Quagga remote vulnerability
From: Paul Jakma (paul_at_clubi.ie)
Date: Fri, 14 Nov 2003 13:16:37 +0000 (GMT)
To: Quagga Users <firstname.lastname@example.org>
All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of
Scope of vulnerability:
All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, i.e. the telnet CLI, is accessible to
Affected daemons can be made to crash by sending a malformed telnet
The vty layer, when processing the telnet sub-negotiation end
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.
Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.
Alternatively, disable external vty access completely by removing the
vty password (and restarting) or passing the '-P 0' parameters to the
Quagga version 0.96.4 contains a fix for this bug. Alternatively, one
can manually apply the fix to whichever sources one uses currently.
(See the RedHat bugzilla entry referenced below for the fix).
Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for
fixing the bug.
RedHat Advisory RHSA-2003:307-09,
RedHat Bugzilla entry 107140,
The RedHat Advisory references a second vulnerability in GNU Zebra
and Quagga, regarding the zebra daemon accepting netlink messages
from any user. This vulnerability will be dealt with as soon as
--
Paul Jakma email@example.com firstname.lastname@example.org Key ID: 64A2FF6A
warning: do not ever send email to email@example.com
Fortune: Factorials were someone's attempt to make math LOOK exciting.
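
Added example, not part of the original advisory and not Quagga's code: a minimal telnet command parser showing the check the advisory describes as missing, namely that an SE marker is honoured only while a sub-negotiation is in progress. The struct, function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum { IAC = 255, SB = 250, SE = 240 };   /* telnet command bytes (RFC 854) */
#define SB_MAX 16

/* Hypothetical per-connection state; not Quagga's struct vty. */
struct telnet_state {
    int iac;                       /* previous byte was IAC */
    int in_sb;                     /* between IAC SB and IAC SE */
    unsigned char *sb_buf;         /* NULL unless a sub-negotiation is open */
    size_t sb_len;
    unsigned char storage[SB_MAX];
    unsigned completed, stray_se;  /* counters for the caller to inspect */
};

/* Feed one byte. Returns 0 normally, -1 when a stray SE is rejected. */
int telnet_feed(struct telnet_state *s, unsigned char c)
{
    if (!s->iac) {
        if (c == IAC) s->iac = 1;
        else if (s->in_sb && s->sb_len < SB_MAX) s->sb_buf[s->sb_len++] = c;
        return 0;
    }
    s->iac = 0;
    if (c == SB) {
        s->in_sb = 1; s->sb_buf = s->storage; s->sb_len = 0;
    } else if (c == SE) {
        /* Without this guard, SE handling would read through sb_buf
           while it is still NULL and the process would crash. */
        if (!s->in_sb || s->sb_buf == NULL) { s->stray_se++; return -1; }
        s->completed++;            /* real code would parse sb_buf here */
        s->in_sb = 0; s->sb_buf = NULL;
    }
    return 0;
}

/* Feed a buffer; returns how many stray SE markers were rejected. */
unsigned telnet_feed_all(struct telnet_state *s, const unsigned char *p, size_t n)
{
    unsigned before = s->stray_se;
    for (size_t i = 0; i < n; i++) telnet_feed(s, p[i]);
    return s->stray_se - before;
}

int main(void)
{
    struct telnet_state s = {0};
    const unsigned char in[] = { IAC, SE, IAC, SB, 24, 0, IAC, SE }; /* constructed */
    unsigned stray = telnet_feed_all(&s, in, sizeof in);
    printf("stray SE rejected: %u, completed: %u\n", stray, s.completed);
    return 0;
}
```

The stray_se counter gives a place to hang logging or connection teardown when a peer sends SE outside a sub-negotiation.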