CVE-2023-46753: 
Rocky Linux vulnerability analysis and mitigation

An issue was discovered in FRRouting FRR through version 9.0.1, identified as CVE-2023-46753. The vulnerability allows a crash to occur when processing a crafted BGP UPDATE message without mandatory attributes, specifically when the message contains only an unknown transit attribute (NVD, Debian).

The vulnerability has a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue stems from insufficient validation of BGP UPDATE message attributes, where the system only checks if the attribute flag is set without verifying the length of path attributes. This vulnerability is particularly exploitable when the graceful-restart capability is received (NVD, GitHub Patch).

When successfully exploited, this vulnerability results in a crash of the BGP daemon, affecting the availability of the routing service. The impact is limited to availability with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in various distributions and versions. Ubuntu has released fixes across multiple versions including 24.04 LTS (8.4.4-1.1ubuntu2), 23.10 (8.4.4-1.1ubuntu1.1), and 22.04 LTS (8.1-1ubuntu1.7). Debian has also provided fixes in their security updates (Ubuntu, Debian).