Home Explore Help
Register Sign In
Quagga
/
quagga
4
0
Fork 1
Files Issues Pull Requests 0 Wiki
Branch: master
Branches Tags
quagga
/
doc
/
security
/
Quagga-2018-0543.txt

Quagga-2018-0543.txt 2.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. Quagga Security Note 2018-0543
    2. 

  2. ==============================
    3. 

  3. 

  4. https://www.quagga.net/security/Quagga-2018-0543.txt
    5. 

  5. 

  6. 

  7. Affects:
    8. 

  8. --------
    9. 

  9. 

  10. Quagga versions: 
    11. 

  11. - 1.1.0
    12. 

  12. - 1.1.1
    13. 

  13. - 1.2.0
    14. 

  14. - 1.2.1
    15. 

  15. - 1.2.2
    16. 

  16. 

  17. Summary
    18. 

  18. -------
    19. 

  19. 

  20. The Quagga BGP daemon, bgpd, does not properly bounds check the data
    21. 

  21. sent with a NOTIFY to a peer, if an attribute length is invalid. 
    22. 

  22. Arbitrary data from the bgpd process may be sent over the network to a
    23. 

  23. peer and/or it may crash.
    24. 

  24. 

  25. 

  26. Impact
    27. 

  27. ------
    28. 

  28. 

  29. Sensitive data from the bgpd process may be sent over the network to a
    30. 

  30. configured peer.  The bgpd process may or may not crash.
    31. 

  31. 

  32. 

  33. Solution
    34. 

  34. --------
    35. 

  35. 

  36. Upgrade Quagga to a version containing the fix.  E.g., Quagga version
    37. 

  37. 1.2.3.
    38. 

  38. 

  39. Description
    40. 

  40. ------------
    41. 

  41. 

  42. When bgpd receives an UPDATE with invalid attribute length, the invalid
    43. 

  43. length is correctly checked, and detected as such, and a NOTIFY
    44. 

  44. prepared to terminate the session.  According to the BGP protocol, the
    45. 

  45. NOTIFY message may include the incorrect received data with the NOTIFY,
    46. 

  46. for debug purposes.  Commit c69698704806a9ac5 modified the bgpd code to
    47. 

  47. do that just, and also send the malformed attr with the NOTIFY. 
    48. 

  48. However, the invalid attribute length was used as the length of the
    49. 

  49. data to send back.
    50. 

  50. 

  51. The result is a read past the end of data, which is then written to the
    52. 

  52. NOTIFY message and sent to the peer.
    53. 

  53. 

  54. A configured BGP peer can use this bug to read up to 64 KiB of memory from
    55. 

  55. the bgpd process, or crash the process if the invalid read is caught by
    56. 

  56. some means (unmapped page and SEGV, or other mechanism) resulting in a
    57. 

  57. DoS.
    58. 

  58. 

  59. This bug _ought_ /not/ be exploitable by anything other than the connected
    60. 

  60. BGP peer.  For no BGP peer should send on an UPDATE with this attribute. 
    61. 

  61. Quagga will not, as Quagga always validates the attr header length,
    62. 

  62. regardless of type.
    63. 

  63. 

  64. However, it is possible that there are BGP implementations that do not
    65. 

  65. check lengths on some attributes (e.g.  optional/transitive ones of a type
    66. 

  66. they do not recognise), and might pass such malformed attrs on.  If such
    67. 

  67. implementations exists and are common, then this bug might be triggerable
    68. 

  68. by BGP speakers further hops away.  Those peers will not receive the
    69. 

  69. NOTIFY (unless they sit on a shared medium), however they might then be
    70. 

  70. able to trigger a DoS.
    71. 

  71. 

  72. The code fix is to use the valid bound to calculate the length.
    73.