ID

VAR-200704-0182

CVE

CVE-2007-1995

TITLE

Quagga BGPD UPDATE Message Remote Denial Of Service Vulnerability

DESCRIPTION

bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read. (DoS) There is a vulnerability that becomes a condition.Crafted by a third party UPDATE Service disruption by sending a message (DoS) It may be in a state. Quagga is prone to a remote denial-of-service vulnerability because it fails to handle a malformed multi-protocol message. A remote attacker can exploit this issue by submitting a maliciously crafted message to the application. Successful exploits will cause the Quagga 'bgpd' daemon to abort, denying further service to legitimate users. Quagga 0.99.6 and prior versions (0.99 branch) as well as 0.98.6 and prior versions (0.98 branch) are vulnerable. =========================================================== Ubuntu Security Notice USN-461-1 May 17, 2007 quagga vulnerability CVE-2007-1995 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: quagga 0.99.2-1ubuntu3.1 Ubuntu 6.10: quagga 0.99.4-4ubuntu1.1 Ubuntu 7.04: quagga 0.99.6-2ubuntu3.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that Quagga did not correctly verify length information sent from configured peers. Remote malicious peers could send a specially crafted UPDATE message which would cause bgpd to abort, leading to a denial of service. Updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995 _______________________________________________________________________ Updated Packages: Corporate 4.0: becaf6ded7283c9c6021b225cdf4610a corporate/4.0/i586/libquagga0-0.99.3-1.1.20060mlcs4.i586.rpm 71834dab731b65e7a35a9fdd9732a889 corporate/4.0/i586/libquagga0-devel-0.99.3-1.1.20060mlcs4.i586.rpm cfbeb9e74071ffac712e5162f2613ac9 corporate/4.0/i586/quagga-0.99.3-1.1.20060mlcs4.i586.rpm 7cde7b9c156b90b8dcc960bfc1e32cbe corporate/4.0/i586/quagga-contrib-0.99.3-1.1.20060mlcs4.i586.rpm 725cf792adafc90d58a34178e4066771 corporate/4.0/SRPMS/quagga-0.99.3-1.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 92d1d28d06eb4eaff483882a41a5d31b corporate/4.0/x86_64/lib64quagga0-0.99.3-1.1.20060mlcs4.x86_64.rpm ccfa5e5665423f19b0c36ff13db53164 corporate/4.0/x86_64/lib64quagga0-devel-0.99.3-1.1.20060mlcs4.x86_64.rpm a9af90e11e1b9f0485718d4762b1f8fd corporate/4.0/x86_64/quagga-0.99.3-1.1.20060mlcs4.x86_64.rpm 596581e4051d2e02ae2b476e3aa83f74 corporate/4.0/x86_64/quagga-contrib-0.99.3-1.1.20060mlcs4.x86_64.rpm 725cf792adafc90d58a34178e4066771 corporate/4.0/SRPMS/quagga-0.99.3-1.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGONI7mqjQ0CJFipgRAhmXAKCr1iOp0SaSv1WdD2EsWJjqR3ZF4ACfZ2FP 56VBScMSKds3eiA29koFg5w= =IS+w -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200705-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Quagga: Denial of Service Date: May 02, 2007 Bugs: #174206 ID: 200705-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been discovered in Quagga allowing for a Denial of Service. Background ========== Quagga is a free routing daemon, supporting RIP, OSPF and BGP protocols. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/quagga < 0.98.6-r2 >= 0.98.6-r2 Description =========== The Quagga development team reported a vulnerability in the BGP routing deamon when processing NLRI attributes inside UPDATE messages. Impact ====== A malicious peer inside a BGP area could send a specially crafted packet to a Quagga instance, possibly resulting in a crash of the Quagga daemon. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-0.98.6-r2" References ========== [ 1 ] CVE-2007-1995 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200705-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2007 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 1293-1 security@debian.org http://www.debian.org/security/ Martin Schulze May 17th, 2007 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : quagga Vulnerability : out of boundary read Problem type : remote Debian-specific: no CVE ID : CVE-2007-1995 BugTraq ID : 23417 Debian Bug : 418323 Paul Jakma discovered that specially crafted UPDATE messages can trigger an out of boundary read that can result in a system crash of quagga, the BGP/OSPF/RIP routing daemon. For the old stable distribution (sarge) this problem has been fixed in version 0.98.3-7.4. For the stable distribution (etch) this problem has been fixed in version 0.99.5-5etch2. For the unstable distribution (sid) this problem has been fixed in version 0.99.6-5. We recommend that you upgrade your quagga package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given at the end of this advisory: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4.dsc Size/MD5 checksum: 1017 668014e3d7bde772eac63fc2809538c8 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4.diff.gz Size/MD5 checksum: 45503 ce79e6a7a23c57551af673936957b520 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3.orig.tar.gz Size/MD5 checksum: 2118348 68be5e911e4d604c0f5959338263356e Architecture independent components: http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.98.3-7.4_all.deb Size/MD5 checksum: 488726 9176bb6c2d44c83c6b0235fe2d787c24 Alpha architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_alpha.deb Size/MD5 checksum: 1613754 754e865cef5379625e6ac77fc03a1175 AMD64 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_amd64.deb Size/MD5 checksum: 1413316 5aa1b7a4d2a9a262d89e6ff050b61140 ARM architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_arm.deb Size/MD5 checksum: 1290700 071171571b6afb1937cfe6d535a571dc HP Precision architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_hppa.deb Size/MD5 checksum: 1447856 c4137c1ad75efb58c080a96aa9c0699e Intel IA-32 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_i386.deb Size/MD5 checksum: 1193528 52640ebe894244e34b98b43150028c01 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_ia64.deb Size/MD5 checksum: 1829130 27191432085ad6ebff2160874aa06826 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_m68k.deb Size/MD5 checksum: 1160000 c2f78f24982732c9804de4297c4c2672 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_mips.deb Size/MD5 checksum: 1353040 6ceb137f2908165b4d1420f56b8be65b Little endian MIPS architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_mipsel.deb Size/MD5 checksum: 1355964 a1685523eede48afe70b1861a6b38038 PowerPC architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_powerpc.deb Size/MD5 checksum: 1317034 2d80694cf741a3ed85617dbf4e7b4776 IBM S/390 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_s390.deb Size/MD5 checksum: 1401630 458f1f892e6ed57677971334589ecc45 Sun Sparc architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.98.3-7.4_sparc.deb Size/MD5 checksum: 1287812 e92233bfc759de15910da4241e27ebd1 Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2.dsc Size/MD5 checksum: 762 667f0d6ae4984aa499d912b12d9146b9 http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2.diff.gz Size/MD5 checksum: 33122 ac7da5cf6b143338aef2b8c6da3b2b3a http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5.orig.tar.gz Size/MD5 checksum: 2311140 3f9c71aca6faa22a889e2f84ecfd0076 Architecture independent components: http://security.debian.org/pool/updates/main/q/quagga/quagga-doc_0.99.5-5etch2_all.deb Size/MD5 checksum: 719938 01bcc6c571f620c957e1ea2b5cacf9f6 Alpha architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_alpha.deb Size/MD5 checksum: 1681634 1f05ece668256dce58fe303801eb80b9 AMD64 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_amd64.deb Size/MD5 checksum: 1415656 6e88dd4c6f56eba87c752369590cf486 ARM architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_arm.deb Size/MD5 checksum: 1347388 c33f7ed4aed2e8f846975ace01cee97c HP Precision architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_hppa.deb Size/MD5 checksum: 1531224 22ce4a12ec77dae40ab0d064a7caeb9b Intel IA-32 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_i386.deb Size/MD5 checksum: 1246878 d358565ab725d69a366115ff6ef277c3 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_ia64.deb Size/MD5 checksum: 1955390 9327ea2cf8778b8cca45d1ccea8092f7 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_mips.deb Size/MD5 checksum: 1455582 a415e82fd838b9ce0f5badcdf4278770 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_mipsel.deb Size/MD5 checksum: 1460546 af16aa91c13c54fa84769e3e30d521f0 PowerPC architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_powerpc.deb Size/MD5 checksum: 1379422 e7f92220a37daac49ddb3b0da124b9f7 IBM S/390 architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_s390.deb Size/MD5 checksum: 1482556 87509f6d9afef8940e0b35055f590ed8 Sun Sparc architecture: http://security.debian.org/pool/updates/main/q/quagga/quagga_0.99.5-5etch2_sparc.deb Size/MD5 checksum: 1347908 db02aaf16c68dfac81a509b8145ca001 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFGTA8+W5ql+IAeqTIRApJFAJ0Zzdee8GfPVGWPY4woGKs4K1av8ACdH6xD EQiEXt1eQaZqI//EEe6eEcI= =NJHp -----END PGP SIGNATURE----- . References: [0] http://www.quagga.net/ [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1995 ____________________________________________________________________________ Primary Package Name: quagga Primary Package Home: http://openpkg.org/go/package/quagga Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID quagga-0.99.5-E1.0.1 OpenPKG Community CURRENT quagga-0.99.7-20070430 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

input validation

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Paul Jakma

SOURCES

LAST UPDATE DATE

2022-05-29T21:15:25.945000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE