Home Explore Help
Register Sign In
Quagga
/
quagga
Watch 4
Star 0
Fork 1
Files Issues Pull Requests 0 Wiki
Branch: master
Branches Tags
quagga
/
doc
/
security
/
Quagga-2018-1114.txt

Quagga-2018-1114.txt 2.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566 
  1. Quagga Security Note 2018-1114
    2. 

  2. ==============================
    3. 

  3. 

  4. https://www.quagga.net/security/Quagga-2018-1114.txt
    5. 

  5. 

  6. 

  7. Affects:
    8. 

  8. --------
    9. 

  9. 

  10. - Likely to affect all versions of Quagga
    11. 

  11. 

  12. Summary
    13. 

  13. -------
    14. 

  14. 

  15. The Quagga BGP daemon, bgpd, can double-free memory when processing
    16. 

  16. certain forms of UPDATE message, containing cluster-list and/or unknown
    17. 

  17. attributes.
    18. 

  18. 

  19. Impact
    20. 

  20. ------
    21. 

  21. 

  22. Potentially severe.
    23. 

  23. 

  24. This issue can be triggered by an optional/transitive UPDATE attribute, that
    25. 

  25. all conforming eBGP speakers should pass along.  This means this may
    26. 

  26. triggerable in many affected Quagga bgpd processes across a wide area of a
    27. 

  27. network, because of just one UPDATE message.
    28. 

  28. 

  29. This issue could result in a crash of bgpd, or even allow a remote
    30. 

  30. attacker to gain control of an affected bgpd process.
    31. 

  31. 

  32. Solution
    33. 

  33. --------
    34. 

  34. 

  35. Upgrade to Quagga 1.2.3, or any other version with the appropriate
    36. 

  36. patch applied, entitled:
    37. 

  37. 

  38.   "bgpd/security: Fix double free of unknown attribute"
    39. 

  39. 

  40. Description
    41. 

  41. ------------
    42. 

  42. 

  43. The issue is a double-free in bgp_attr_flush called from
    44. 

  44. bgp_packet.c:bgp_update_receive. This can be triggered by a variety of
    45. 

  45. BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used
    46. 

  46. in iBGP route-reflection) or an unknown attribute.
    47. 

  47. 

  48. An unrecognised optional/transitive UPDATE attribute should be passed along
    49. 

  49. by conforming BGP speakers, if the attribute is otherwise well-formed. 
    50. 

  50. Therefore this issue potentially can be triggered across a number of Quagga
    51. 

  51. bgpd speakers, over a wide area of a network, by one BGP speaker sending an
    52. 

  52. UPDATE.
    53. 

  53. 

  54. Once this issue has been triggered the behaviour of bgpd is undefined.  The
    55. 

  55. internal state of the memory allocator may become corrupted, unless it has
    56. 

  56. been designed to be robust to the double-free.  The memory allocator may
    57. 

  57. catch the issue and crash the bgpd process in a controlled manner, otherwise
    58. 

  58. bgpd process could continue to run with invalid memory allocation state.
    59. 

  59. 

  60. It is possible an attacker could exploit the corrupted allocator state to
    61. 

  61. gain control of the bgpd process.  E.g., if the allocator stores the
    62. 

  62. incorrectly double-freed memory twice on its internal free-list, then the
    63. 

  63. allocator could return the same memory twice in further calls of malloc, and
    64. 

  64. the attacker might be able to control the operation of one part of bgpd with
    65. 

  65. data they supply that is stored in another.
    66. 

  66.