Quagga Security Note 2018-0543
==============================

https://www.quagga.net/security/Quagga-2018-0543.txt

Affects:
--------

Quagga versions:

- 1.1.0
- 1.1.1
- 1.2.0
- 1.2.1
- 1.2.2

Summary
-------

The Quagga BGP daemon, bgpd, does not properly bounds check the data
sent with a NOTIFY to a peer if an attribute length is invalid.
Arbitrary data from the bgpd process may be sent over the network to a
peer and/or the process may crash.

Impact
------

Sensitive data from the bgpd process may be sent over the network to a
configured peer. The bgpd process may or may not crash.

Solution
--------

Upgrade Quagga to a version containing the fix, e.g. Quagga version
1.2.3.

Description
-----------

When bgpd receives an UPDATE with an invalid attribute length, the
invalid length is correctly detected, and a NOTIFY is prepared to
terminate the session. According to the BGP protocol, the NOTIFY message
may include the incorrectly received data, for debug purposes. Commit
c69698704806a9ac5 modified the bgpd code to do just that, and also send
the malformed attribute with the NOTIFY. However, the invalid attribute
length was used as the length of the data to send back.

The result is a read past the end of the received data, which is then
written into the NOTIFY message and sent to the peer.

A configured BGP peer can use this bug to read up to 64 KiB of memory from
the bgpd process, or crash the process if the invalid read is caught by
some means (unmapped page and SEGV, or other mechanism), resulting in a
DoS.

This bug _ought_ /not/ to be exploitable by anything other than the
connected BGP peer, as no BGP peer should pass on an UPDATE carrying such
an attribute. Quagga will not, as Quagga always validates the attribute
header length, regardless of type.

However, it is possible that there are BGP implementations that do not
check lengths on some attributes (e.g. optional/transitive ones of a type
they do not recognise), and might pass such malformed attributes on. If
such implementations exist and are common, then this bug might be
triggerable by BGP speakers further hops away. Those speakers would not
receive the NOTIFY (unless they sit on a shared medium); however, they
might still be able to trigger a DoS.

The code fix is to use the valid bound to calculate the length.
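The bounds defect described above, shown as an added example that is not Quagga's own code: a constructed, simplified model of a BGP path-attribute header check (RFC 4271 flags/type/length layout) and the NOTIFY that echoes the offending attribute. `notify_echo_len_unbounded` computes the length the pre-fix logic would have trusted (the peer-supplied declared length), while `notify_echo_len_bounded` and `bgp_attr_check_length` clamp the echo to the bytes actually received. All function and struct names here are hypothetical; the numeric error code/subcode values are those RFC 4271 assigns to an UPDATE attribute-length error.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of an attribute-length check and the
 * NOTIFY prepared when it fails. Added example, not Quagga's bgpd source;
 * every identifier below is hypothetical. */

#define BGP_ATTR_FLAG_EXTLEN 0x10u   /* RFC 4271 Extended Length flag bit */
#define BGP_MAX_PACKET_SIZE  4096u   /* RFC 4271 maximum BGP message size */

/* RFC 4271: UPDATE Message Error (3), Attribute Length Error (5) */
#define BGP_NOTIFY_UPDATE_ERR       3u
#define BGP_NOTIFY_UPDATE_ATTR_LENG 5u

struct bgp_notify {
    uint8_t code;
    uint8_t subcode;
    size_t  length;                     /* bytes of data echoed to the peer */
    uint8_t data[BGP_MAX_PACKET_SIZE];
};

/* Parse the attribute header: flags, type, 1- or 2-byte length.
 * Returns the header size (3 or 4), or 0 if the header itself is truncated. */
static size_t attr_header_parse(const uint8_t *p, size_t remaining,
                                uint16_t *declared_len)
{
    if (remaining < 3)
        return 0;
    if (p[0] & BGP_ATTR_FLAG_EXTLEN) {
        if (remaining < 4)
            return 0;
        *declared_len = (uint16_t)((p[2] << 8) | p[3]);
        return 4;
    }
    *declared_len = p[2];
    return 3;
}

/* Pre-fix behaviour: the peer-supplied declared length decides how many
 * bytes after the header go into the NOTIFY. Only returned here, never used
 * for a copy, so the example itself stays memory-safe. */
size_t notify_echo_len_unbounded(const uint8_t *attr, size_t remaining)
{
    uint16_t declared;
    size_t hdr = attr_header_parse(attr, remaining, &declared);
    if (hdr == 0)
        return remaining;
    return hdr + declared;   /* may exceed `remaining`: out-of-bounds read */
}

/* Fixed behaviour: echo the header plus only the bytes actually received. */
size_t notify_echo_len_bounded(const uint8_t *attr, size_t remaining)
{
    uint16_t declared;
    size_t hdr = attr_header_parse(attr, remaining, &declared);
    if (hdr == 0)
        return remaining;
    size_t avail = remaining - hdr;            /* hdr <= remaining by construction */
    return hdr + (declared < avail ? declared : avail);
}

/* Validate one attribute against the bytes left in the UPDATE.
 * Returns 0 if the declared length fits, 1 if not (and fills `n` with a
 * NOTIFY whose echoed data never reads past `remaining`). */
int bgp_attr_check_length(const uint8_t *attr, size_t remaining,
                          struct bgp_notify *n)
{
    uint16_t declared;
    size_t hdr = attr_header_parse(attr, remaining, &declared);
    if (hdr != 0 && (size_t)declared <= remaining - hdr)
        return 0;                      /* length is valid */

    memset(n, 0, sizeof *n);
    n->code    = BGP_NOTIFY_UPDATE_ERR;
    n->subcode = BGP_NOTIFY_UPDATE_ATTR_LENG;
    n->length  = notify_echo_len_bounded(attr, remaining);
    if (n->length > sizeof n->data)    /* defensive cap; an UPDATE cannot exceed 4096 */
        n->length = sizeof n->data;
    memcpy(n->data, attr, n->length);  /* bounded by what was actually received */
    return 1;
}
```

Feeding this an extended-length attribute that declares 0xFFFF bytes but is followed by only 5 shows the gap the advisory describes: the unbounded calculation asks for 65539 bytes (the "up to 64 KiB" figure), the bounded one copies 9.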