Alpine: multiple quagga packages: security update to 1.1.0-r0 (deprecated)

high Tenable Cloud Security Plugin ID 400941

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet
'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons
are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this
vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local
access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound,
so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate
unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by
the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing
(FRR) Protocol Suite 2017-01-10. (CVE-2017-5495)
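
The defensive counterpart to the unbounded 'vty' input buffer described above is a per-line cap enforced before any growth. The following is an added example, not Quagga or FRR code; the names `line_buf`, `line_buf_feed` and the 4096-byte `VTY_LINE_CAP` are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VTY_LINE_CAP 4096 /* assumed limit for one CLI line, not Quagga's value */

enum feed_status { FEED_MORE, FEED_LINE, FEED_TOO_LONG, FEED_NOMEM };
struct line_buf { char *data; size_t len, cap; };

/* Grow geometrically, but never beyond VTY_LINE_CAP + 1 (line plus NUL). */
static int reserve(struct line_buf *b, size_t need)
{
    if (need <= b->cap) return 0;
    size_t cap = b->cap ? b->cap : 64;
    while (cap < need) cap *= 2;
    if (cap > VTY_LINE_CAP + 1) cap = VTY_LINE_CAP + 1;
    char *p = realloc(b->data, cap);
    if (!p) return -1;
    b->data = p;
    b->cap = cap;
    return 0;
}

/* Consume bytes from one socket read; *used reports how many were taken.
 * FEED_LINE: a newline arrived, b->data holds the NUL-terminated line and
 * the caller resets b->len to 0 after handling it.
 * FEED_TOO_LONG: the cap was reached with no newline; the caller should
 * drop the session instead of allocating more. */
enum feed_status line_buf_feed(struct line_buf *b, const char *in, size_t n, size_t *used)
{
    *used = 0;
    while (*used < n) {
        char c = in[*used];
        if (c != '\n' && b->len >= VTY_LINE_CAP) return FEED_TOO_LONG;
        if (reserve(b, b->len + 1) != 0) return FEED_NOMEM;
        (*used)++;
        if (c == '\n') { b->data[b->len] = '\0'; return FEED_LINE; }
        b->data[b->len++] = c;
    }
    return FEED_MORE;
}

int main(void)
{
    struct line_buf b = {0};
    char chunk[1000]; /* constructed input: newline-free filler */
    size_t used;
    enum feed_status st = FEED_MORE;
    memset(chunk, 'A', sizeof chunk);
    while (st == FEED_MORE) st = line_buf_feed(&b, chunk, sizeof chunk, &used);
    printf("status=%d len=%zu cap=%zu\n", st, b.len, b.cap);
    free(b.data);
    return 0;
}
```

Because the check runs before `realloc`, memory held per session stays at or below `VTY_LINE_CAP + 1` bytes no matter how much newline-free input arrives.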

See Also

https://git.alpinelinux.org/aports/commit/?id=8cb97529cbd0002edfdbcd506177625ba89e80f7

https://git.alpinelinux.org/aports/commit/?id=ec34b88925091c8b60fce522f2cf672dbbef689e

Plugin Details

Severity: High

ID: 400941

Version: Revision 1.28

Type: Local

Published: 8/16/2023

Updated: 6/26/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2017-5495

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/24/2017

Vulnerability Publication Date: 1/24/2017

Reference Information

CVE: CVE-2017-5495

BID: 95745