{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gobgp/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GoBGP"],"_cs_severities":["medium"],"_cs_tags":["denial of service","bgp","network"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eA remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function within \u003ccode\u003einternal/pkg/table/message.go\u003c/code\u003e. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message. This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.\u003c/li\u003e\n\u003cli\u003eThe crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.\u003c/li\u003e\n\u003cli\u003eThe AS4_PATH attribute is intentionally malformed to trigger a validation error.\u003c/li\u003e\n\u003cli\u003eThe GoBGP process attempts to remove the invalid AS4_PATH attribute from the \u003ccode\u003emsg.PathAttributes\u003c/code\u003e slice in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eRemoving the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.\u003c/li\u003e\n\u003cli\u003eThe function attempts to access the AS_PATH attribute using a stale index (asAttrPos) calculated before the slice modification.\u003c/li\u003e\n\u003cli\u003eDue to the index shift, accessing \u003ccode\u003emsg.PathAttributes[asAttrPos]\u003c/code\u003e results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GoBGP to a patched version that addresses CVE-2026-41643.\u003c/li\u003e\n\u003cli\u003eMonitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gobgp-dos/","summary":"A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.","title":"GoBGP Remote Denial of Service via Malformed BGP UPDATE Message","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GoBGP"],"_cs_severities":["medium"],"_cs_tags":["gobgp","dos","bgp","routing"],"_cs_type":"advisory","_cs_vendors":["GoBGP"],"content_html":"\u003cp\u003eGoBGP version 4.3.0 is susceptible to a denial-of-service (DoS) vulnerability triggered by malformed BGP UPDATE messages. Specifically, when GoBGP receives an UPDATE message containing an unrecognized Path Attribute marked as \u0026ldquo;Well-known\u0026rdquo; (Optional bit set to 0), the daemon fails to properly handle the error. This leads to a nil pointer dereference, resulting in a panic and subsequent crash of the entire GoBGP process. This vulnerability, disclosed in GHSA-7235-89m6-f4px, can be exploited by any BGP peer, internal or external, sending such a malformed message. This poses a significant risk to network stability as it can disrupt BGP routing and connectivity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a standard BGP session with the targeted GoBGP instance, completing the OPEN/KEEPALIVE exchange.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message.\u003c/li\u003e\n\u003cli\u003eThis UPDATE message includes a Path Attribute with the Optional bit set to 0 (Well-known).\u003c/li\u003e\n\u003cli\u003eThe Path Attribute Type Code is set to an unrecognized value (e.g., 0xEE or 0xFF).\u003c/li\u003e\n\u003cli\u003eThe parsing logic in GoBGP identifies the unrecognized Well-known attribute.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erecvMessageloop\u003c/code\u003e function in \u003ccode\u003epkg/server/fsm.go\u003c/code\u003e fails to halt execution after identifying the malformed attribute.\u003c/li\u003e\n\u003cli\u003eThe code attempts to dereference a nil pointer associated with the invalid message body.\u003c/li\u003e\n\u003cli\u003eThis results in a \u0026ldquo;panic: runtime error: invalid memory address or nil pointer dereference\u0026rdquo;, causing the GoBGP daemon to crash, disrupting BGP routing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows a remote attacker to cause a denial-of-service condition on GoBGP deployments. A single malformed UPDATE message is sufficient to trigger the crash, affecting all GoBGP instances peering with potentially malicious or compromised BGP speakers. This can lead to routing instability, network outages, and potential data plane disruptions. The affected version, 4.3.0, may be widely deployed in various network environments, making it a significant concern for network operators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect GoBGP Malformed BGP Update\u003c/code\u003e to identify crafted BGP UPDATE messages containing unrecognized Well-known Path Attributes via network traffic analysis.\u003c/li\u003e\n\u003cli\u003eMonitor BGP peer sessions for unexpected disconnects or restarts, which may indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eConsider implementing BGP route filtering and validation mechanisms to mitigate the impact of malformed or malicious UPDATE messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-gobgp-dos/","summary":"A denial-of-service vulnerability exists in GoBGP version 4.3.0 where a malformed BGP UPDATE message containing an unrecognized Well-known Path Attribute triggers a nil pointer dereference, causing the BGP daemon to crash.","title":"GoBGP Remote Denial of Service via Malformed BGP Update Message","url":"https://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — GoBGP","version":"https://jsonfeed.org/version/1.1"}