ID

VAR-201802-1051

CVE

CVE-2018-5381

TITLE

Quagga bgpd is affected by multiple vulnerabilities

DESCRIPTION

The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service. The Quagga BGP daemon bgpd prior to version 1.2.3 may be vulnerable to multiple issues that may result in denial of service, information disclosure, or remote code execution. Quagga bgpd Contains several vulnerabilities: * Buffer overflow (CWE-119) - CVE-2018-5378 (Quagga-2018-0543) * Double memory release (CWE-415) - CVE-2018-5379 (Quagga-2018-1114) * Out of bounds read (CWE-125) - CVE-2018-5380 (Quagga-2018-1550) * Improper handling of incorrect syntactic constructs (CWE-228) - CVE-2018-5381 (Quagga-2018-1975) Detail is <a href="https://savannah.nongnu.org/forum/forum.php?forum_id=9095"target="blank"> Information provided by the developer </a> Please refer to.The expected impact depends on each vulnerability, but remote code execution, information leakage, service operation interruption by a remote third party (DoS) An attack could be made. Quagga is prone to multiple denial of service vulnerabilities. Attackers can exploit these issues to crash the affected application, denying service to legitimate users. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface). https://www.quagga.net/security/Quagga-2018-1975.txt For the oldstable distribution (jessie), these problems have been fixed in version 0.99.23.1-1+deb8u5. For the stable distribution (stretch), these problems have been fixed in version 1.1.1-3+deb9u2. We recommend that you upgrade your quagga packages. For the detailed security status of quagga please refer to its security tracker page at: https://security-tracker.debian.org/tracker/quagga Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqGBaVfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0RpyRAAhVpntFw+LSUUzL2/cx7m+s4fHijhOkU/AjKKmW4a9rAi0iJYW4HNv5BU cKfz6yhngFUzCa+Glhmiwzt77eAoeksJSvxkKio5CTqjV3OxCWbDPPz/iRRHcKvK MGhnqyShMCF8boQU0plmqNbfhnSWNAObbaI2fPmjLOU4A4jPY1T/fbzu4Sd3k5qY ETeHq9+HlVdGnyNEoYnoO0XQH56ueNHy3VlChJ0S2OPtFtoKXkjM/er+yG6413+G 3e90tcbm2xlitmrTyZm9K/Q08UWLJx510n1rxehaO1DTEz+bqSNezySOhyNb8sTA fuadDpgs2ozwgSmxyuWFj0RL3fKvgycw1ZeNiS5nUmRJTobrPlnjyX+A8FEJhPuI 9xyVa8j6wUeBVZdgd9b/EWLQ1Z9oDRiXmHRJeVOtz4JRNPP1KLtBcsPxFW9eCp83 9gFMqk/vMYQSpRqtQdnl5OawEpeurMtusBsnlEV5y9afiHU9jKB8N7RPwxCJgtjP /jmhS4lOvn3F5lNILahaL3lrk/b0EsECajBltbN9YVU0yabWWRWSMrJ3ujamhaXE aUQKmVj1alwDyg90vToiUftdr3R0hPPFuzA0BAK55SJVzjwJ2XInzItr+2y1tMPn dSpd32tzrxpDm86rvmRIiAJbj28n7QnX9I9BlKZqWq2fUUhTkNg= =Gy8j -----END PGP SIGNATURE----- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201804-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Quagga: Multiple vulnerabilities Date: April 22, 2018 Bugs: #647788 ID: 201804-17 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Quagga, the worst of which could allow remote attackers to execute arbitrary code. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Quagga users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/quagga-1.2.4" References ========== [ 1 ] CVE-2018-5378 https://nvd.nist.gov/vuln/detail/CVE-2018-5378 [ 2 ] CVE-2018-5379 https://nvd.nist.gov/vuln/detail/CVE-2018-5379 [ 3 ] CVE-2018-5380 https://nvd.nist.gov/vuln/detail/CVE-2018-5380 [ 4 ] CVE-2018-5381 https://nvd.nist.gov/vuln/detail/CVE-2018-5381 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201804-17 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-3573-1 February 16, 2018 quagga vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 17.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in Quagga. Software Description: - quagga: BGP/OSPF/RIP routing daemon Details: It was discovered that a double-free vulnerability existed in the Quagga BGP daemon when processing certain forms of UPDATE message. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-5379) It was discovered that the Quagga BGP daemon did not properly bounds check the data sent with a NOTIFY to a peer. An attacker could use this to expose sensitive information or possibly cause a denial of service. This issue only affected Ubuntu 17.10. (CVE-2018-5378) It was discovered that a table overrun vulnerability existed in the Quagga BGP daemon. An attacker in control of a configured peer could use this to possibly expose sensitive information or possibly cause a denial of service. (CVE-2018-5381) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 17.10: quagga 1.1.1-3ubuntu0.2 quagga-bgpd 1.1.1-3ubuntu0.2 Ubuntu 16.04 LTS: quagga 0.99.24.1-2ubuntu1.4 Ubuntu 14.04 LTS: quagga 0.99.22.4-3ubuntu1.5 After a standard system update you need to restart Quagga to make all the necessary changes. References: https://www.ubuntu.com/usn/usn-3573-1 CVE-2018-5378, CVE-2018-5379, CVE-2018-5380, CVE-2018-5381 Package Information: https://launchpad.net/ubuntu/+source/quagga/1.1.1-3ubuntu0.2 https://launchpad.net/ubuntu/+source/quagga/0.99.24.1-2ubuntu1.4 https://launchpad.net/ubuntu/+source/quagga/0.99.22.4-3ubuntu1.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

resource management error

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Siemens reported these vulnerabilities to NCCIC.

SOURCES

LAST UPDATE DATE

2024-11-23T22:12:39.695000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE