search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Quagga contains multiple vulnerabilities

Vulnerability Note VU#551715

Original Release Date: 2012-03-23 | Last Revised: 2012-03-28

Overview

Quagga, a routing software suite, contains multiple vulnerabilities that result in a denial-of-service condition.

Description

Quagga 0.99.20 and previous versions are susceptible to various denial-of-service conditions. The Quagga advisories state the following:

CVE-2012-0249: Error in OSPF parsing LS-Update messages Can Cause a Crash of Quagga ospfd
The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon aborts due to an assert) with a malformed OSPF LS-Update message.

Program Impacted: Quagga (ospfd)

Description:
OSPFv2 implementation in Quagga version 0.99.20 and before does not perform a proper length check for a received LS-Update OSPF packet. A received packet, which has actually less bytes, than it is declared in its header, causes a buffer overflow, which immediately leads to a crash of OSPF protocol process and subsequent disruption of IPv4 routing.

Like many other OSPF cases, exploiting this vulnerability requires an ability to form an OSPF adjacency with the attacked OSPF router and initiate a database exchange process with it. Usual OSPF security precautions (including MD5 authentication) may lower the risk of such event. Upgrading to a patched version of Quagga is recommended regardless of any other measures taken.

CVE-2012-0250: Error in OSPF parsing Network-LSA messages Can Cause a Crash of Quagga ospfd
The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon crash) with a malformed OSPF Network-LSA message.

Program Impacted: Quagga (ospfd)

Description:
OSPFv2 implementation in Quagga version 0.99.20 and before does not perform a proper length check of the Network-LSA structures contained in an LS-Update OSPF packet. When an otherwise correct LS-Update OSPF packet contains a Network-LSA structure, which has its "Length" header field set to value bigger than the actual number of bytes in the buffer, a buffer overflow happens. This immediately leads to a crash of OSPF protocol process and subsequent disruption of IPv4 routing.

Like many other OSPF cases, exploiting this vulnerability requires an ability to form an OSPF adjacency with the attacked OSPF router and initiate a database exchange process with it. Usual OSPF security precautions (including MD5 authentication) may lower the risk of such event. Upgrading to a patched version of Quagga is recommended regardless of any other measures taken.

CVE-2012-0255: Error in BGP OPEN Message parsing Can Cause a Crash of Quagga bgpd
The bgpd implementation of BGP in Quagga up to (and including) 0.99.20 allows remote attackers to cause a denial of service (daemon aborts due to an assert) via BGP Open message with an invalid AS4 capability.

Program Impacted: Quagga (bgpd)

Description:
BGP implementation in Quagga version 0.99.20 and before contains an error in processing malformed AS4 capability in the BGP OPEN message which leads to a abort (daemon aborts due to an assert) of the BGP protocol process and subsequent disruption of IP routing. When an OPEN with a malformed AS4 capability message is detected, the code fails to flush the message buffers for the peer. When the peer next connects and sends a message, the code will attempt to parse the stale, half-consumed data in the message buffer as it were a fresh BGP message. This leads to an assert and exit of the BGP daemon in the BGP OPEN message parsing code.

The vulnerability is not restricted to BGP neighbors with 4-byte AS but can only be done from any configured peers (or sources spoofing the IP of a configured peer). The potential exists for this condition to be intentionally triggered, resulting in effective denial of service by crashing the BGPd. Usual BGP security precautions (including BGP MD5 authentication) may lower the risk of such event.

Impact

A remote attacker may be able to cause a denial-of-service condition.

Solution

Apply an Update

Upgrade to Quagga 0.99.20.1 either through the GIT master version or by applying a patch.

For CVE-2012-0255, the following workaround exists: Shutdown sessions to any peers you can not trust, or where you can not ensure the security of the control-plane.

Vendor Information

551715
 

Quagga Affected

Notified:  March 07, 2012 Updated: March 21, 2012

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Not Affected

Notified:  March 13, 2012 Updated: March 15, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Not Affected

Notified:  March 13, 2012 Updated: March 28, 2012

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Unknown

Notified:  March 20, 2012 Updated: March 20, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  March 20, 2012 Updated: March 20, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Unknown

Notified:  March 20, 2012 Updated: March 20, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SUSE Linux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified:  March 13, 2012 Updated: March 13, 2012

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

View all 27 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 6.1 AV:A/AC:L/Au:N/C:N/I:N/A:C
Temporal 4.8 E:POC/RL:OF/RC:C
Environmental 4.8 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Martin Winter at OpenSourceRouting.org for reporting these vulnerabilities, MU Dynamics for their sponsorship of the protocol fuzzer which uncovered these issues, and Denis Ovsienko & Paul Jakma for fixing the issues.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2012-0249, CVE-2012-0250, CVE-2012-0255
Severity Metric: 1.50
Date Public: 2012-03-23
Date First Published: 2012-03-23
Date Last Updated: 2012-03-28 12:09 UTC
Document Revision: 43

Sponsored by CISA.