Executive Summary

Summary
Title Quagga BGP OPEN denial of service vulnerability
Information
Name: VU#962587
First vendor publication: 2012-06-04
Vendor: VU-CERT
Last vendor modification: 2012-06-11
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A    Environmental score: N/A
Impact subscore: N/A    Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:A/AC:M/Au:N/C:N/I:N/A:P)
CVSS base score: 2.9    Attack range: Adjacent network
CVSS impact score: 2.9    Attack complexity: Medium
CVSS exploit score: 5.5    Authentication: None required

Detail

Vulnerability Note VU#962587

Quagga BGP OPEN denial of service vulnerability

Original Release date: 04 Jun 2012 | Last revised: 11 Jun 2012

Overview

Quagga, a routing software suite, contains a BGP OPEN vulnerability that results in a denial-of-service condition.

Description

CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.

Program Impacted: bgpd: fix DoS in bgp_capability_orf()

Description:

If a pre-configured BGP peer sends a specially crafted OPEN message with a malformed ORF capability TLV, the Quagga bgpd process erroneously tries to consume extra bytes from the input packet buffer. The process detects the buffer overrun attempt before it happens and immediately terminates with an error message. All BGP sessions established by the attacked router are closed and its BGP routing is disrupted.

An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. The function bgp_capability_orf(), which parses the ORF capability TLV, uses a do-while loop to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and is repeated as long as the input buffer has enough data for the next call.

The helper function, bgp_capability_orf_entry(), uses the "Number of ORFs" field of the supplied AFI/SAFI block to verify that the block fits within the input buffer. However, the check is made against the total length of the ORF TLV, regardless of the data already consumed by previous helper-function call(s). As a result, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV.

For subsequent calls of the helper function, if any are made, the check may erroneously indicate that the current "Number of ORFs" field fits within the buffer boundary when in fact it does not. This makes it possible to trigger an assertion by feeding bgpd an OPEN message with a specially crafted malformed ORF capability TLV.
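As an added illustration, not Quagga's code and not part of the advisory, the C below models the two bounds checks the description contrasts: one that measures "Number of ORFs" against the whole TLV length and one that measures it against the bytes still unread after earlier blocks. The AFI/SAFI block layout is assumed from RFC 5291, the sample bodies are constructed, and the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One AFI/SAFI block of an ORF capability (RFC 5291 layout, assumed here):
 * AFI(2) Reserved(1) SAFI(1) NumberOfORFs(1), then NumberOfORFs x [Type(1) SendReceive(1)] */
#define ORF_BLOCK_HDR 5
#define ORF_ITEM_LEN  2

enum orf_verdict { ORF_OK, ORF_REJECTED, ORF_OVERRUN };
/* Walk the AFI/SAFI blocks of a capability body of tlv_len bytes the way the
 * text describes: at least once, then while another block header still fits.
 * fixed == 0: "Number of ORFs" is compared with the whole TLV length, ignoring
 *             bytes consumed by earlier blocks (the flawed check).
 * fixed == 1: it is compared with the bytes remaining after those blocks.
 * ORF_OVERRUN: the check passed although the block extends past the TLV, the
 * state in which bgpd's buffer-overrun assertion fires. */
static enum orf_verdict walk_orf_capability(const uint8_t *tlv, size_t tlv_len, int fixed)
{
    size_t pos = 0;
    do {
        if (tlv_len - pos < ORF_BLOCK_HDR)
            return ORF_REJECTED;                        /* truncated block header */
        size_t need  = (size_t)tlv[pos + 4] * ORF_ITEM_LEN;
        size_t left  = tlv_len - pos - ORF_BLOCK_HDR;   /* bytes really left */
        size_t avail = fixed ? left : tlv_len - ORF_BLOCK_HDR;
        if (need > avail)
            return ORF_REJECTED;
        if (need > left)
            return ORF_OVERRUN;                         /* reachable only when !fixed */
        pos += ORF_BLOCK_HDR + need;
    } while (tlv_len - pos >= ORF_BLOCK_HDR);
    return ORF_OK;
}

/* Constructed sample bodies, not captured traffic. Block 1 is a valid IPv4/unicast
 * block with one ORF (type 64, send/receive 3); in the malformed body block 2
 * announces 3 ORFs but carries only one. */
static const uint8_t orf_malformed[]  = { 0x00,0x01, 0x00, 0x01, 0x01, 0x40,0x03,
                                          0x00,0x02, 0x00, 0x01, 0x03, 0x40,0x03 };
static const uint8_t orf_wellformed[] = { 0x00,0x01, 0x00, 0x01, 0x01, 0x40,0x03,
                                          0x00,0x02, 0x00, 0x01, 0x01, 0x40,0x03 };
int main(void)
{
    printf("malformed body: flawed check -> %d (2 = overrun), fixed check -> %d (1 = rejected)\n",
           walk_orf_capability(orf_malformed, sizeof orf_malformed, 0),
           walk_orf_capability(orf_malformed, sizeof orf_malformed, 1));
    return 0;
}
```

The first block passes both checks; only the check computed from the remaining bytes rejects the second block, which is exactly the case the description says the original condition gets wrong.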

Impact

A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means that the attack must originate from an adjacent network.

Solution

We are currently unaware of a practical solution to this problem.

Vendor Information

Vendor                      | Status        | Date Notified | Date Updated
Debian GNU/Linux            | Affected      | 25 Apr 2012   | 26 Apr 2012
Infoblox                    | Affected      | 25 Apr 2012   | 26 Apr 2012
Openwall GNU/*/Linux        | Not Affected  | 25 Apr 2012   | 26 Apr 2012
Conectiva Inc.              | Unknown       | 25 Apr 2012   | 25 Apr 2012
Cray Inc.                   | Unknown       | 25 Apr 2012   | 25 Apr 2012
Engarde Secure Linux        | Unknown       | 25 Apr 2012   | 25 Apr 2012
Fedora Project              | Unknown       | 25 Apr 2012   | 25 Apr 2012
Gentoo Linux                | Unknown       | 25 Apr 2012   | 25 Apr 2012
Google                      | Unknown       | 25 Apr 2012   | 25 Apr 2012
Hewlett-Packard Company     | Unknown       | 25 Apr 2012   | 25 Apr 2012
IBM Corporation (zseries)   | Unknown       | 25 Apr 2012   | 25 Apr 2012
IBM eServer                 | Unknown       | 25 Apr 2012   | 25 Apr 2012
Mandriva S. A.              | Unknown       | 25 Apr 2012   | 25 Apr 2012
MontaVista Software, Inc.   | Unknown       | 25 Apr 2012   | 25 Apr 2012
Novell, Inc.                | Unknown       | 25 Apr 2012   | 25 Apr 2012

CVSS Metrics

Group         | Score | Vector
Base          | 5.5   | AV:A/AC:L/Au:S/C:N/I:N/A:C
Temporal      | 4.5   | E:F/RL:OF/RC:C
Environmental | 5.0   | CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://www.nongnu.org/quagga/

Credit

Thanks to Denis Ovsienko for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-1820
  • Date Public: 03 Jun 2012
  • Date First Published: 04 Jun 2012
  • Date Last Updated: 11 Jun 2012
  • Document Revision: 12

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.


This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify

Original Source

Url : http://www.kb.cert.org/vuls/id/962587

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18013
Title: USN-1605-1 -- quagga vulnerability
Description: Quagga could be made to crash if it received specially crafted network traffic.
Family: unix
Class: patch
Reference(s): USN-1605-1, CVE-2012-1820
Version: 7
Platform(s): Ubuntu 12.04, Ubuntu 11.10, Ubuntu 11.04, Ubuntu 10.04
Product(s): quagga

Definition Id: oval:org.mitre.oval:def:18294
Title: DSA-2497-1 quagga - denial of service
Description: It was discovered that Quagga, a routing daemon, contains a vulnerability in processing the ORF capability in BGP OPEN messages. A malformed OPEN message from a previously configured BGP peer could cause bgpd to crash, causing a denial of service.
Family: unix
Class: patch
Reference(s): DSA-2497-1, CVE-2012-1820
Version: 7
Platform(s): Debian GNU/Linux 6.0, Debian GNU/kFreeBSD 6.0
Product(s): quagga

Definition Id: oval:org.mitre.oval:def:21278
Title: RHSA-2012:1259: quagga security update (Moderate)
Description: The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
Family: unix
Class: patch
Reference(s): RHSA-2012:1259-01, CESA-2012:1259, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327, CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, CVE-2012-1820
Version: 120
Platform(s): Red Hat Enterprise Linux 6, CentOS Linux 6
Product(s): quagga

Definition Id: oval:org.mitre.oval:def:23882
Title: ELSA-2012:1259: quagga security update (Moderate)
Description: The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
Family: unix
Class: patch
Reference(s): ELSA-2012:1259-01, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327, CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, CVE-2012-1820
Version: 41
Platform(s): Oracle Linux 6
Product(s): quagga

Definition Id: oval:org.mitre.oval:def:27848
Title: DEPRECATED: ELSA-2012-1259 -- quagga security update (moderate)
Description (package changelog):
  [0.99.15-7.2] - improve fix for CVE-2011-3325
  [0.99.15-7.1] - fix CVE-2011-3323 - fix CVE-2011-3324 - fix CVE-2011-3325 - fix CVE-2011-3326 - fix CVE-2011-3327 - fix CVE-2012-0255 - fix CVE-2012-0249 and CVE-2012-0250 - fix CVE-2012-1820
  [0.99.15-7] - Resolves: #684751 - CVE-2010-1674 CVE-2010-1675 quagga various flaws
  [0.99.15-6] - Resolves: #644832 - CVE-2010-2948 CVE-2010-2949 quagga various flaws
Family: unix
Class: patch
Reference(s): ELSA-2012-1259, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, CVE-2011-3326, CVE-2011-3327, CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, CVE-2012-1820
Version: 4
Platform(s): Oracle Linux 6
Product(s): quagga

CPE : Common Platform Enumeration

Type        | Count
Application | 41

OpenVAS Exploits

Date Description
2012-10-12 Name : Ubuntu Update for quagga USN-1605-1
File : nvt/gb_ubuntu_USN_1605_1.nasl
2012-09-17 Name : CentOS Update for quagga CESA-2012:1259 centos6
File : nvt/gb_CESA-2012_1259_quagga_centos6.nasl
2012-09-17 Name : RedHat Update for quagga RHSA-2012:1259-01
File : nvt/gb_RHSA-2012_1259-01_quagga.nasl
2012-08-30 Name : Fedora Update for quagga FEDORA-2012-9103
File : nvt/gb_fedora_2012_9103_quagga_fc17.nasl
2012-08-10 Name : Debian Security Advisory DSA 2497-1 (quagga)
File : nvt/deb_2497_1.nasl
2012-08-10 Name : FreeBSD Ports: quagga
File : nvt/freebsd_quagga4.nasl
2012-06-22 Name : Fedora Update for quagga FEDORA-2012-9116
File : nvt/gb_fedora_2012_9116_quagga_fc16.nasl
2012-06-22 Name : Fedora Update for quagga FEDORA-2012-9117
File : nvt/gb_fedora_2012_9117_quagga_fc15.nasl

Nessus® Vulnerability Scanner

Date Description
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_quagga_20120821.nasl - Type : ACT_GATHER_INFO
2013-10-11 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201310-08.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-90.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-122.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_quagga-120430.nasl - Type : ACT_GATHER_INFO
2012-10-12 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1605-1.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120912_quagga_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-09-14 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2012-09-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1259.nasl - Type : ACT_GATHER_INFO
2012-06-29 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2497.nasl - Type : ACT_GATHER_INFO
2012-06-29 Name : The remote service may be affected by a denial of service vulnerability.
File : quagga_0_99_21.nasl - Type : ACT_GATHER_INFO
2012-06-20 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9117.nasl - Type : ACT_GATHER_INFO
2012-06-20 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9116.nasl - Type : ACT_GATHER_INFO
2012-06-20 Name : The remote Fedora host is missing a security update.
File : fedora_2012-9103.nasl - Type : ACT_GATHER_INFO
2012-06-07 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_quagga-8108.nasl - Type : ACT_GATHER_INFO
2012-06-06 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_1e14d46faf1f11e1b24200215af774f0.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 12:08:19
  • Multiple Updates