https://feed.craftedsignal.io/products/gobgp/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.A remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the UpdatePathAttrs4ByteAs function within internal/pkg/table/message.go. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.

Attack Chain

1. Attacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).
2. The attacker crafts a malicious BGP UPDATE message. This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.
3. The crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.
4. The AS4_PATH attribute is intentionally malformed to trigger a validation error.
5. The GoBGP process attempts to remove the invalid AS4_PATH attribute from the msg.PathAttributes slice in the UpdatePathAttrs4ByteAs function.
6. Removing the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.
7. The function attempts to access the AS_PATH attribute using a stale index (asAttrPos) calculated before the slice modification.
8. Due to the index shift, accessing msg.PathAttributes[asAttrPos] results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.

Impact

The vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.

Recommendation

• Upgrade GoBGP to a patched version that addresses CVE-2026-41643.
• Monitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.
• Implement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.

]]>mediumadvisorydenial of servicebgpnetworkhttps://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/A denial-of-service vulnerability exists in GoBGP version 4.3.0 where a malformed BGP UPDATE message containing an unrecognized Well-known Path Attribute triggers a nil pointer dereference, causing the BGP daemon to crash.GoBGP version 4.3.0 is susceptible to a denial-of-service (DoS) vulnerability triggered by malformed BGP UPDATE messages. Specifically, when GoBGP receives an UPDATE message containing an unrecognized Path Attribute marked as “Well-known” (Optional bit set to 0), the daemon fails to properly handle the error. This leads to a nil pointer dereference, resulting in a panic and subsequent crash of the entire GoBGP process. This vulnerability, disclosed in GHSA-7235-89m6-f4px, can be exploited by any BGP peer, internal or external, sending such a malformed message. This poses a significant risk to network stability as it can disrupt BGP routing and connectivity.

Attack Chain

1. An attacker establishes a standard BGP session with the targeted GoBGP instance, completing the OPEN/KEEPALIVE exchange.
2. The attacker crafts a malicious BGP UPDATE message.
3. This UPDATE message includes a Path Attribute with the Optional bit set to 0 (Well-known).
4. The Path Attribute Type Code is set to an unrecognized value (e.g., 0xEE or 0xFF).
5. The parsing logic in GoBGP identifies the unrecognized Well-known attribute.
6. The recvMessageloop function in pkg/server/fsm.go fails to halt execution after identifying the malformed attribute.
7. The code attempts to dereference a nil pointer associated with the invalid message body.
8. This results in a “panic: runtime error: invalid memory address or nil pointer dereference”, causing the GoBGP daemon to crash, disrupting BGP routing.

Impact

The vulnerability allows a remote attacker to cause a denial-of-service condition on GoBGP deployments. A single malformed UPDATE message is sufficient to trigger the crash, affecting all GoBGP instances peering with potentially malicious or compromised BGP speakers. This can lead to routing instability, network outages, and potential data plane disruptions. The affected version, 4.3.0, may be widely deployed in various network environments, making it a significant concern for network operators.

Recommendation

• Deploy the Sigma rule Detect GoBGP Malformed BGP Update to identify crafted BGP UPDATE messages containing unrecognized Well-known Path Attributes via network traffic analysis.
• Monitor BGP peer sessions for unexpected disconnects or restarts, which may indicate exploitation of this vulnerability.
• Consider implementing BGP route filtering and validation mechanisms to mitigate the impact of malformed or malicious UPDATE messages.

]]>mediumadvisorygobgpdosbgprouting