All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of
service.
Scope of vulnerability:
-----------------------
All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to
hostile parties.
Impact:
-------
Affected daemons can be made to crash by sending a malformed telnet
command.
Description:
------------
The vty layer, when processing the telnet sub-negotiation ends
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.
Workaround:
-----------
Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.
Alternatively, disable external vty access completely by removing the
vty password (and restarting) or passing the '-P 0' parameters to the
daemon.
Solution:
-----------
Quagga version 0.96.4 contains a fix for this bug. Alternatively, one
can manually apply the fix to whichever sources one uses currently.
(See the RedHat bugzilla entry referenced below for the fix).
Credits:
--------
Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for
fixing the bug.
The RedHat Advisory references a second vulnerability in GNU Zebra
and Quagga, regarding the zebra daemon accepting netlink messages
from any user. This vulnerability will be dealt with as soon as
possible.
regards,
--
Paul Jakma paul (at) clubi (dot) ie [email concealed] paul (at) jakma (dot) org [email concealed] Key ID: 64A2FF6A
warning: do not ever send email to spam (at) dishone (dot) st [email concealed]
Fortune:
Factorials were someone's attempt to make math LOOK exciting.
--------
All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of
service.
Scope of vulnerability:
-----------------------
All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to
hostile parties.
Impact:
-------
Affected daemons can be made to crash by sending a malformed telnet
command.
Description:
------------
The vty layer, when processing the telnet sub-negotiation ends
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.
Workaround:
-----------
Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.
Alternatively, disable external vty access completely by removing the
vty password (and restarting) or passing the '-P 0' parameters to the
daemon.
Solution:
-----------
Quagga version 0.96.4 contains a fix for this bug. Alternatively, one
can manually apply the fix to whichever sources one uses currently.
(See the RedHat bugzilla entry referenced below for the fix).
Credits:
--------
Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for
fixing the bug.
References:
----------
RedHat Advisory RHSA-2003:307-09,
http://rhn.redhat.com/errata/RHSA-2003-307.html
RedHat Bugzilla entry 107140,
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140
CAN-2003-0795
Footnote:
---------
The RedHat Advisory references a second vulnerability in GNU Zebra
and Quagga, regarding the zebra daemon accepting netlink messages
from any user. This vulnerability will be dealt with as soon as
possible.
regards,
--
Paul Jakma paul (at) clubi (dot) ie [email concealed] paul (at) jakma (dot) org [email concealed] Key ID: 64A2FF6A
warning: do not ever send email to spam (at) dishone (dot) st [email concealed]
Fortune:
Factorials were someone's attempt to make math LOOK exciting.
[ reply ]