[UNIX] Zebra and Quagga Remote DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 11/16/03

    To: list@securiteam.com
    Date: 16 Nov 2003 18:35:24 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Zebra and Quagga Remote DoS
    ------------------------------------------------------------------------

    SUMMARY

    A remote DoS condition exists in Zebra and/or Quagga when layer 3 access
    is possible to the telnet management port (2601/tcp, or 2605/tcp for bgpd).
    The vulnerability can be reproduced by sending a telnet option delimiter
    with no actual option data. This will cause a bad memory call and SIGSEGV.

    DETAILS

    Vulnerable systems:
     * GNU Zebra and all versions of Quagga prior to 0.96.4

    Workaround:
    Restrict access to each daemon's telnet CLI, either by configuring each
    daemon's vty with an appropriate access-class and access-list, or with
    an external firewalling application.

    Alternatively, disable external vty access completely by removing the vty
    password (and restarting) or passing the '-P 0' parameter to the daemon.

    Steps to Reproduce:
    1. Run Zebra on a machine.
    2. From another machine run:
       printf '\xff\xf0\xff\xf0\xff\xf0' | nc <zebra-host> 2601
    3. Zebra dies.

    Solution:
    Quagga version 0.96.4 contains a fix for this bug. Alternatively, one can
    manually apply the fix to whichever sources one currently uses. See the
    Red Hat Bugzilla entry referenced for the fix:
    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140

    ADDITIONAL INFORMATION

    The information has been provided by Jonny Robertson
    <jonny@prophecy.net.nz> and Paul Jakma <paul@clubi.ie>.
