flaw is classified as improper access control. It is reachable remotely by any peer that can deliver an OPEN message to the BGP listener, although exploitation is rated as high complexity.

Impact

Exploitation of this vulnerability leads to incorrect parsing of the domain name carried in the FQDN capability of a BGP OPEN message, producing inconsistent capability decoding and potentially misleading log or debug output (the logged domain name contains bytes the sender never declared as part of it).

Reproduction

To reproduce this vulnerability, send a crafted BGP OPEN message that carries an FQDN capability in which the bytes following the domain name field do not match the declared 'domainNameLen': declare a 'domainNameLen' that covers only the real domain name, then append extra trailing or padding bytes inside the capability value. Because the parser ignores 'domainNameLen' and reads to the end of the capability, those extra bytes are interpreted as part of the domain name. This can be done with any BGP client or library that allows the OPEN message and its capabilities to be built byte by byte. Note that OPEN is the first BGP message exchanged after the TCP handshake, so the code path is reachable before session establishment by any host that can connect to the BGP port; peer ACLs, TCP MD5 or TCP-AO limit who can get that far.
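The following Go program is an added illustration written for this page; it is not GoBGP's code and makes no claim about the exact structure of the upstream 'DecodeFromBytes' or of the 4.3.1 patch. It models the FQDN capability layout (capability code 73, assumed from draft-walton-bgp-hostname-capability: hostNameLen, hostName, domainNameLen, domainName), builds the crafted capability described in the Reproduction section with constructed sample data, and decodes it twice: once with the flawed "read to end of buffer" logic and once with a bounded decoder that honours 'domainNameLen'. The helper names ('parseCapabilityTLV', 'decodeFQDNLoose', 'decodeFQDNStrict', 'buildFQDNCapability') are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Capability code 73 is the FQDN capability (assumed from
// draft-walton-bgp-hostname-capability). Its value is laid out as
// hostNameLen(1) | hostName | domainNameLen(1) | domainName.
const capCodeFQDN = 73

// fqdnCap is the decoded capability.
type fqdnCap struct {
	HostName   string
	DomainName string
}

// parseCapabilityTLV splits one capability into code and value and checks
// that the declared length is actually available.
func parseCapabilityTLV(tlv []byte) (byte, []byte, error) {
	if len(tlv) < 2 {
		return 0, nil, errors.New("capability header truncated")
	}
	code, n := tlv[0], int(tlv[1])
	if len(tlv) < 2+n {
		return 0, nil, errors.New("capability value truncated")
	}
	return code, tlv[2 : 2+n], nil
}

// decodeFQDNLoose models the flaw described above: domainNameLen is present
// in the buffer but never used, so every byte after it becomes the domain name.
func decodeFQDNLoose(v []byte) (fqdnCap, error) {
	if len(v) < 1 {
		return fqdnCap{}, errors.New("missing hostNameLen")
	}
	hl := int(v[0])
	if len(v) < 1+hl+1 {
		return fqdnCap{}, errors.New("missing domainNameLen")
	}
	host := v[1 : 1+hl]
	// Flaw: slice to the end of the value; v[1+hl] (domainNameLen) is ignored.
	domain := v[1+hl+1:]
	return fqdnCap{string(host), string(domain)}, nil
}

// decodeFQDNStrict bounds the domain-name read by domainNameLen and rejects
// both a truncated value and unexpected trailing bytes.
func decodeFQDNStrict(v []byte) (fqdnCap, error) {
	if len(v) < 1 {
		return fqdnCap{}, errors.New("missing hostNameLen")
	}
	hl := int(v[0])
	if len(v) < 1+hl+1 {
		return fqdnCap{}, errors.New("missing domainNameLen")
	}
	dl := int(v[1+hl])
	end := 1 + hl + 1 + dl
	if len(v) < end {
		return fqdnCap{}, fmt.Errorf("domainNameLen %d exceeds %d remaining bytes", dl, len(v)-(1+hl+1))
	}
	if len(v) != end {
		return fqdnCap{}, fmt.Errorf("%d trailing bytes after domain name", len(v)-end)
	}
	return fqdnCap{string(v[1 : 1+hl]), string(v[1+hl+1 : end])}, nil
}

// buildFQDNCapability encodes an FQDN capability TLV. declaredDomainLen is
// written into the domainNameLen byte and trailing is appended after the
// domain bytes, so a caller can construct the crafted capability from the
// Reproduction section (constructed sample data, not a real capture).
func buildFQDNCapability(host, domain string, declaredDomainLen int, trailing []byte) []byte {
	body := []byte{byte(len(host))}
	body = append(body, host...)
	body = append(body, byte(declaredDomainLen))
	body = append(body, domain...)
	body = append(body, trailing...)
	return append([]byte{capCodeFQDN, byte(len(body))}, body...)
}

func main() {
	// domainNameLen covers "example.com" only; four unrelated bytes follow it.
	tlv := buildFQDNCapability("rtr1", "example.com", len("example.com"), []byte{0x00, 0x01, 0x41, 0x42})
	_, value, err := parseCapabilityTLV(tlv)
	if err != nil {
		panic(err)
	}
	loose, _ := decodeFQDNLoose(value)
	fmt.Printf("loose:  host=%q domain=%q\n", loose.HostName, loose.DomainName)
	_, err = decodeFQDNStrict(value)
	fmt.Printf("strict: %v\n", err)
}
```

Rejecting trailing bytes outright (rather than silently ignoring them) is a design choice of this example: a capability whose declared lengths do not account for its whole value is malformed, and surfacing that as a decode error keeps a crafted OPEN from producing a plausible-looking but wrong domain name in logs.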

Remediation

Users are advised to update to GoBGP version 4.3.1 or later, where this vulnerability has been patched. Until the upgrade is in place, restricting which hosts can reach the BGP listener (peer ACLs, TCP MD5 or TCP-AO) limits who can deliver a crafted OPEN message.

Added: Mar 30, 2026, 3:21 PM
Updated: Mar 30, 2026, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          0.6
exploitability  9.3
remediation     7.7
relevance       4.9
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.