7.5 - VU#668534

Executive Summary

Summary
Title	Multiple Quagga remote component vulnerabilities

Informations
Name	VU#668534	First vendor Publication	2011-09-26
Vendor	VU-CERT	Last vendor Modification	2011-09-26
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#668534

Multiple Quagga remote component vulnerabilities

Overview

Quagga contains five remote component vulnerabilities due to issues when handling BGP, OSPF, and OSPFv3 packets.

I. Description

CERT-FI reports:

Quagga is an open source routing software that can handle various routing protocols such as RIP, BGP and OSPF. Five vulnerabilities have been found in the BGP, OSPF and OSPFv3 components of Quagga. The vulnerabilities allow an attacker to cause a denial of service or potentially to execute his own code by sending a specially modified packets to an affected server. Routing messages are typically accepted from the routing peers. Exploiting these vulnerabilities may require an established routing session (BGP peering or OSPF/OSPFv3 adjacency) to the router.

The vulnerability CVE-2011-3327 is related to the extended communities handling in BGP messages. Receiving a malformed BGP update can result in a buffer overflow and disruption of IPv4 routing.

The vulnerability CVE-2011-3326 results from the handling of LSA (Link State Advertisement) states in the OSPF service. Receiving a modified Link State Update message with malicious state information can result in denial of service in IPv4 routing.

The vulnerability CVE-2011-3325 is a denial of service vulnerability related to Hello message handling by the OSPF service. As Hello messages are used to initiate adjacencies, exploiting the vulnerability may be feasible from the same broadcast domain without an established adjacency. A malformed packet may result in denial of service in IPv4 routing.

The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving modified Database Description and Link State Update messages, respectively, can result in denial of service in IPv6 routing.

II. Impact

An attacker could exploit these vulnerabilities to cause a denial-of-service crash or may execute arbitrary code on the affected server with the permissions of the Quagga software.

III. Solution

CERT-FI recommends :

Install either the latest version of Quagga (http://www.quagga.net/) or a fixed version of the software provided by your operating system or application vendor.

The vulnerabilities can be remediated by restricting network access to the routing daemon. Exploiting four of the vulnerabilities require established routing sessions or adjacencies.

Vendor Information

Quagga before version 0.99.19

Vendor	Status	Date Notified	Date Updated
Apple Inc.	Unknown	2011-09-14	2011-09-14
Conectiva Inc.	Unknown	2011-09-14	2011-09-14
Cray Inc.	Unknown	2011-09-14	2011-09-14
Debian GNU/Linux	Unknown	2011-09-14	2011-09-14
DragonFly BSD Project	Unknown	2011-09-14	2011-09-14
EMC Corporation	Unknown	2011-09-14	2011-09-14
Engarde Secure Linux	Unknown	2011-09-14	2011-09-14
F5 Networks, Inc.	Unknown	2011-09-14	2011-09-14
Fedora Project	Unknown	2011-09-14	2011-09-14
FreeBSD Project	Unknown	2011-09-14	2011-09-14
Fujitsu	Unknown	2011-09-14	2011-09-14
Gentoo Linux	Unknown	2011-09-14	2011-09-14
Google	Unknown	2011-09-14	2011-09-14
Hewlett-Packard Company	Unknown	2011-09-14	2011-09-14
Hitachi	Unknown	2011-09-14	2011-09-14
IBM Corporation	Unknown	2011-09-14	2011-09-14
IBM Corporation (zseries)	Unknown	2011-09-14	2011-09-14
IBM eServer	Unknown	2011-09-14	2011-09-14
Infoblox	Unknown	2011-09-14	2011-09-14
Juniper Networks, Inc.	Unknown	2011-09-14	2011-09-14
Mandriva S. A.	Unknown	2011-09-14	2011-09-14
Microsoft Corporation	Unknown	2011-09-14	2011-09-14
NEC Corporation	Unknown	2011-09-14	2011-09-14
NetBSD	Unknown	2011-09-14	2011-09-14
Nokia	Unknown	2011-09-14	2011-09-14
Novell, Inc.	Unknown	2011-09-14	2011-09-14
OpenBSD	Unknown	2011-09-14	2011-09-14
Openwall GNU/*/Linux	Not Affected	2011-09-14	2011-09-16
Oracle Corporation	Unknown	2011-09-14	2011-09-14
QNX Software Systems Inc.	Unknown	2011-09-14	2011-09-14
Red Hat, Inc.	Affected	2011-09-14	2011-09-26
SafeNet	Unknown	2011-09-14	2011-09-14
Silicon Graphics, Inc.	Unknown	2011-09-14	2011-09-14
Slackware Linux Inc.	Unknown	2011-09-14	2011-09-14
Sony Corporation	Unknown	2011-09-14	2011-09-14
Sun Microsystems, Inc.	Unknown	2011-09-14	2011-09-14
SUSE Linux	Unknown	2011-09-14	2011-09-14
The SCO Group	Unknown	2011-09-14	2011-09-14
Turbolinux	Unknown	2011-09-14	2011-09-14
Ubuntu	Unknown	2011-09-16	2011-09-16
Unisys	Unknown	2011-09-14	2011-09-14
Wind River Systems, Inc.	Not Affected	2011-09-14	2011-09-22

References

https://www.cert.fi/en/reports/2011/vulnerability539178.html

Credit

Thanks to Riku Hietamäki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project for reporting this vulnerability to CERT-FI.

This document was written by Michael Orlando.

Other Information

Date Public:	2011-09-26
Date First Published:	2011-09-26
Date Last Updated:	2011-09-26
CERT Advisory:
CVE-ID(s):	CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327
NVD-ID(s):	CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327
US-CERT Technical Alerts:
Severity Metric:	15.69
Document Revision:	9

Original Source

Url : http://www.kb.cert.org/vuls/id/668534

CWE : Common Weakness Enumeration

%	Id	Name
60 %	CWE-399	Resource Management Errors
40 %	CWE-119	Failure to Constrain Operations within the Bounds of a Memory Buffer

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:15155

Oval ID:	oval:org.mitre.oval:def:15155
Title:	DSA-2316-1 quagga -- several
Description:	Riku Hietamaki, Tuomo Untinen and Jukka Taimisto discovered several vulnerabilities in Quagga, an Internet routing daemon: CVE-2011-3323 A stack-based buffer overflow while decoding Link State Update packets with a malformed Inter Area Prefix LSA can cause the ospf6d process to crash or execute arbitrary code. CVE-2011-3324 The ospf6d process can crash while processing a Database Description packet with a crafted Link-State-Advertisement. CVE-2011-3325 The ospfd process can crash while processing a crafted Hello packet. CVE-2011-3326 The ospfd process crashes while processing Link-State-Advertisements of a type not known to Quagga. CVE-2011-3327 A heap-based buffer overflow while processing BGP UPDATE messages containing an Extended Communities path attribute can cause the bgpd process to crash or execute arbitrary code. The OSPF-related vulnerabilities require that potential attackers send packets to a vulnerable Quagga router; the packets are not distributed over OSPF. In contrast, the BGP UPDATE messages could be propagated by some routers.
Family:	unix	Class:	patch
Reference(s):	DSA-2316-1 CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327	Version:	5
Platform(s):	Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0	Product(s):	quagga
Definition Synopsis:
Release section Debian GNU/Linux 5.0 is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.10-1lenny6 OR Release section Debian 6.0 is installed AND GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.17-2+squeeze3

Definition Id: oval:org.mitre.oval:def:15222

Oval ID:	oval:org.mitre.oval:def:15222
Title:	USN-1261-1 -- Quagga vulnerabilities
Description:	quagga: BGP/OSPF/RIP routing daemon Quagga could be made to crash or run programs if it received specially crafted network traffic.
Family:	unix	Class:	patch
Reference(s):	USN-1261-1 CVE-2011-3323 CVE-2011-3324 CVE-2011-3325 CVE-2011-3326 CVE-2011-3327	Version:	5
Platform(s):	Ubuntu 11.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 10.10	Product(s):	Quagga
Definition Synopsis:
Release section Ubuntu 11.04 is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.17-4ubuntu1.1 OR Release section Ubuntu 11.10 is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.18-2ubuntu0.1 OR Release section Ubuntu 10.04 is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.15-1ubuntu0.3 OR Release section Ubuntu 10.10 is installed AND Installed architecture is all AND quagga DPKG is earlier than 0.99.17-1ubuntu0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Quagga cpe:2.3:a:quagga:quagga:0.99.9:::::::* cpe:2.3:a:quagga:quagga:0.99.8:::::::* cpe:2.3:a:quagga:quagga:0.99.7:::::::* cpe:2.3:a:quagga:quagga:0.99.6:::::::* cpe:2.3:a:quagga:quagga:0.99.5:::::::* cpe:2.3:a:quagga:quagga:0.99.4:::::::* cpe:2.3:a:quagga:quagga:0.99.3:::::::* cpe:2.3:a:quagga:quagga:0.99.2:::::::* cpe:2.3:a:quagga:quagga:0.99.18:::::::* cpe:2.3:a:quagga:quagga:0.99.17:::::::* cpe:2.3:a:quagga:quagga:0.99.16:::::::* cpe:2.3:a:quagga:quagga:0.99.15:::::::* cpe:2.3:a:quagga:quagga:0.99.14:::::::* cpe:2.3:a:quagga:quagga:0.99.13:::::::* cpe:2.3:a:quagga:quagga:0.99.12:::::::* cpe:2.3:a:quagga:quagga:0.99.11:::::::* cpe:2.3:a:quagga:quagga:0.99.10:::::::* cpe:2.3:a:quagga:quagga:0.99.1:::::::* cpe:2.3:a:quagga:quagga:0.98.6:::::::* cpe:2.3:a:quagga:quagga:0.98.5:::::::* cpe:2.3:a:quagga:quagga:0.98.4:::::::* cpe:2.3:a:quagga:quagga:0.98.3:::::::* cpe:2.3:a:quagga:quagga:0.98.2:::::::* cpe:2.3:a:quagga:quagga:0.98.1:::::::* cpe:2.3:a:quagga:quagga:0.98.0:::::::* cpe:2.3:a:quagga:quagga:0.97.5:::::::* cpe:2.3:a:quagga:quagga:0.97.4:::::::* cpe:2.3:a:quagga:quagga:0.97.3:::::::* cpe:2.3:a:quagga:quagga:0.97.2:::::::* cpe:2.3:a:quagga:quagga:0.97.1:::::::* cpe:2.3:a:quagga:quagga:0.97.0:::::::* cpe:2.3:a:quagga:quagga:0.96.5:::::::* cpe:2.3:a:quagga:quagga:0.96.4:::::::* cpe:2.3:a:quagga:quagga:0.96.3:::::::* cpe:2.3:a:quagga:quagga:0.96.2:::::::* cpe:2.3:a:quagga:quagga:0.96.1:::::::* cpe:2.3:a:quagga:quagga:0.96:::::::* cpe:2.3:a:quagga:quagga:0.95:::::::* cpe:2.3:a:quagga:quagga:-:::::::*	39

OpenVAS Exploits

Date	Description
2012-09-17	Name : CentOS Update for quagga CESA-2012:1258 centos5 File : nvt/gb_CESA-2012_1258_quagga_centos5.nasl
2012-09-17	Name : CentOS Update for quagga CESA-2012:1259 centos6 File : nvt/gb_CESA-2012_1259_quagga_centos6.nasl
2012-09-17	Name : RedHat Update for quagga RHSA-2012:1258-01 File : nvt/gb_RHSA-2012_1258-01_quagga.nasl
2012-09-17	Name : RedHat Update for quagga RHSA-2012:1259-01 File : nvt/gb_RHSA-2012_1259-01_quagga.nasl
2012-06-22	Name : Fedora Update for quagga FEDORA-2012-9117 File : nvt/gb_fedora_2012_9117_quagga_fc15.nasl
2012-04-23	Name : Fedora Update for quagga FEDORA-2012-5436 File : nvt/gb_fedora_2012_5436_quagga_fc15.nasl
2012-03-19	Name : Fedora Update for quagga FEDORA-2011-13492 File : nvt/gb_fedora_2011_13492_quagga_fc16.nasl
2012-03-12	Name : Gentoo Security Advisory GLSA 201202-02 (Quagga) File : nvt/glsa_201202_02.nasl
2011-11-18	Name : Ubuntu Update for quagga USN-1261-1 File : nvt/gb_ubuntu_USN_1261_1.nasl
2011-10-21	Name : Fedora Update for quagga FEDORA-2011-13499 File : nvt/gb_fedora_2011_13499_quagga_fc14.nasl
2011-10-21	Name : Fedora Update for quagga FEDORA-2011-13504 File : nvt/gb_fedora_2011_13504_quagga_fc15.nasl
2011-10-16	Name : Debian Security Advisory DSA 2316-1 (quagga) File : nvt/deb_2316_1.nasl
2011-10-16	Name : FreeBSD Ports: quagga File : nvt/freebsd_quagga2.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
75732	Quagga bgpd IPv4 AS_PATH UPDATE Message Parsing Overflow
75731	Quagga ospfd Link State Advertisement (LSA) Link State Update Message Parsing...
75730	Quagga ospfd Hello Message Parsing Remote IPv4 DoS
75729	Quagga ospf6d Database Description Message Parsing Remote IPv6 DoS
75728	Quagga ospf6d Linkstate Message Parsing Remote IPv6 DoS

Nessus® Vulnerability Scanner

Date	Description
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_quagga_20120404.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_4_quagga-111013.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_quagga-111013.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-1258.nasl - Type : ACT_GATHER_INFO
2012-09-14	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2012-09-14	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120912_quagga_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-09-14	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120912_quagga_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-13	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1258.nasl - Type : ACT_GATHER_INFO
2012-09-13	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2012-09-13	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-1258.nasl - Type : ACT_GATHER_INFO
2012-06-29	Name : The remote service may be affected by multiple vulnerabilities. File : quagga_0_99_19.nasl - Type : ACT_GATHER_INFO
2012-02-22	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201202-02.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 11 host is missing a security update. File : suse_11_quagga-110920.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 11 host is missing a security update. File : suse_11_quagga-110921.nasl - Type : ACT_GATHER_INFO
2011-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_quagga-7768.nasl - Type : ACT_GATHER_INFO
2011-11-16	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1261-1.nasl - Type : ACT_GATHER_INFO
2011-10-24	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_quagga-7767.nasl - Type : ACT_GATHER_INFO
2011-10-19	Name : The remote Fedora host is missing a security update. File : fedora_2011-13504.nasl - Type : ACT_GATHER_INFO
2011-10-19	Name : The remote Fedora host is missing a security update. File : fedora_2011-13499.nasl - Type : ACT_GATHER_INFO
2011-10-19	Name : The remote Fedora host is missing a security update. File : fedora_2011-13492.nasl - Type : ACT_GATHER_INFO
2011-10-06	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_ab9be2c8ef9111e0ad5a00215c6a37bb.nasl - Type : ACT_GATHER_INFO
2011-10-06	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2316.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 12:08:05	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	5
Oval ID(s)	2
CPE ID(s)	39
osvdb(s)	5
Openvas Exploit(s)	13
Nessus® Exploit(s)	23

	Related
7.5	CVE-2011-3327
5	CVE-2011-3326
5	CVE-2011-3325
5	CVE-2011-3324
5	CVE-2011-3323
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)