Vulnerability Note VU#962587

Quagga BGP OPEN denial of service vulnerability

Original Release date: 04 Jun 2012 | Last revised: 11 Jun 2012

Overview

Quagga, a routing software suite, contains a BGP OPEN vulnerability that result in a denial-of-service condition.

Description

CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.

Program Impacted: bgpd: fix DoS in bgp_capability_orf()

Description:
If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.

An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call.

The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV.

For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current "Number of ORFs" field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV.

Impact

A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected25 Apr 201226 Apr 2012
InfobloxAffected25 Apr 201226 Apr 2012
Openwall GNU/*/LinuxNot Affected25 Apr 201226 Apr 2012
Conectiva Inc.Unknown25 Apr 201225 Apr 2012
Cray Inc.Unknown25 Apr 201225 Apr 2012
Engarde Secure LinuxUnknown25 Apr 201225 Apr 2012
Fedora ProjectUnknown25 Apr 201225 Apr 2012
Gentoo LinuxUnknown25 Apr 201225 Apr 2012
GoogleUnknown25 Apr 201225 Apr 2012
Hewlett-Packard CompanyUnknown25 Apr 201225 Apr 2012
IBM Corporation (zseries)Unknown25 Apr 201225 Apr 2012
IBM eServerUnknown25 Apr 201225 Apr 2012
Mandriva S. A.Unknown25 Apr 201225 Apr 2012
MontaVista Software, Inc.Unknown25 Apr 201225 Apr 2012
Novell, Inc.Unknown25 Apr 201225 Apr 2012
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base 5.5 AV:A/AC:L/Au:S/C:N/I:N/A:C
Temporal 4.5 E:F/RL:OF/RC:C
Environmental 5.0 CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Denis Ovsienko for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-1820
  • Date Public: 03 Jun 2012
  • Date First Published: 04 Jun 2012
  • Date Last Updated: 11 Jun 2012
  • Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.