Oracle Solaris Third-Party Patch Update : quagga (multiple_denial_of_service_vulnerabilities4)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing the patches needed to address
the following security issues :

- bgpd in Quagga before 0.99.9 allows explicitly
configured BGP peers to cause a denial of service
(crash) via a malformed (1) OPEN message or (2) a
COMMUNITY attribute, which triggers a NULL pointer
dereference. NOTE: vector 2 only exists when debugging
is enabled. (CVE-2007-4826)

- The BGP daemon (bgpd) in Quagga 0.99.11 and earlier
allows remote attackers to cause a denial of service
(crash) via an AS path containing ASN elements whose
string representation is longer than expected, which
triggers an assert error. (CVE-2009-1572)

- The extended-community parser in bgpd in Quagga before
0.99.18 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash)
via a malformed Extended Communities attribute.
(CVE-2010-1674)

- bgpd in Quagga before 0.99.18 allows remote attackers to
cause a denial of service (session reset) via a
malformed AS_PATHLIMIT path attribute. (CVE-2010-1675)

- Stack-based buffer overflow in the
bgp_route_refresh_receive function in bgp_packet.c in
bgpd in Quagga before 0.99.17 allows remote
authenticated users to cause a denial of service (daemon
crash) or possibly execute arbitrary code via a
malformed Outbound Route Filtering (ORF) record in a BGP
ROUTE-REFRESH (RR) message. (CVE-2010-2948)

- bgpd in Quagga before 0.99.17 does not properly parse AS
paths, which allows remote attackers to cause a denial
of service (NULL pointer dereference and daemon crash)
via an unknown AS type in an AS path attribute in a BGP
UPDATE message. (CVE-2010-2949)

- The OSPFv3 implementation in ospf6d in Quagga before
0.99.19 allows remote attackers to cause a denial of
service (out-of-bounds memory access and daemon crash)
via a Link State Update message with an invalid IPv6
prefix length. (CVE-2011-3323)

- The ospf6_lsa_is_changed function in ospf6_lsa.c in the
OSPFv3 implementation in ospf6d in Quagga before 0.99.19
allows remote attackers to cause a denial of service
(assertion failure and daemon exit) via trailing zero
values in the Link State Advertisement (LSA) header list
of an IPv6 Database Description message. (CVE-2011-3324)

- ospf_packet.c in ospfd in Quagga before 0.99.19 allows
remote attackers to cause a denial of service (daemon
crash) via (1) a 0x0a type field in an IPv4 packet
header or (2) a truncated IPv4 Hello packet.
(CVE-2011-3325)

- The ospf_flood function in ospf_flood.c in ospfd in
Quagga before 0.99.19 allows remote attackers to cause a
denial of service (daemon crash) via an invalid Link
State Advertisement (LSA) type in an IPv4 Link State
Update message. (CVE-2011-3326)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?5437d247
http://www.nessus.org/u?2e395ea1

Solution :

Upgrade to Solaris 11/11 SRU 4.

Risk factor :

Medium / CVSS Base Score : 6.5
(CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

Family: Solaris Local Security Checks

Nessus Plugin ID: 80751

Bugtraq ID:

CVE ID: CVE-2007-4826
CVE-2009-1572
CVE-2010-1674
CVE-2010-1675
CVE-2010-2948
CVE-2010-2949
CVE-2011-3323
CVE-2011-3324
CVE-2011-3325
CVE-2011-3326
