Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Quagga Vendors:
Quagga Routing Software Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1008190
SecurityTracker URL:
CVE Reference:   CVE-2003-0795   (Links to External Site)
Date:  Nov 15 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.96.4
Description:   A vulnerability was reported in Quagga. A remote user can cause Quagga to crash.

It is reported that if a Quagga password has been enabled, a remote user can connect to the telnet management port and send a malformed telnet command to cause the target daemon to crash.

Jonny Robertson is credited with reporting this flaw.

Impact:   A remote user can cause the routing software to crash.
Solution:   The vendor has issued a fixed version (0.96.4), available at:

The vendor says that as a workaround, you can restrict access to daemon's telnet interface by configuring each daemon's vty with an access-class and access-list. Or, they indicate that you can disable external vty access completely by removing the vty password (and then restarting the daemon) or by passing the '-P 0' parameters to the daemon.

Vendor URL: (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 15 2003 (Red Hat Issues Fix for Enterprise Linux) Quagga Routing Software Can Be Crashed By Remote Users
Red Hat has released a fix for Red Hat Enterprise Linux 3.

 Source Message Contents

Subject:  Quagga remote vulnerability


All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of 

Scope of vulnerability:

All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to
hostile parties.


Affected daemons can be made to crash by sending a malformed telnet


The vty layer, when processing the telnet sub-negotiation ends
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.


Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.

Alternatively, disable external vty access completely by removing the 
vty password (and restarting) or passing the '-P 0' parameters to the 


Quagga version 0.96.4 contains a fix for this bug. Alternatively, one 
can manually apply the fix to whichever sources one uses currently. 
(See the RedHat bugzilla entry referenced below for the fix).


Thanks to Jonny Robertson <jonny AT> for finding
and reporting this bug and Jay Fenlason <fenlason AT> for 
fixing the bug.


RedHat Advisory RHSA-2003:307-09,

RedHat Bugzilla entry 107140,



The RedHat Advisory references a second vulnerability in GNU Zebra 
and Quagga, regarding the zebra daemon accepting netlink messages 
from any user. This vulnerability will be dealt with as soon as 

Paul Jakma	Key ID: 64A2FF6A
	warning: do not ever send email to
Factorials were someone's attempt to make math LOOK exciting.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC