CVE-2023-38802: 
Alma Linux vulnerability analysis and mitigation

CVE-2023-38802 is a denial-of-service (DoS) vulnerability discovered in BGP software implementations, specifically affecting FRRouting FRR versions 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2. The vulnerability was discovered by Ben Cartwright-Cox and disclosed in September 2023. The issue affects devices and appliances configured with BGP routing features enabled, allowing a remote attacker to cause session resets through an invalid BGP update with a corrupted attribute 23 (Tunnel Encapsulation) (Palo Alto Networks, NVD).

The vulnerability exists in the BGP implementation's handling of attribute 23 (Tunnel Encapsulation). When a corrupted version of this attribute is received, affected systems will incorrectly reset network sessions instead of properly handling the invalid data. The issue has been assigned a CVSS v3.1 base score of 7.5 HIGH, with attack vector being network-based (AV:N), low attack complexity (AC:L), requiring no privileges (PR:N), and no user interaction (UI:N) (NVD).

When exploited, this vulnerability can cause a denial-of-service condition by forcing BGP sessions to reset, potentially disrupting network connectivity. The impact is particularly severe for devices providing wider internet access, as session resets can result in network outages. The DoS condition can be persistent, as the session will reset again when reconnection is attempted if the malicious route is still present (Benjojo Blog).

The vulnerability has been fixed in various software versions including FRR 8.5.3 and PAN-OS versions 8.1.26, 9.0.17-h4, 9.1.16-h3, 10.1.11, 10.2.6, and 11.0.3. A temporary workaround involves inserting an unaffected BGP router configured to drop invalid BGP updates between the attacker-originated BGP update and affected devices. This prevents the invalid BGP update from reaching the vulnerable router (Palo Alto Networks, Debian Security).

The discovery sparked significant discussion in the network security community. The researcher who discovered the vulnerability, Ben Cartwright-Cox, noted poor vendor responses to the disclosure, with only OpenBSD's security team providing a rapid acknowledgment and patch. Several major ISPs, a large CDN, and two 'Tier 1' networks have applied configuration changes to prevent these issues from impacting their operations (Benjojo Blog).