Quagga remote vulnerability

From: Paul Jakma (paul_at_clubi.ie)
Date: 11/14/03

    Date: Fri, 14 Nov 2003 13:16:37 +0000 (GMT)
    To: Quagga Users <quagga-users@lists.quagga.net>
    
    

    Summary:
    --------

    All versions of Quagga (and also GNU Zebra, from which Quagga was
    forked) are vulnerable to a remotely triggerable denial of
    service.

    Scope of vulnerability:
    -----------------------

    All versions of GNU Zebra and all versions of Quagga /prior/ to
    0.96.4, where a daemon's vty, i.e. the telnet CLI, is accessible to
    hostile parties.

    Impact:
    -------

    Affected daemons can be made to crash by sending a malformed telnet
    command.

    Description:
    ------------

    The vty layer, when processing the telnet sub-negotiation end
    marker, SE, does not check whether there is a sub-negotiation in
    progress, and hence will attempt to dereference a (typically) NULL
    pointer, causing the daemon to crash.

    Workaround:
    -----------

    Restrict access to the daemon's telnet CLI, either by configuring each
    daemon's vty with an appropriate access-class and access-list, or by
    some external firewalling application.

    Alternatively, disable external vty access completely by removing the
    vty password (and restarting) or passing the '-P 0' parameters to the
    daemon.

    Solution:
    -----------

    Quagga version 0.96.4 contains a fix for this bug. Alternatively, one
    can manually apply the fix to whichever sources one uses currently.
    (See the RedHat bugzilla entry referenced below for the fix).

    Credits:
    --------

    Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
    and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for
    fixing the bug.

    References:
    ----------

    RedHat Advisory RHSA-2003:307-09,
    http://rhn.redhat.com/errata/RHSA-2003-307.html

    RedHat Bugzilla entry 107140,
    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140

    CAN-2003-0795

    Footnote:
    ---------

    The RedHat Advisory references a second vulnerability in GNU Zebra
    and Quagga, regarding the zebra daemon accepting netlink messages
    from any user. This vulnerability will be dealt with as soon as
    possible.

    regards,

    -- 
    Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
    	warning: do not ever send email to spam@dishone.st
    Fortune:
    Factorials were someone's attempt to make math LOOK exciting.
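
The check described under "Description", shown as an added example that is not part of the original advisory and is not Quagga's code: a minimal telnet option parser that accepts SE only while a sub-negotiation is open. The names `tn_state`, `tn_feed`, `SB_MAX` and `stray_se` are hypothetical; the command byte values are those of RFC 854.

```c
#include <stddef.h>

/* Telnet command bytes from RFC 854. */
enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_DONT = 254, TN_IAC = 255 };
#define SB_MAX 32

/* Hypothetical per-connection parser state; not Quagga's struct vty. */
struct tn_state {
    int iac, skip;            /* saw IAC; next byte is a WILL..DONT option */
    unsigned char *sb_buf;    /* NULL unless a sub-negotiation is open */
    size_t sb_len;
    int last_opt;             /* option code of the last completed SB */
    unsigned char storage[SB_MAX];
};

/* Constructed sample: IAC SE with no IAC SB before it. */
static const unsigned char stray_se[] = { TN_IAC, TN_SE };

/* Returns completed sub-negotiations, or -1 on a protocol violation. */
int tn_feed(struct tn_state *s, const unsigned char *p, size_t n)
{
    int done = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (s->skip) { s->skip = 0; continue; }
        if (!s->iac) {
            if (c == TN_IAC) s->iac = 1;
            else if (s->sb_buf) {
                if (s->sb_len == SB_MAX) return -1;  /* bound the buffer */
                s->sb_buf[s->sb_len++] = c;
            }
            continue;                                /* plain CLI data */
        }
        s->iac = 0;
        if (c == TN_SB) {
            s->sb_buf = s->storage;
            s->sb_len = 0;
        } else if (c == TN_SE) {
            /* Guard: without it, sb_buf[0] below is read through NULL. */
            if (s->sb_buf == NULL || s->sb_len == 0) return -1;
            s->last_opt = s->sb_buf[0];
            s->sb_buf = NULL;
            done++;
        } else if (c >= TN_WILL && c <= TN_DONT) {
            s->skip = 1;
        }
    }
    return done;
}
```

A caller would close the connection when `tn_feed` returns -1 instead of continuing to process the session.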
    
