Quagga < 0.99.22.2 OSPF API Buffer Overflow

low Nessus Plugin ID 70761

Synopsis

The remote service may be affected by a buffer overflow vulnerability.

Description

According to its self-reported version number, the installation of Quagga listening on the remote host is potentially affected by a stack-based buffer overflow that occurs in the OSPF API server ('ospf_api.c') when it receives an LSA larger than 1488 bytes.

The vulnerability is only present when Quagga is compiled with the '--enable-opaque-lsa' flag and the OSPF API server is running (ospfd is run with the '-a' parameter). Exploitation of this issue may lead to a denial of service or arbitrary code execution.

Solution

Upgrade to version 0.99.22.2 or later.

See Also

https://lists.quagga.net/pipermail/quagga-dev/2013-July/010622.html

http://www.nessus.org/u?9cfd7251

http://nongnu.askapache.com//quagga/quagga-0.99.22.3.changelog.txt

Plugin Details

Severity: Low

ID: 70761

File Name: quagga_0_99_22_2.nasl

Version: 1.6

Type: remote

Family: Misc.

Published: 11/5/2013

Updated: 11/27/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2013-2236

Vulnerability Information

CPE: cpe:/a:quagga:quagga

Required KB Items: Settings/ParanoidReport, Quagga/Installed

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2013

Vulnerability Publication Date: 7/2/2013

Reference Information

CVE: CVE-2013-2236

BID: 60955