Vulnerability Note VU#940439
Quagga bgpd is affected by multiple vulnerabilities
Overview
The Quagga BGP daemon, bgpd, prior to version 1.2.3 may be vulnerable to multiple issues that may result in denial of service, information disclosure, or remote code execution.
Description
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-5378 (Quagga-2018-0543)
The Quagga BGP daemon, bgpd, does not properly bounds-check the data sent with a NOTIFY to a peer when an attribute length is invalid. As a result, arbitrary data from the bgpd process may be sent over the network to a peer, and/or bgpd may crash.
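The kind of check the description says was missing, as an added example that is not Quagga's code: the attribute header layout and Extended Length flag follow RFC 4271, while `check_attr`, `struct attr_check` and the 64-byte `NOTIFY_DATA_MAX` cap are names and values assumed here. The data echoed in the NOTIFY is sized from the bytes actually received, never from the length the peer declared.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_FLAG_EXTLEN 0x10 /* RFC 4271: attribute length is 2 bytes */
#define NOTIFY_DATA_MAX  64   /* assumption: echo cap chosen for this example */

struct attr_check {
    int    valid;      /* 1 if the declared length fits in the received bytes */
    size_t notify_len; /* bytes placed in notify_data when invalid */
};

/* buf/len: attribute bytes actually received; off: start of one attribute.
 * On a bad length the offending attribute is echoed into notify_data, clamped
 * to what was received and to the size of notify_data. */
struct attr_check check_attr(const uint8_t *buf, size_t len, size_t off,
                             uint8_t notify_data[NOTIFY_DATA_MAX])
{
    struct attr_check r = {0, 0};
    if (off >= len)
        return r;                         /* nothing received, nothing to echo */
    size_t avail = len - off;
    size_t hdr = (buf[off] & ATTR_FLAG_EXTLEN) ? 4 : 3;
    if (avail >= hdr) {
        size_t alen = (hdr == 4) ? ((size_t)buf[off + 2] << 8) | buf[off + 3]
                                 : buf[off + 2];
        if (alen <= avail - hdr) {        /* declared value fits: accept */
            r.valid = 1;
            return r;
        }
    }
    /* Use the received byte count, never the declared length, for the copy. */
    r.notify_len = avail < NOTIFY_DATA_MAX ? avail : NOTIFY_DATA_MAX;
    memcpy(notify_data, buf + off, r.notify_len);
    return r;
}

int main(void)
{
    /* Constructed input: flags 0x40, type 2, declared length 200, 3 value bytes. */
    const uint8_t bad[] = {0x40, 0x02, 200, 0xaa, 0xbb, 0xcc};
    uint8_t data[NOTIFY_DATA_MAX];
    struct attr_check r = check_attr(bad, sizeof bad, 0, data);
    printf("valid=%d notify_len=%zu\n", r.valid, r.notify_len);
    return 0;
}
```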
Impact
An unauthenticated, remote attacker may be able to use crafted input to crash bgpd or even gain control of an affected bgpd process.
Solution
Apply an update
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 06 Feb 2018 | 15 Feb 2018 |
| CoreOS | Not Affected | 06 Feb 2018 | 07 Feb 2018 |
| Alpine Linux | Unknown | 15 Feb 2018 | 15 Feb 2018 |
| Arch Linux | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| Arista Networks, Inc. | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| ASP Linux | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| CentOS | Unknown | 15 Feb 2018 | 15 Feb 2018 |
| ENEA | Unknown | 15 Feb 2018 | 15 Feb 2018 |
| Fedora Project | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| Geexbox | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| Gentoo Linux | Unknown | 06 Feb 2018 | 06 Feb 2018 |
| HomeSeer | Unknown | 15 Feb 2018 | 15 Feb 2018 |
| Micro Focus | Unknown | 08 Feb 2018 | 08 Feb 2018 |
| MontaVista Software, Inc. | Unknown | 15 Feb 2018 | 15 Feb 2018 |
| Novell, Inc. | Unknown | 06 Feb 2018 | 06 Feb 2018 |
CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.3 | E:POC/RL:OF/RC:C |
| Environmental | 7.3 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND |
References
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- http://cwe.mitre.org/data/definitions/119.html
- http://cwe.mitre.org/data/definitions/125.html
- http://cwe.mitre.org/data/definitions/228.html
- http://cwe.mitre.org/data/definitions/415.html
Credit
The Quagga developers thank Alban Browaeys, Balaji Gurudoss, Borg, Scott Leggett and Debian QA Group, Eugene Bogomazov, Evgeny Uskov, Gerrie Roos, Mathieu Jadin, Pier Carlo Chiodi, and Rolf Eike Beer.
This document was written by Garret Wassermann.
Other Information
- CVE IDs: CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381
- Date Public: 15 Feb 2018
- Date First Published: 15 Feb 2018
- Date Last Updated: 15 Feb 2018
- Document Revision: 37