
Quagga Security Note 2018-1114
==============================
https://www.quagga.net/security/Quagga-2018-1114.txt

Affects:
--------
- Likely to affect all versions of Quagga

Summary
-------
The Quagga BGP daemon, bgpd, can double-free memory when processing
certain forms of UPDATE message, containing cluster-list and/or unknown
attributes.

Impact
------
Potentially severe.
This issue can be triggered by an optional/transitive UPDATE attribute that
all conforming eBGP speakers should pass along. This means it may be
triggerable in many affected Quagga bgpd processes across a wide area of a
network by just one UPDATE message.

This issue could result in a crash of bgpd, or even allow a remote
attacker to gain control of an affected bgpd process.
Solution
--------
Upgrade to Quagga 1.2.3, or any other version with the appropriate
patch applied, entitled:

"bgpd/security: Fix double free of unknown attribute"

Description
-----------
The issue is a double-free in bgp_attr_flush called from
bgp_packet.c:bgp_update_receive. This can be triggered by a variety of
BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used
in iBGP route-reflection) or an unknown attribute.

An unrecognised optional/transitive UPDATE attribute should be passed along
by conforming BGP speakers, if the attribute is otherwise well-formed.
Therefore this issue potentially can be triggered across a number of Quagga
bgpd speakers, over a wide area of a network, by one BGP speaker sending an
UPDATE.
Once this issue has been triggered the behaviour of bgpd is undefined. The
internal state of the memory allocator may become corrupted, unless it has
been designed to be robust to the double-free. The memory allocator may
catch the issue and crash the bgpd process in a controlled manner; otherwise
the bgpd process could continue to run with an invalid memory allocation state.

It is possible an attacker could exploit the corrupted allocator state to
gain control of the bgpd process. E.g., if the allocator stores the
incorrectly double-freed memory twice on its internal free-list, then the
allocator could return the same memory twice in further calls of malloc, and
the attacker might be able to control the operation of one part of bgpd with
data they supply that is stored in another.
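The propagation and cleanup behaviour described above, as an added example that is not Quagga's code: a minimal path-attribute walker modelled on the advisory (hypothetical names; type codes 1..10 stand in for the attributes the daemon recognises) keeps unknown optional/transitive attributes for forwarding, per RFC 4271, and releases them through an idempotent flush, so running the cleanup on both the error path and the normal path cannot double-free.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FLAG_OPTIONAL 0x80   /* BGP path-attribute flag bits (RFC 4271) */
#define FLAG_TRANS    0x40
#define FLAG_PARTIAL  0x20
#define FLAG_EXTLEN   0x10

/* Unknown optional/transitive attributes, stored verbatim for forwarding. */
struct transit { uint8_t *val; size_t len; };

/* Idempotent flush (hypothetical model of the fix): freeing and nulling means
 * a second cleanup call on an error path releases nothing a second time. */
static void transit_flush(struct transit *t)
{
    free(t->val);
    t->val = NULL;
    t->len = 0;
}

/* Walk the attribute TLVs of an UPDATE. Returns the attribute count, or -1
 * on malformed input or an unrecognised well-known attribute. Unknown
 * optional non-transitive attributes are dropped; unknown optional
 * transitive ones are kept with the Partial bit set, as RFC 4271 requires. */
static int parse_attrs(const uint8_t *p, size_t n, struct transit *t)
{
    int count = 0;
    while (n > 0) {
        size_t hdr, len;
        if (n < 3) return -1;
        hdr = (p[0] & FLAG_EXTLEN) ? 4 : 3;
        if (n < hdr) return -1;
        len = (hdr == 4) ? ((size_t)p[2] << 8 | p[3]) : p[2];
        if (len > n - hdr) return -1;              /* TLV runs past the buffer */
        if (p[1] < 1 || p[1] > 10) {               /* unrecognised type code */
            if (!(p[0] & FLAG_OPTIONAL)) return -1;
            if (p[0] & FLAG_TRANS) {
                uint8_t *nv = realloc(t->val, t->len + hdr + len);
                if (!nv) return -1;
                memcpy(nv + t->len, p, hdr + len);
                nv[t->len] |= FLAG_PARTIAL;
                t->val = nv;
                t->len += hdr + len;
            }
        }
        p += hdr + len; n -= hdr + len; count++;
    }
    return count;
}

/* Parse one UPDATE's attributes, then clean up on the error path and again on
 * the normal path; *kept reports how many bytes were held for forwarding. */
static int process_update(const uint8_t *p, size_t n, size_t *kept)
{
    struct transit t = { NULL, 0 };
    int rc = parse_attrs(p, n, &t);
    if (rc < 0) transit_flush(&t);   /* error-path cleanup */
    *kept = t.len;
    transit_flush(&t);               /* normal-path cleanup, harmless if already run */
    return rc;
}
```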