{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/gobgp/v4-4.4.0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["gobgp/v4 (4.4.0)"],"_cs_severities":["medium"],"_cs_tags":["bgp","denial-of-service","networking"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eGoBGP version 4.4.0 is susceptible to a denial-of-service (DoS) vulnerability that can be exploited by unauthenticated remote BGP peers. This flaw arises from improper handling of malformed BGP UPDATE messages, specifically those containing inconsistent attribute lengths. When a GoBGP server receives such a message, it incorrectly transitions to a \u0026ldquo;withdraw\u0026rdquo; action, leading to a nil pointer dereference in the \u003ccode\u003eAdjRib.Update\u003c/code\u003e function. This dereference causes a fatal panic, crashing the entire GoBGP process and resulting in a complete loss of BGP service availability. This vulnerability allows an attacker to disrupt network routing and potentially cause significant network outages.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote BGP peer establishes a BGP connection with the vulnerable GoBGP server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message with inconsistent attribute lengths.\u003c/li\u003e\n\u003cli\u003eThe crafted UPDATE message is sent to the GoBGP server over the established BGP session.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandleUpdate\u003c/code\u003e function in \u003ccode\u003epkg/server/peer.go\u003c/code\u003e processes the received message.\u003c/li\u003e\n\u003cli\u003eDue to the malformed attributes, the message is treated as a withdrawal.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAdjRib.Update\u003c/code\u003e function in \u003ccode\u003einternal/pkg/table/adj.go\u003c/code\u003e is called.\u003c/li\u003e\n\u003cli\u003eAt line 127 of \u003ccode\u003eadj.go\u003c/code\u003e, the code attempts to access a member of a nil pointer, causing a panic.\u003c/li\u003e\n\u003cli\u003eThe GoBGP process crashes, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a complete denial of BGP service, as the GoBGP process crashes. This can disrupt network routing, potentially leading to significant network outages and impacting any services relying on BGP. The vulnerability affects GoBGP version 4.4.0. While the exact number of affected installations is unknown, any network relying on a vulnerable GoBGP instance is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of GoBGP that addresses CVE-2026-42285.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect GoBGP Crash via Nil Pointer Dereference\u0026rdquo; to detect exploitation attempts in real-time based on log messages.\u003c/li\u003e\n\u003cli\u003eMonitor BGP sessions from IP 192.168.31.195, as this address was involved in the proof-of-concept exploit.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Malformed BGP Update Messages\u0026rdquo; to identify potentially malicious BGP UPDATE messages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"/briefs/2024-01-gobgp-dos/","summary":"GoBGP version 4.4.0 is vulnerable to a remote denial-of-service attack where a malformed BGP UPDATE message triggers a nil pointer dereference, crashing the GoBGP process.","title":"GoBGP Remote Denial of Service via Malformed BGP Update Message","url":"https://feed.craftedsignal.io/briefs/2024-01-gobgp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Gobgp/V4 (4.4.0)","version":"https://jsonfeed.org/version/1.1"}