osrg GoBGP Denial-of-Service Vulnerability in SRv6 L3 Service Component

A denial-of-service vulnerability has been identified in osrg GoBGP versions prior to 4.3.0. The issue arises in the SRv6 L3 Service component, specifically within the SRv6L3ServiceAttribute.DecodeFromBytes function in the file pkg/packet/bgp/prefix_sid.go. The vulnerability can be exploited remotely by manipulating the input data, which leads to an infinite loop, causing the BGP daemon to become unresponsive.

Impact

Exploitation of this vulnerability causes the BGP daemon to enter an infinite loop, making it unresponsive and disrupting BGP operations.

Reproduction

The vulnerability can be reproduced by sending a BGP message that includes an SRv6 L3 Service attribute with an unknown sub-TLV type. The default decoding process will incorrectly advance the loop iterator, creating an infinite loop. This can be tested by using a BGP client or tool that allows for the manipulation of BGP message attributes, such as a custom script or a BGP testing tool that supports SRv6 L3 Service attributes.

Remediation

Users are advised to upgrade to osrg GoBGP version 4.4.0 or later, where this vulnerability has been fixed.