SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Quagga Vendors:   quagga.net
Quagga Routing Software Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1008190
SecurityTracker URL:  http://securitytracker.com/id/1008190
CVE Reference:   CVE-2003-0795   (Links to External Site)
Date:  Nov 15 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.96.4
Description:   A vulnerability was reported in Quagga. A remote user can cause Quagga to crash.

It is reported that if a Quagga password has been enabled, a remote user can connect to the telnet management port and send a malformed telnet command to cause the target daemon to crash.

Jonny Robertson is credited with reporting this flaw.

Impact:   A remote user can cause the routing software to crash.
Solution:   The vendor has issued a fixed version (0.96.4), available at:

http://www.quagga.net/download.php

The vendor says that as a workaround, you can restrict access to daemon's telnet interface by configuring each daemon's vty with an access-class and access-list. Or, they indicate that you can disable external vty access completely by removing the vty password (and then restarting the daemon) or by passing the '-P 0' parameters to the daemon.

Vendor URL:  www.quagga.net/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 15 2003 (Red Hat Issues Fix for Enterprise Linux) Quagga Routing Software Can Be Crashed By Remote Users
Red Hat has released a fix for Red Hat Enterprise Linux 3.



 Source Message Contents

Subject:  Quagga remote vulnerability


Summary:
--------

All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of 
service.


Scope of vulnerability:
-----------------------

All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to
hostile parties.


Impact:
-------

Affected daemons can be made to crash by sending a malformed telnet
command.


Description:
------------

The vty layer, when processing the telnet sub-negotiation ends
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.


Workaround:
-----------

Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.

Alternatively, disable external vty access completely by removing the 
vty password (and restarting) or passing the '-P 0' parameters to the 
daemon.

Solution:
-----------

Quagga version 0.96.4 contains a fix for this bug. Alternatively, one 
can manually apply the fix to whichever sources one uses currently. 
(See the RedHat bugzilla entry referenced below for the fix).


Credits:
--------

Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for 
fixing the bug.


References:
----------

RedHat Advisory RHSA-2003:307-09, 
http://rhn.redhat.com/errata/RHSA-2003-307.html

RedHat Bugzilla entry 107140,
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140

CAN-2003-0795


Footnote:
---------

The RedHat Advisory references a second vulnerability in GNU Zebra 
and Quagga, regarding the zebra daemon accepting netlink messages 
from any user. This vulnerability will be dealt with as soon as 
possible. 

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam@dishone.st
Fortune:
Factorials were someone's attempt to make math LOOK exciting.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC