The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host has been identified as a RuggedCom server prior to v2.13.0, and is therefore affected by multiple vulnerabilities in the included Quagga package :

 - The Quagga BGP daemon used to double-free memory when processing certain forms of UPDATE messages. This issue could be exploited by sending an optional/transitive UPDATE attribute that all conforming eBGP speakers should pass along. Consequently, a single UPDATE message could have affected many bgpd processes across a wide area of a network. Through this vulnerability, attackers could potentially have taken over control of affected bgpd processes remotely. (CVE-2018-5379)
 - It was possible to overrun internal BGP code-to-string conversion tables in the Quagga BGP daemon. Configured peers could have exploited this issue and cause bgpd to emit debug and warning messages into the logs that would contained arbitrary bytes. (CVE-2018-5380)
 - The Quagga BGP daemon could have entered an infinite loop if sent an invalid OPEN message by a configured peer. If this issue was exploited, then bgpd would cease to respond to any other events. BGP sessions would have been dropped and not be reestablished. The CLI interface would have been unresponsive. The bgpd daemon would have stayed in this state until restarted. (CVE-2018-5381)

The remote host is affected by the vulnerability described in GLSA-201804-17 (Quagga: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Quagga. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker, by sending specially crafted packets, could execute       arbitrary code or cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Fixed CVE-2018-5379 - Double free vulnerability in bgpd when processing

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Infinite loop issue triggered by invalid OPEN message allows denial-of-service

An infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.(CVE-2018-5381)

Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code

A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.(CVE-2018-5379)

bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash

A vulnerability was found in Quagga, in the log formatting code.
Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.(CVE-2018-5380)

This update for quagga fixes the following issues :

  - CVE-2017-16227: Fixed bgpd DoS via specially crafted BGP     UPDATE messages (boo#1065641)

  - CVE-2018-5378: Fixed bgpd bounds check issue via     attribute length (Quagga-2018-0543,boo#1079798)

  - CVE-2018-5379: Fixed bgpd double free when processing     UPDATE message (Quagga-2018-1114,boo#1079799)

  - CVE-2018-5380: Fixed bgpd code-to-string conversion     tables overrun (Quagga-2018-1550,boo#1079800)

  - CVE-2018-5381: Fixed bgpd infinite loop on certain     invalid OPEN messages (Quagga-2018-1975,boo#1079801)

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues :

CVE-2018-5378

It was discovered that the Quagga BGP daemon, bgpd, does not properly bounds check data sent with a NOTIFY to a peer, if an attribute length is invalid. A configured BGP peer can take advantage of this bug to read memory from the bgpd process or cause a denial of service (daemon crash).

https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379

It was discovered that the Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes, resulting in a denial of service (bgpd daemon crash).

https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380

It was discovered that the Quagga BGP daemon, bgpd, does not properly handle internal BGP code-to-string conversion tables.

https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381

It was discovered that the Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer. A configured peer can take advantage of this flaw to cause a denial of service (bgpd daemon not responding to any other events; BGP sessions will drop and not be reestablished; unresponsive CLI interface).

https://www.quagga.net/security/Quagga-2018-1975.txt

For Debian 7 'Wheezy', these problems have been fixed in version 0.99.22.4-1+wheezy3+deb7u3.

We recommend that you upgrade your quagga packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a double-free vulnerability existed in the Quagga BGP daemon when processing certain forms of UPDATE message. A remote attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-5379)

It was discovered that the Quagga BGP daemon did not properly bounds check the data sent with a NOTIFY to a peer. An attacker could use this to expose sensitive information or possibly cause a denial of service. This issue only affected Ubuntu 17.10. (CVE-2018-5378)

It was discovered that a table overrun vulnerability existed in the Quagga BGP daemon. An attacker in control of a configured peer could use this to possibly expose sensitive information or possibly cause a denial of service. (CVE-2018-5380)

It was discovered that the Quagga BGP daemon in some configurations did not properly handle invalid OPEN messages. An attacker in control of a configured peer could use this to cause a denial of service (infinite loop). (CVE-2018-5381).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for quagga fixes the following issues :

  - The Quagga BGP daemon contained a bug in the AS_PATH     size calculation that could have been exploited to     facilitate a remote denial-of-service attack via     specially crafted BGP UPDATE messages. [CVE-2017-16227,     bsc#1065641]

  - The Quagga BGP daemon did not check whether data sent to     peers via NOTIFY had an invalid attribute length. It was     possible to exploit this issue and cause the bgpd     process to leak sensitive information over the network     to a configured peer. [CVE-2018-5378, bsc#1079798]

  - The Quagga BGP daemon used to double-free memory when     processing certain forms of UPDATE messages. This issue     could be exploited by sending an optional/transitive     UPDATE attribute that all conforming eBGP speakers     should pass along. Consequently, a single UPDATE message     could have affected many bgpd processes across a wide     area of a network. Through this vulnerability, attackers     could potentially have taken over control of affected     bgpd processes remotely. [CVE-2018-5379, bsc#1079799]

  - It was possible to overrun internal BGP code-to-string     conversion tables in the Quagga BGP daemon. Configured     peers could have exploited this issue and cause bgpd to     emit debug and warning messages into the logs that would     contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]

  - The Quagga BGP daemon could have entered an infinite     loop if sent an invalid OPEN message by a configured     peer. If this issue was exploited, then bgpd would cease     to respond to any other events. BGP sessions would have     been dropped and not be reestablished. The CLI interface     would have been unresponsive. The bgpd daemon would have     stayed in this state until restarted. [CVE-2018-5381,     bsc#1079801]

  - The Quagga daemon's telnet 'vty' CLI contains an     unbounded memory allocation bug that could be exploited     for a denial-of-service attack on the daemon. This issue     has been fixed. [CVE-2017-5495, bsc#1021669]

  - The telnet 'vty' CLI of the Quagga daemon is no longer     enabled by default, because the passwords in the default     'zebra.conf' config file are now disabled. The vty     interface is available via 'vtysh' utility using pam     authentication to permit management access for root     without password. [bsc#1021669]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for quagga fixes the security following issues :

  - The Quagga BGP daemon contained a bug in the AS_PATH     size calculation that could have been exploited to     facilitate a remote denial-of-service attack via     specially crafted BGP UPDATE messages. [CVE-2017-16227,     bsc#1065641]

  - The Quagga BGP daemon did not check whether data sent to     peers via NOTIFY had an invalid attribute length. It was     possible to exploit this issue and cause the bgpd     process to leak sensitive information over the network     to a configured peer. [CVE-2018-5378, bsc#1079798]

  - The Quagga BGP daemon used to double-free memory when     processing certain forms of UPDATE messages. This issue     could be exploited by sending an optional/transitive     UPDATE attribute that all conforming eBGP speakers     should pass along. Consequently, a single UPDATE message     could have affected many bgpd processes across a wide     area of a network. Through this vulnerability, attackers     could potentially have taken over control of affected     bgpd processes remotely. [CVE-2018-5379, bsc#1079799]

  - It was possible to overrun internal BGP code-to-string     conversion tables in the Quagga BGP daemon. Configured     peers could have exploited this issue and cause bgpd to     emit debug and warning messages into the logs that would     contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]

  - The Quagga BGP daemon could have entered an infinite     loop if sent an invalid OPEN message by a configured     peer. If this issue was exploited, then bgpd would cease     to respond to any other events. BGP sessions would have     been dropped and not be reestablished. The CLI interface     would have been unresponsive. The bgpd daemon would have     stayed in this state until restarted. [CVE-2018-5381,     bsc#1079801]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for quagga fixes the following security issues :

  - The Quagga BGP daemon contained a bug in the AS_PATH     size calculation that could have been exploited to     facilitate a remote denial-of-service attack via     specially crafted BGP UPDATE messages. [CVE-2017-16227,     bsc#1065641]

  - The Quagga BGP daemon did not check whether data sent to     peers via NOTIFY had an invalid attribute length. It was     possible to exploit this issue and cause the bgpd     process to leak sensitive information over the network     to a configured peer. [CVE-2018-5378, bsc#1079798]

  - The Quagga BGP daemon used to double-free memory when     processing certain forms of UPDATE messages. This issue     could be exploited by sending an optional/transitive     UPDATE attribute that all conforming eBGP speakers     should pass along. Consequently, a single UPDATE message     could have affected many bgpd processes across a wide     area of a network. Through this vulnerability, attackers     could potentially have taken over control of affected     bgpd processes remotely. [CVE-2018-5379, bsc#1079799]

  - It was possible to overrun internal BGP code-to-string     conversion tables in the Quagga BGP daemon. Configured     peers could have exploited this issue and cause bgpd to     emit debug and warning messages into the logs that would     contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]

  - The Quagga BGP daemon could have entered an infinite     loop if sent an invalid OPEN message by a configured     peer. If this issue was exploited, then bgpd would cease     to respond to any other events. BGP sessions would have     been dropped and not be reestablished. The CLI interface     would have been unresponsive. The bgpd daemon would have     stayed in this state until restarted. [CVE-2018-5381,     bsc#1079801]

  - The Quagga daemon's telnet 'vty' CLI contains an     unbounded memory allocation bug that could be exploited     for a denial-of-service attack on the daemon. This issue     has been fixed. [CVE-2017-5495, bsc#1021669]

  - The telnet 'vty' CLI of the Quagga daemon is no longer     enabled by default, because the passwords in the default     'zebra.conf' config file are now disabled. The vty     interface is available via 'vtysh' utility using pam     authentication to permit management access for root     without password. [bsc#1021669]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Quagga reports :

The Quagga BGP daemon, bgpd, does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid.
Arbitrary data from the bgpd process may be sent over the network to a peer and/or it may crash.

The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.

The Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid OPEN message by a configured peer.

Several vulnerabilities have been discovered in Quagga, a routing daemon. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2018-5378     It was discovered that the Quagga BGP daemon, bgpd, does     not properly bounds check data sent with a NOTIFY to a     peer, if an attribute length is invalid. A configured     BGP peer can take advantage of this bug to read memory     from the bgpd process or cause a denial of service     (daemon crash).

  https://www.quagga.net/security/Quagga-2018-0543.txt

  - CVE-2018-5379     It was discovered that the Quagga BGP daemon, bgpd, can     double-free memory when processing certain forms of     UPDATE message, containing cluster-list and/or unknown     attributes, resulting in a denial of service (bgpd     daemon crash).

  https://www.quagga.net/security/Quagga-2018-1114.txt

  - CVE-2018-5380     It was discovered that the Quagga BGP daemon, bgpd, does     not properly handle internal BGP code-to-string     conversion tables.

  https://www.quagga.net/security/Quagga-2018-1550.txt

  - CVE-2018-5381     It was discovered that the Quagga BGP daemon, bgpd, can     enter an infinite loop if sent an invalid OPEN message     by a configured peer. A configured peer can take     advantage of this flaw to cause a denial of service     (bgpd daemon not responding to any other events; BGP     sessions will drop and not be reestablished;
    unresponsive CLI interface).

  https://www.quagga.net/security/Quagga-2018-1975.txt

ID	Name	Product	Family	Severity
132192	EulerOS 2.0 SP3 : quagga (EulerOS-SA-2019-2657)	Nessus	Huawei Local Security Checks	critical
131900	EulerOS 2.0 SP2 : quagga (EulerOS-SA-2019-2408)	Nessus	Huawei Local Security Checks	critical
130690	EulerOS 2.0 SP5 : quagga (EulerOS-SA-2019-2228)	Nessus	Huawei Local Security Checks	critical
700524	Siemens RuggedCom Server < v2.13.0 Multiple Vulnerabilities	Nessus Network Monitor	SCADA	critical
109231	GLSA-201804-17 : Quagga: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
107174	Fedora 26 : quagga (2018-b3e985489b)	Nessus	Fedora Local Security Checks	critical
107171	Fedora 27 : quagga (2018-9cd3ff3784)	Nessus	Fedora Local Security Checks	critical
106934	Amazon Linux AMI : quagga (ALAS-2018-957)	Nessus	Amazon Linux Local Security Checks	critical
106895	openSUSE Security Update : quagga (openSUSE-2018-177)	Nessus	SuSE Local Security Checks	critical
106873	Debian DLA-1286-1 : quagga security update	Nessus	Debian Local Security Checks	critical
106869	Ubuntu 14.04 LTS / 16.04 LTS : Quagga vulnerabilities (USN-3573-1)	Nessus	Ubuntu Local Security Checks	critical
106868	SUSE SLES11 Security Update : quagga (SUSE-SU-2018:0457-1)	Nessus	SuSE Local Security Checks	critical
106867	SUSE SLES12 Security Update : quagga (SUSE-SU-2018:0456-1)	Nessus	SuSE Local Security Checks	critical
106866	SUSE SLES12 Security Update : quagga (SUSE-SU-2018:0455-1)	Nessus	SuSE Local Security Checks	critical
106859	FreeBSD : quagga -- several security issues (e15a22ce-f16f-446b-9ca7-6859350c2e75)	Nessus	FreeBSD Local Security Checks	critical
106854	Debian DSA-4115-1 : quagga - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2018-5381

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical