Cyber Posture

CVE-2024-55553

Severity: High
Published: 06 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0019 (39.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55553 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in FRRouting (FRR); the product attribution is inferred from the references because NVD filed no CPE. Its CVSS 3.1 base score is 7.5 (High), and the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) is an availability-only impact: no confidentiality or integrity loss, but a network-reachable trigger with no privileges or user interaction required.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Exploit likelihood (EPSS) sits at the 39.8th percentile, below the median, and the CVE is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: drive enough RPKI change (ROA issuance and withdrawal) that routers running RTR repeatedly re-validate their full RIB, an Application or System Exploitation denial of service (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below, first among them patching to a fixed release.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

prevent · SI-2 Flaw Remediation
Directly remediates the flaw in FRR's RTR update handling by identifying, prioritizing and applying the fixed releases (10.0.3, 10.1.2, 10.2.1, or 10.3 and later), or a distribution backport that carries the upstream commit.

prevent · SC-5 Denial-of-Service Protection
Limits how much RTR churn the router has to absorb per refresh interval, for example by throttling the update rate at the RPKI cache or lengthening the router's polling period, so that oversized or frequent updates are less likely to exhaust resources. Caveat: the RTR session is opened by the router to its configured cache (RFC 8210), so the throttling point is the cache feed and the router's polling schedule, not an inbound connection filter; this reduces exposure but does not remove the re-validation trigger, and it does nothing about the organic large updates the advisory mentions.

prevent · Input size validation (no control ID given on the page)
Bounds the serialized size of an RTR update accepted in one refresh so it cannot exceed the socket buffer and trip the full-RIB re-validation path. This is a property of the patched RTR client rather than an operator-facing setting, so in practice it is delivered by SI-2 above.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct, network-triggered denial of service through abuse of application logic in the RPKI/RTR handling path, matching the Application or System Exploitation sub-technique of Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In FRRouting (FRR) before 10.3 from 6.0 onward, all routes are re-validated if the total size of an update received via RTR exceeds the internal socket's buffer size, default 4K on most OSes. An attacker can use this to trigger re-parsing of the RIB for FRR routers using RTR by causing more than this number of updates during an update interval (usually 30 minutes). Additionally, this effect regularly occurs organically. Furthermore, an attacker can use this to trigger route validation continuously. Given that routers with large full tables may need more than 30 minutes to fully re-validate the table, continuous issuance/withdrawal of large numbers of ROA may be used to impact the route handling performance of all FRR instances using RPKI globally. Additionally, the re-validation will cause heightened BMP traffic to ingestors. Fixed Versions: 10.0.3, 10.1.2, 10.2.1, >= 10.3.

Deeper analysis (AI-generated)

CVE-2024-55553 is a denial-of-service vulnerability (CVSS 3.1 score 7.5; AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H; CWE-404) in FRRouting (FRR), an open-source IP routing protocol suite. It affects releases from 6.0 onward before 10.3, excluding the fixed point releases 10.0.3, 10.1.2 and 10.2.1, and only matters for routers that run an RTR (RPKI-to-Router, RFC 8210) session to a validating cache for BGP route origin validation. When the total serialized size of the update received over RTR in one refresh exceeds the socket's internal buffer, 4 KB by default on most operating systems, FRR re-validates every route in its Routing Information Base (RIB) rather than only the prefixes that changed. The advisory notes that updates of this size also occur organically, without any attacker involvement.

The attacker does not talk to the router directly: the RTR session is opened by the router to its configured cache, so the lever is the content of the global RPKI. By continuously issuing and withdrawing large numbers of Route Origin Authorizations (ROAs), an attacker can make every refresh (typically every 30 minutes) deliver more than a buffer's worth of updates, forcing a full RIB re-validation each time. On routers carrying a full table a single re-validation can take longer than the refresh interval, so the router never finishes before the next trigger arrives. Because every FRR instance using RPKI consumes the same RPKI data, the effect is global rather than targeted, and each re-validation also drives additional BMP (BGP Monitoring Protocol) traffic to monitoring ingestors.
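The trigger condition in the NVD description and the analysis above can be made concrete by serializing RTR Prefix PDUs in their RFC 8210 wire format (20 bytes for an IPv4 Prefix PDU, 32 for IPv6) and counting how many fit in a 4096-byte buffer. The Python below is an added example written for this page, not FRR's code: it models the pre-fix decision ("did this refresh's update exceed the socket buffer?") beside the incremental path, and builds a constructed batch of announce/withdraw ROA updates to show where the threshold falls. The buffer size, the 10.0.0.0/8 sample prefixes, ASN 64496 and the re-validation timings are assumptions for illustration; FRR's internal logic is not reproduced.

```python
import ipaddress
import struct
from dataclasses import dataclass

# RFC 8210 (RTR v1) constants. Wire layout of a Prefix PDU:
#   u8 version | u8 pdu_type | u16 zero | u32 length |
#   u8 flags | u8 prefix_len | u8 max_len | u8 zero | prefix (4 or 16 bytes) | u32 asn
RTR_VERSION = 1
PDU_IPV4_PREFIX = 4      # total length 20 bytes
PDU_IPV6_PREFIX = 6      # total length 32 bytes
FLAG_ANNOUNCE = 0x01     # flags bit 0: 1 = announce, 0 = withdraw

# "default 4K on most OSes" per the NVD description; assumed here, tune per platform.
DEFAULT_SOCKET_BUF = 4096


@dataclass(frozen=True)
class RoaUpdate:
    prefix: str      # e.g. "192.0.2.0/24"
    max_len: int
    asn: int
    announce: bool   # True = ROA issued, False = ROA withdrawn


def encode_prefix_pdu(u: RoaUpdate) -> bytes:
    """Serialize one ROA change as an RTR IPv4/IPv6 Prefix PDU (RFC 8210 sections 5.6/5.7)."""
    net = ipaddress.ip_network(u.prefix, strict=True)
    if not net.prefixlen <= u.max_len <= net.max_prefixlen:
        raise ValueError(f"max_len {u.max_len} out of range for {u.prefix}")
    pdu_type, length = (PDU_IPV4_PREFIX, 20) if net.version == 4 else (PDU_IPV6_PREFIX, 32)
    flags = FLAG_ANNOUNCE if u.announce else 0
    header = struct.pack("!BBHI", RTR_VERSION, pdu_type, 0, length)
    body = struct.pack("!BBBB", flags, net.prefixlen, u.max_len, 0)
    return header + body + net.network_address.packed + struct.pack("!I", u.asn)


def update_batch_bytes(updates) -> int:
    """Serialized size of everything the cache sends in one refresh interval."""
    return sum(len(encode_prefix_pdu(u)) for u in updates)


def vulnerable_client_action(batch_bytes: int, socket_buf: int = DEFAULT_SOCKET_BUF) -> str:
    """Simplified model of the pre-fix behaviour the advisory describes: an update larger
    than the socket buffer makes the router re-validate every route in the RIB; a smaller
    one only re-checks the prefixes that changed. (Model only, not FRR's code.)"""
    return "full_rib_revalidation" if batch_bytes > socket_buf else "incremental"


def min_updates_to_trigger(pdu_len: int, socket_buf: int = DEFAULT_SOCKET_BUF) -> int:
    """Smallest number of equal-sized PDUs whose total exceeds the buffer."""
    return socket_buf // pdu_len + 1


def churn_batch(n: int, announce: bool, asn: int = 64496):
    """Constructed sample: n distinct /24 ROAs under 10.0.0.0/8 (private space, used purely
    as stand-in data), all issued or all withdrawn in one interval. ASN 64496 is from the
    documentation range (RFC 5398)."""
    return [RoaUpdate(f"10.{i >> 8}.{i & 0xFF}.0/24", 24, asn, announce) for i in range(n)]


def sustained_outage(revalidation_secs: int, refresh_interval_secs: int, batches: list) -> bool:
    """True if every refresh in `batches` trips a full re-validation and one re-validation
    takes longer than the refresh interval, i.e. the router never catches up."""
    return (revalidation_secs > refresh_interval_secs and
            all(vulnerable_client_action(update_batch_bytes(b)) == "full_rib_revalidation"
                for b in batches))


if __name__ == "__main__":
    print("IPv4 PDUs needed to exceed 4K:", min_updates_to_trigger(20))
    print("IPv6 PDUs needed to exceed 4K:", min_updates_to_trigger(32))
    for n in (204, 205):
        print(n, "IPv4 updates ->", vulnerable_client_action(update_batch_bytes(churn_batch(n, True))))
    # Attacker alternates issue/withdraw of the same 205 ROAs on every 30-minute refresh against
    # a router whose full-table re-validation takes ~45 minutes (both figures assumed).
    flips = [churn_batch(205, announce=(k % 2 == 0)) for k in range(4)]
    print("router never finishes re-validating:", sustained_outage(45 * 60, 30 * 60, flips))
```

The numbers are the point: with the 4K default, roughly 205 IPv4 or 129 IPv6 ROA changes landing in one refresh are enough, a volume that is small against normal RPKI churn, which is why the advisory says the condition also occurs organically.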

FRRouting's security advisory (https://frrouting.org/security/cve-2024-55553/) recommends upgrading to fixed versions 10.0.3, 10.1.2, 10.2.1, or 10.3 and later; the upstream patch is at https://github.com/FRRouting/frr/pull/17586/commits/b0800bfdf04b4fcf48504737ebfe4ba7f05268d3. Debian LTS backports are detailed in https://lists.debian.org/debian-lts-announce/2025/01/msg00023.html.
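A practitioner's first check is whether a given FRR build falls in the affected range and whether the router actually runs an RTR session, since the bug only matters for routers using RPKI. The Python below is an added helper for this page, not part of FRR: it encodes the fixed-version list from the advisory, extracts the version from constructed `show version` output, and looks for `rpki cache` lines in a constructed running config. The exact `show version` wording and the `rpki cache` syntax are assumptions about FRR's output. Distribution packages that backport the fix (such as the Debian LTS update linked above) keep the old upstream version number, so a version-only test reports them as affected and must be cross-checked against the package changelog; the `backport_applied` flag is where that answer goes.

```python
import re

# Affected range from the NVD text: FRR 6.0 onward, before 10.3, except the fixed point
# releases on the 10.0/10.1/10.2 branches. Versions are compared as integer tuples.
AFFECTED_FROM = (6, 0)
FIXED_FROM = (10, 3)
FIXED_POINT_RELEASES = {   # branch -> first fixed release on that branch
    (10, 0): (10, 0, 3),
    (10, 1): (10, 1, 2),
    (10, 2): (10, 2, 1),
}

# Constructed sample output for `vtysh -c "show version"`; the format is assumed.
SAMPLE_SHOW_VERSION = """FRRouting 10.1.1 (edge-rtr1) on Linux(6.1.0-28-amd64).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
    '--prefix=/usr' '--enable-rpki'
"""

# Constructed sample running-config fragment; the `rpki cache` syntax is assumed.
SAMPLE_RUNNING_CONFIG = """!
rpki
 rpki polling_period 1800
 rpki cache 192.0.2.10 3323 preference 1
exit
!
router bgp 64496
 bgp router-id 192.0.2.1
"""


def parse_version(s: str) -> tuple:
    """'10.1.1' -> (10, 1, 1); a trailing packaging suffix like '10.1.1-1' is dropped."""
    core = s.split("-")[0]
    return tuple(int(x) for x in core.split("."))


def is_affected(version: str) -> bool:
    """True if this upstream FRR version is inside the CVE-2024-55553 range."""
    v = parse_version(version)
    if v < AFFECTED_FROM or v[:2] >= FIXED_FROM:
        return False
    fixed = FIXED_POINT_RELEASES.get(v[:2])
    if fixed is not None:
        padded = v + (0,) * (3 - len(v))   # treat "10.2" as 10.2.0
        return padded < fixed
    return True


def frr_version_from_show_version(text: str):
    """Version string from the first line of `show version`, or None if not FRR output."""
    m = re.search(r"^FRRouting\s+(\d+(?:\.\d+)*(?:-\S+)?)", text, re.MULTILINE)
    return m.group(1) if m else None


def rtr_caches(running_config: str) -> list:
    """(host, port) pairs from 'rpki cache <host> <port> ...' lines; [] means RPKI is unused."""
    return re.findall(r"^\s*rpki cache\s+(\S+)\s+(\d+)", running_config, re.MULTILINE)


def assess(show_version: str, running_config: str, backport_applied: bool = False) -> dict:
    """Combine version range and RTR usage into an exposure verdict for one router."""
    version = frr_version_from_show_version(show_version)
    caches = rtr_caches(running_config)
    vulnerable_version = version is not None and is_affected(version) and not backport_applied
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "rtr_caches": caches,
        "exposed": vulnerable_version and bool(caches),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

Feed it the real outputs of `vtysh -c "show version"` and `vtysh -c "show running-config"` from each router; a router with no `rpki cache` line is not exposed to this CVE even on an affected version, while a router on 10.1.1 with a cache configured needs 10.1.2 or a verified backport.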

Details

CWE(s)

CWE-404 Improper Resource Shutdown or Release

Affected Products

FRRouting (FRR)
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2026-1173 (shared CWE-404)
CVE-2026-2517 (shared CWE-404)
CVE-2026-1172 (shared CWE-404)
CVE-2025-22846 (shared CWE-404)
CVE-2025-15539 (shared CWE-404)
CVE-2026-4240 (shared CWE-404)
CVE-2025-1893 (shared CWE-404)
CVE-2025-15529 (shared CWE-404)
CVE-2026-1683 (shared CWE-404)
CVE-2024-57659 (shared CWE-404)
