http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442

openSUSE-SU-2016:0863

openSUSE-SU-2016:0888

http://nongnu.askapache.com//quagga/quagga-1.0.20160309.changelog.txt

RHSA-2017:0794

DSA-3532

VU#270232

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

84318

USN-2941-1

GLSA-201610-03

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 4.05, has quagga packages installed that are affected by multiple vulnerabilities:

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

From Red Hat Security Advisory 2017:0794 :

An update for quagga is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector.

Security Fix(es) :

* A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245)

* A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342)

* A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049)

* A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash.
(CVE-2017-5495)

* A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

An update for quagga is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector.

Security Fix(es) :

* A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245)

* A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342)

* A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049)

* A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash.
(CVE-2017-5495)

* A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

This update addresses multiple security problems and fixes systemd dependencies.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201610-03 (Quagga: Arbitrary code execution)

    A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not       properly check the upper-bound length of received Labeled-VPN SAFI routes       data, which may allow for arbitrary code execution on the stack.
  Impact :

    A remote attacker could send a specially crafted packet, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update for quagga fixes the following security issue :

  - CVE-2016-2342: Quagga was extended the prefixlen check     to ensure it is within the bound of the NLRI packet data     and the on-stack prefix structure and the maximum size     for the address family (bsc#970952).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Kostya Kortchinsky discovered a stack-based buffer overflow vulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIP routing daemon. A remote attacker can exploit this flaw to cause a denial of service (daemon crash), or potentially, execution of arbitrary code, if bgpd is configured with BGP peers enabled for VPNv4.

Kostya Kortchinsky discovered that Quagga incorrectly handled certain route data when configured with BGP peers enabled for VPNv4. A remote attacker could use this issue to cause Quagga to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-2342)

It was discovered that Quagga incorrectly handled messages with a large LSA when used in certain configurations. A remote attacker could use this issue to cause Quagga to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-2236).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for quagga fixes the following security issue :

  - CVE-2016-2342: Quagga was extended the prefixlen check     to ensure it is within the bound of the NLRI packet data     and the on-stack prefix structure and the maximum size     for the address family (bsc#970952).

Donald Sharp reports :

A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts.

ID	Name	Product	Family	Severity
131900	EulerOS 2.0 SP2 : quagga (EulerOS-SA-2019-2408)	Nessus	Huawei Local Security Checks	high
127329	NewStart CGSL MAIN 4.05 : quagga Multiple Vulnerabilities (NS-SA-2019-0101)	Nessus	NewStart CGSL Local Security Checks	high
99223	Scientific Linux Security Update : quagga on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
99073	Oracle Linux 6 : quagga (ELSA-2017-0794)	Nessus	Oracle Linux Local Security Checks	high
97961	CentOS 6 : quagga (CESA-2017:0794)	Nessus	CentOS Local Security Checks	high
97885	RHEL 6 : quagga (RHSA-2017:0794)	Nessus	Red Hat Local Security Checks	high
95010	Fedora 25 : quagga (2016-8acc6b66f1)	Nessus	Fedora Local Security Checks	high
94526	Fedora 24 : quagga (2016-cae6456f63)	Nessus	Fedora Local Security Checks	high
94524	Fedora 23 : quagga (2016-568c7ff4f6)	Nessus	Fedora Local Security Checks	high
93945	GLSA-201610-03 : Quagga: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
90348	SUSE SLES11 Security Update : quagga (SUSE-SU-2016:0946-1)	Nessus	SuSE Local Security Checks	high
90347	SUSE SLES12 Security Update : quagga (SUSE-SU-2016:0936-1)	Nessus	SuSE Local Security Checks	high
90207	Debian DSA-3532-1 : quagga - security update	Nessus	Debian Local Security Checks	high
90188	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : quagga vulnerabilities (USN-2941-1)	Nessus	Ubuntu Local Security Checks	high
90171	openSUSE Security Update : quagga (openSUSE-2016-396)	Nessus	SuSE Local Security Checks	high
90135	openSUSE Security Update : quagga (openSUSE-2016-383)	Nessus	SuSE Local Security Checks	high
89852	FreeBSD : quagga -- stack based buffer overflow vulnerability (70c44cd0-e717-11e5-85be-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high

CVE-2016-2342

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins