Описание
Security update for quagga
This update for quagga fixes the following security issues:
-
The Quagga BGP daemon contained a bug in the AS_PATH size calculation that could have been exploited to facilitate a remote denial-of-service attack via specially crafted BGP UPDATE messages. [CVE-2017-16227, bsc#1065641]
-
The Quagga BGP daemon did not check whether data sent to peers via NOTIFY had an invalid attribute length. It was possible to exploit this issue and cause the bgpd process to leak sensitive information over the network to a configured peer. [CVE-2018-5378, bsc#1079798]
-
The Quagga BGP daemon used to double-free memory when processing certain forms of UPDATE messages. This issue could be exploited by sending an optional/transitive UPDATE attribute that all conforming eBGP speakers should pass along. Consequently, a single UPDATE message could have affected many bgpd processes across a wide area of a network. Through this vulnerability, attackers could potentially have taken over control of affected bgpd processes remotely. [CVE-2018-5379, bsc#1079799]
-
It was possible to overrun internal BGP code-to-string conversion tables in the Quagga BGP daemon. Configured peers could have exploited this issue and cause bgpd to emit debug and warning messages into the logs that would contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]
-
The Quagga BGP daemon could have entered an infinite loop if sent an invalid OPEN message by a configured peer. If this issue was exploited, then bgpd would cease to respond to any other events. BGP sessions would have been dropped and not be reestablished. The CLI interface would have been unresponsive. The bgpd daemon would have stayed in this state until restarted. [CVE-2018-5381, bsc#1079801]
-
The Quagga daemon's telnet 'vty' CLI contains an unbounded memory allocation bug that could be exploited for a denial-of-service attack on the daemon. This issue has been fixed. [CVE-2017-5495, bsc#1021669]
-
The telnet 'vty' CLI of the Quagga daemon is no longer enabled by default, because the passwords in the default 'zebra.conf' config file are now disabled. The vty interface is available via 'vtysh' utility using pam authentication to permit management access for root without password. [bsc#1021669]
Список пакетов
SUSE Linux Enterprise Server 12 SP1-LTSS
SUSE Linux Enterprise Server 12-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP1
SUSE OpenStack Cloud 6
Ссылки
- Link for SUSE-SU-2018:0455-1
- E-Mail link for SUSE-SU-2018:0455-1
- SUSE Security Ratings
- SUSE Bug 1021669
- SUSE Bug 1065641
- SUSE Bug 1079798
- SUSE Bug 1079799
- SUSE Bug 1079800
- SUSE Bug 1079801
- SUSE CVE CVE-2017-16227 page
- SUSE CVE CVE-2017-5495 page
- SUSE CVE CVE-2018-5378 page
- SUSE CVE CVE-2018-5379 page
- SUSE CVE CVE-2018-5380 page
- SUSE CVE CVE-2018-5381 page
Описание
The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.
Затронутые продукты
Ссылки
- CVE-2017-16227
- SUSE Bug 1065641
Описание
All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound, so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing (FRR) Protocol Suite 2017-01-10.
Затронутые продукты
Ссылки
- CVE-2017-5495
- SUSE Bug 1021669
Описание
The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
Затронутые продукты
Ссылки
- CVE-2018-5378
- SUSE Bug 1079798
Описание
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
Затронутые продукты
Ссылки
- CVE-2018-5379
- SUSE Bug 1079799
Описание
The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.
Затронутые продукты
Ссылки
- CVE-2018-5380
- SUSE Bug 1079800
Описание
The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
Затронутые продукты
Ссылки
- CVE-2018-5381
- SUSE Bug 1079801