PatchSiren cyber security CVE debrief
CVE-2023-38802 Siemens CVE debrief
CVE-2023-38802 is a high-severity denial-of-service vulnerability affecting FRRouting FRR versions 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2. The vulnerability was published on April 9, 2024, and last modified on May 13, 2025. A remote attacker can exploit this flaw by sending a crafted BGP update message containing a corrupted attribute 23 (Tunnel Encapsulation), causing the affected routing software to crash or become unresponsive. The vulnerability has been identified in Siemens RUGGEDCOM APE1808 devices when configured with Palo Alto Networks Virtual NGFW. Siemens has provided a vendor fix recommending upgrade to Palo Alto Networks Virtual NGFW V11.1.2-h3, with customers directed to contact customer support for patch and update information. The CVSS 3.1 score of 7.5 reflects network attack vector, low attack complexity, no required privileges or user interaction, and high availability impact. Organizations operating affected FRRouting or Pica8 PICOS implementations, particularly in industrial control environments using Siemens RUGGEDCOM APE1808, should prioritize patching and implement network segmentation to limit BGP exposure to untrusted peers.
- Vendor: Siemens
- Product: RUGGEDCOM APE1808
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2025-05-13
- Advisory published: 2024-04-09
- Advisory updated: 2025-05-13
Who should care
Network engineers and architects operating BGP infrastructure with FRRouting or Pica8 PICOS; security teams managing industrial control networks with Siemens RUGGEDCOM APE1808 devices; telecommunications and service providers using affected routing platforms for VPN or tunneling services; critical infrastructure operators relying on BGP for external connectivity; and organizations with BGP peering relationships that may receive untrusted or partially trusted routing updates.
Technical summary
The vulnerability exists in the processing of BGP Path Attribute 23 (Tunnel Encapsulation). A malformed or corrupted Tunnel Encapsulation attribute in a BGP UPDATE message triggers a denial-of-service condition in affected FRRouting and Pica8 PICOS implementations. The attack requires no authentication and can be executed remotely over the network. The vulnerability specifically affects BGP speakers that accept and process the Tunnel Encapsulation attribute, which is used for signaling tunnel encapsulation types in BGP-based VPN deployments. Successful exploitation results in loss of availability for the routing daemon, potentially disrupting network connectivity and routing table convergence in affected deployments.
Defensive priority
high
Recommended defensive actions
- Upgrade Palo Alto Networks Virtual NGFW to version V11.1.2-h3 on affected Siemens RUGGEDCOM APE1808 devices by contacting customer support for patch and update information
- Implement network segmentation to restrict BGP peering to trusted neighbors only
- Monitor BGP session stability and investigate unexpected session resets or daemon crashes
- Review and validate BGP update filtering policies to drop malformed attributes before processing
- Apply principle of least privilege to BGP peering sessions and disable unnecessary BGP features
- Consider implementing BGP session protection (TCP MD5 authentication or BGP TTL security) to reduce attack surface from unauthenticated sources
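A structural check for the Tunnel Encapsulation attribute described in the technical summary, as an added example that is not taken from the advisory, FRRouting, or Siemens: it walks a BGP Path Attributes block and reports length inconsistencies in attribute 23, so captured updates can be triaged offline. It assumes the attribute header layout of RFC 4271 and the TLV and sub-TLV layout of RFC 9012; the function names and the sample byte strings are constructed for illustration.

```python
# Added example; layouts assumed from RFC 4271 (attributes) and RFC 9012 (TLVs).
TUNNEL_ENCAP = 23        # attribute type code named in the advisory
EXTENDED_LENGTH = 0x10   # attribute flag: the length field is 2 octets

def iter_path_attributes(block):
    """Yield (type_code, value) for each attribute in a Path Attributes block."""
    pos = 0
    while pos < len(block):
        hdr = 4 if block[pos] & EXTENDED_LENGTH else 3
        if len(block) - pos < hdr:
            raise ValueError(f"truncated attribute header at offset {pos}")
        length = int.from_bytes(block[pos + 2:pos + hdr], "big")
        end = pos + hdr + length
        if end > len(block):
            raise ValueError(f"attribute {block[pos + 1]} overruns the block")
        yield block[pos + 1], block[pos + hdr:end]
        pos = end

def check_tunnel_encap(value):
    """Return structural problems found in a Tunnel Encapsulation value."""
    pos = 0
    while pos < len(value):
        if len(value) - pos < 4:
            return ["truncated tunnel TLV header"]
        tlen = int.from_bytes(value[pos + 2:pos + 4], "big")
        body = value[pos + 4:pos + 4 + tlen]
        if len(body) < tlen:
            return [f"tunnel TLV length {tlen} overruns the attribute"]
        sub = 0
        while sub < len(body):
            hdr = 3 if body[sub] >= 128 else 2   # types 128-255: 2-octet length
            slen = int.from_bytes(body[sub + 1:sub + hdr], "big")
            if sub + hdr + slen > len(body):
                return [f"sub-TLV at offset {sub} overruns its tunnel TLV"]
            sub += hdr + slen
        pos += 4 + tlen
    return []

def audit(block):
    # Collect problems for every attribute 23 in one attribute block.
    try:
        return [p for code, value in iter_path_attributes(block)
                if code == TUNNEL_ENCAP for p in check_tunnel_encap(value)]
    except ValueError as exc:
        return [str(exc)]

# Constructed sample blocks (not captured traffic): ORIGIN followed by attribute 23.
ORIGIN = bytes([0x40, 1, 1, 0])
WELL_FORMED = ORIGIN + bytes([0xC0, 23, 8]) + bytes.fromhex("0008 0004 0102 0000")
BAD_LENGTH = ORIGIN + bytes([0xC0, 23, 8]) + bytes.fromhex("0008 0010 0102 0000")
```

An empty list from `audit` means attribute 23 was absent or structurally consistent; it says nothing about whether a given FRRouting or PICOS build handles the update safely.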
Evidence notes
Vulnerability description sourced from CISA CSAF advisory ICSA-24-102-04. Vendor fix information and affected product details confirmed through Siemens security advisory SSA-455250 as referenced in source. CVSS vector and remediation details extracted from sourceItem metadata. Timeline dates reflect CVE record publication (2024-04-09) and most recent modification (2025-05-13) per sourceItem revision history.
Official resources
- CVE-2023-38802 CVE record (CVE.org)
- CVE-2023-38802 NVD detail (NVD)
- Source item URL (cisa_csaf)