search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Quagga BGP OPEN denial of service vulnerability

Vulnerability Note VU#962587

Original Release Date: 2012-06-04 | Last Revised: 2012-06-11

Overview

Quagga, a routing software suite, contains a BGP OPEN vulnerability that result in a denial-of-service condition.

Description

CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.

Program Impacted: bgpd: fix DoS in bgp_capability_orf()

Description:

If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.

An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call.

The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV.


For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current "Number of ORFs" field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV.

Impact

A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

962587
 
Affected   Unknown   Unaffected

Debian GNU/Linux

Notified:  April 25, 2012 Updated:  April 26, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox

Notified:  April 25, 2012 Updated:  April 26, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  April 25, 2012 Updated:  April 26, 2012

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  April 25, 2012 Updated:  April 25, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta

Notified:  May 11, 2012 Updated:  May 11, 2012

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 5.5 AV:A/AC:L/Au:S/C:N/I:N/A:C
Temporal 4.5 E:F/RL:OF/RC:C
Environmental 5 CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Denis Ovsienko for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-1820
Date Public: 2012-06-03
Date First Published: 2012-06-04
Date Last Updated: 2012-06-11 14:04 UTC
Document Revision: 12

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.