Three BGP message parsing weak spots found in FRRouting software

In our new vulnerability report, Forescout Vedere Labs discusses an often-overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in its software implementations.

More specifically, we found vulnerabilities in BGP message parsing in the popular FRRouting implementation that could be exploited by attackers to achieve a denial of service (DoS) condition on vulnerable BGP peers. Some software suites implementing BGP are nowadays used by major networking vendors and relied upon by large parts of the internet. One recent BGP incident shows that it might take only a malformed packet to cause a large disruption.

BGP is found in unexpected places beyond ISPs. For instance, it is commonly used internally to route traffic in large data centers, and BGP extensions like MP-BGP are widely deployed for MPLS L3 VPNs. Firms should not rely only on their ISPs to handle BGP security.

We analyzed seven BGP implementations and found three vulnerabilities in one open-source implementation, FRRouting, which could be exploited to achieve DoS on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive.

BGP implementations still have low-hanging fruits that can be abused by attackers. As part of this research, we are releasing an open-source tool for firms to test the security of the BGP suites they use internally and for researchers to find vulnerabilities in BGP implementations.

What is BGP and why continue to analyze it?

Border Gateway Protocol (BGP) is the main routing protocol for the internet. It allows individual autonomous systems (ASes), which are blocks of IPs leased to an organization for a certain time by a registrar, to exchange routing and reachability information.

When BGP fails, an AS may become unreachable because others cannot route their packets there and the unreachable AS becomes cut off from the rest of the internet. When BGP is abused by threat actors, network traffic may be rerouted through unintended locations.

There are both accidental and intentional disruptions of routing on the internet, since BGP was not initially designed with security in mind. Original BGP weaknesses that may lead to major incidents and internet outages have been known for a long time. For example, in a 2018 incident, traffic for Google IP addresses was routed through China Telecom for over an hour.

In July 2022, the Russian ISP Rostelecom announced routes for parts of Apple’s network, resulting in connections to Apple’s services being redirected through Russia for over 12 hours.

There has been a lot of research on the (in)security of the BGP protocol itself, but the various projects that implement BGP have not received the same level of attention in the security community. Various implementations may be vulnerable, leaving BGP peers wide open to attacks. The most recent systematic work we found on security testing of BGP implementations was published 20 years ago.

New vulnerabilities in BGP implementations

We analyzed 7 popular BGP implementations, three open source (FRRouting, BIRD, OpenBGPd) and four closed source (Mikrotik RouterOS, Juniper JunOS, Cisco IOS, Arista EOS), using both manual analysis and fuzzing. We found three new vulnerabilities in the latest release of Free Range Routing (FRRouting) at the time – version 8.4, released on Nov 7, 2022. The vulnerabilities are summarized in the table below and detailed in the report.

CVE ID / Description / CVSSv3.1 / Potential impact

  • CVE-2022-40302 – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. CVSSv3.1: 6.5. Potential impact: DoS.
  • CVE-2022-40318 – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option. This is a different issue from CVE-2022-40302. CVSSv3.1: 6.5. Potential impact: DoS.
  • CVE-2022-43681 – Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet (or the option length word, in the case of an OPEN message with extended option lengths). CVSSv3.1: 6.5. Potential impact: DoS.

The issues were reported to the FRRouting team and fixed in the following versions:

  • CVE-2022-40302 and CVE-2022-40318 here.
  • CVE-2022-43681 here.
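All three issues above are length-handling mistakes in the OPEN optional-parameters path. The following is an added example written for this post, not FRRouting's code and not a reproduction of its bugs: a bounds-checked walk over the optional parameters of a BGP OPEN body that supports both the classic 1-octet parameter lengths of RFC 4271 and the extended form of RFC 9072 (Optional Parameters Length of 0xFF, a Non-Ext OP Type of 0xFF, then a 2-octet extended length and 3-octet parameter headers). It shows where a parser must check the bytes actually received against every declared length, including the case of a message that stops right after a parameter length octet or word. The sample messages (AS 65001, BGP Identifier 192.0.2.1, one Multiprotocol capability) are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the fixed OPEN fields after the 19-byte BGP header:
 * version(1) + my AS(2) + hold time(2) + BGP identifier(4) + opt parm len(1). */
#define BGP_OPEN_FIXED_LEN 10

enum open_parse_result {
    OPEN_OK = 0,
    OPEN_ERR_TRUNCATED_FIXED,     /* body shorter than the fixed fields */
    OPEN_ERR_TRUNCATED_EXT_HDR,   /* 0xFF announced the extended form but its header is missing */
    OPEN_ERR_BAD_EXT_TYPE,        /* byte after the 0xFF length is not 0xFF (RFC 9072) */
    OPEN_ERR_OPTLEN_EXCEEDS_BODY, /* declared parameter area longer than the bytes received */
    OPEN_ERR_PARAM_TRUNCATED,     /* a parameter header or value runs past the declared area */
};

struct open_summary {
    uint16_t my_as;
    uint16_t hold_time;
    uint32_t bgp_id;
    bool extended;      /* RFC 9072 extended optional parameter lengths in use */
    size_t param_count; /* well-formed optional parameters walked */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* body/len cover the OPEN payload after the 19-byte BGP header. Every read is
 * preceded by a check on the bytes remaining, so no declared length is trusted. */
enum open_parse_result parse_bgp_open(const uint8_t *body, size_t len, struct open_summary *out)
{
    memset(out, 0, sizeof(*out));
    if (len < BGP_OPEN_FIXED_LEN)
        return OPEN_ERR_TRUNCATED_FIXED;

    out->my_as = rd16(body + 1);
    out->hold_time = rd16(body + 3);
    out->bgp_id = rd32(body + 5);

    size_t pos = BGP_OPEN_FIXED_LEN;
    size_t optlen = body[9];
    size_t hdr_len = 2; /* classic parameter header: type(1) + length(1) */

    if (optlen == 0xFF) {
        /* Extended form: Non-Ext OP Type (must be 0xFF) + 2-octet extended length. */
        if (len - pos < 3)
            return OPEN_ERR_TRUNCATED_EXT_HDR;
        if (body[pos] != 0xFF)
            return OPEN_ERR_BAD_EXT_TYPE;
        optlen = rd16(body + pos + 1);
        pos += 3;
        hdr_len = 3; /* extended parameter header: type(1) + length(2) */
        out->extended = true;
    }

    /* The declared parameter area must fit inside what was actually received. */
    if (optlen > len - pos)
        return OPEN_ERR_OPTLEN_EXCEEDS_BODY;
    size_t end = pos + optlen;

    while (pos < end) {
        if (end - pos < hdr_len) /* header (type + length) must be fully present */
            return OPEN_ERR_PARAM_TRUNCATED;
        size_t plen = (hdr_len == 2) ? body[pos + 1] : rd16(body + pos + 1);
        pos += hdr_len;
        if (plen > end - pos) /* a message ending right after the length octet/word fails here */
            return OPEN_ERR_PARAM_TRUNCATED;
        pos += plen; /* value treated as opaque; a real parser dispatches on the type */
        out->param_count++;
    }
    return OPEN_OK;
}

/* Convenience wrapper returning only the verdict for a sample. */
enum open_parse_result result_for(const uint8_t *body, size_t len)
{
    struct open_summary s;
    return parse_bgp_open(body, len, &s);
}

/* Constructed samples (not captured traffic): fixed fields are version 4, AS 65001,
 * hold time 180, BGP Identifier 192.0.2.1; the one parameter is a capability (type 2)
 * carrying a Multiprotocol capability (code 1) for AFI 1 / SAFI 1. */
static const uint8_t kClassicOpen[] = {
    0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01, 0x08,
    0x02, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
static const uint8_t kExtendedOpen[] = {
    0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01, 0xFF, 0xFF, 0x00, 0x09,
    0x02, 0x00, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
/* Parameter area of 2 octets that ends with the parameter length octet, value absent. */
static const uint8_t kTruncatedAtLengthOctet[] = {
    0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01, 0x02, 0x02, 0x06 };
/* Extended form announced (0xFF 0xFF) but the 2-octet extended length is missing. */
static const uint8_t kTruncatedExtHeader[] = {
    0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01, 0xFF, 0xFF };
/* Extended length claims 32 octets of parameters while only 9 were received. */
static const uint8_t kExtendedOverclaim[] = {
    0x04, 0xFD, 0xE9, 0x00, 0xB4, 0xC0, 0x00, 0x02, 0x01, 0xFF, 0xFF, 0x00, 0x20,
    0x02, 0x00, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };

int main(void)
{
    printf("classic well-formed      -> %d\n", result_for(kClassicOpen, sizeof kClassicOpen));
    printf("extended well-formed     -> %d\n", result_for(kExtendedOpen, sizeof kExtendedOpen));
    printf("ends at length octet     -> %d\n", result_for(kTruncatedAtLengthOctet, sizeof kTruncatedAtLengthOctet));
    printf("extended header missing  -> %d\n", result_for(kTruncatedExtHeader, sizeof kTruncatedExtHeader));
    printf("extended length overclaim-> %d\n", result_for(kExtendedOverclaim, sizeof kExtendedOverclaim));
    return 0;
}
```

The design point is that the parser never derives a read position from a length field before confirming that many bytes remain, and that the extended form introduces two additional declared lengths (the extended optional parameters length and the 2-octet per-parameter length) that each need their own check. Feeding the constructed truncated samples to a parser under test, the way the tool described below does with its test cases, is a quick robustness check for this code path.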

Impact analysis of FRRouting vulnerabilities

FRRouting was forked from another open source project called Quagga in 2016 by developers from several commercial organizations and is used in the networking solutions of several vendors, including nVidia Cumulus, which in turn is adopted by large firms like PayPal, Yahoo, Qualcomm and the Dutch National Police; DENT, which is mainly supported by Amazon; and SONiC, which is supported by Microsoft and used in some Juniper routers.

Attackers may leverage any of the three new vulnerabilities to achieve a DoS on a vulnerable BGP peer, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive for several seconds. The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. Two of these issues (CVE-2022-40302 and CVE-2022-43681) can be triggered before FRRouting validates BGP Identifier and ASN fields.

While FRRouting only allows connections between configured peers by default (OPEN messages from hosts not present in the config files are not accepted), in this case attackers only need to spoof a valid IP address of a trusted peer. Another way for the attacker is to take advantage of misconfigurations or to compromise a peer by exploiting other vulnerabilities. Similar DoS vulnerabilities in FRRouting have caused notable disruptions and must be fixed.

There are over 330,000 hosts with BGP enabled on the internet and close to 1,000 of those reply to unsolicited BGP OPEN messages. Most of the BGP hosts are in China (close to 100,000), US (50,000) and UK (16,000). We also see over 200,000 hosts running Quagga and over 1,000 running FRRouting (not all of them with BGP enabled). China comes on top with over 170,000 hosts followed by the U.S. with 15,000 and Japan with close to 4,000.

BGP security open-source testing tool

We are releasing an open-source tool for organizations to test the security of the BGP suites they use internally and for researchers to find new vulnerabilities in BGP implementations.

The tool has several scripts available out of the box with proofs of concept for the vulnerabilities we found and test cases for the BGP OPEN, UPDATE, ROUTE REFRESH and NOTIFICATION messages. The proofs of concept can be run against a device to test whether it is vulnerable, while the test cases can be run against new implementations to search for new vulnerabilities.

To support these test cases, the tool provides a crash monitor that checks whether the latest test case has crashed the target and generates a proof-of-concept exploit out of the latest failed test case. The monitor also attempts to restart the target if its process dies, which is convenient for running long campaigns. Currently, the monitor supports FRRouting, BIRD and OpenBGPD, but it can be extended to other targets as well.

Conclusion and mitigation recommendations

After reviewing and testing the selected implementations, we can assume that they are robust against malformed packets. This is not surprising, considering that these are mature and actively developed projects with many contributors. Nevertheless, we were surprised by our findings in the FRRouting project: it is interesting to see evidence that BGP message parsing issues can still be found in major projects with a good history of security patches.

The fact that FRRouting provides wide support for fuzzing its own code, yet still shipped these issues, suggests that a few “shallow” bugs may still slip through the cracks. Since BGP is such an integral part of the internet, there are several guidelines on how to secure it, such as those from the Internet Society, RIPE NCC, NIST and the NSA. However, those guidelines tend to focus on the known issues with BGP insecurity and how to deploy RPKI.

Also, because of the supply chain effect we have seen in past research, vulnerabilities on open-source components tend to spread widely. The new issues CVE-2022-40302 and CVE-2022-40318, for instance, clearly show how the same vulnerable code may be present in multiple places of a code base and serve as a root cause for several vulnerabilities.

Similar code could be present in other projects and affect several products using FRRouting or one of the networking operating systems that rely on it, like Cumulus, SONiC and DENT.

To mitigate the risk of vulnerable BGP implementations, like the FRRouting issues we found, the best recommendation is to patch network infrastructure devices as often as possible. To do so, you must first have an updated asset inventory that keeps track of all the networking devices in your firm and the versions of software running on them. This is much easier to achieve with software that provides granular visibility for every device in the network.

Vedere Labs is the cybersecurity research arm of Forescout Technologies. This team of global experts focuses on threat and vulnerability research that is shared with the broader cybersecurity community, including cybersecurity agencies and other researchers, software organizations, and device manufacturers.