Quagga-2018-1975.txt 2.2 KB

  1. Quagga Security Note 2018-1975
  2. ==============================
  3. https://www.quagga.net/security/Quagga-2018-1975.txt
  4. Affects:
  5. --------
  6. - Quagga version 0.99.9, and all later versions
  7. - All versions, if the "override-capability" neighbour option is set (not
  8. the default).
  9. Summary
  10. -------
  11. The Quagga BGP daemon, bgpd, can enter an infinite loop if sent an invalid
  12. OPEN message by a configured peer.
  13. Impact
  14. ------
  15. This problem is triggerable by packets from a configured peer.
  16. When triggered, the bgpd daemon enters an infinite loop and cease to respond
  17. to any other events. BGP sessions will drop and not be reestablished. The
  18. CLI interface will be unresponsive. The bgpd daemon will stay in this state
  19. until it is restarted.
  20. Solution
  21. --------
  22. Upgrade to Quagga version 1.2.3 or later, or apply the fix from commit:
  23. "bgpd/security: fix infinite loop on certain invalid OPEN messages"
  24. Until then, the problem can be mitigated by enabling watchquagga and
  25. ensuring that it monitors bgpd and restarts it if it ceases to be
  26. responsive.
  27. Disabling capability negotiation will also prevent the problem from
  28. occurring, but may cause problems. It is not recommended to disable
  29. capability negotiation in normal operation.
  30. Description
  31. ------------
  32. The Quagga BGP daemon, bgpd, had a bug in its parsing of "Capabilities" in
  33. BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function.
  34. The parser can enter an infinite loop on invalid capabilities if a
  35. Multi-Protocol capability does not have a recognised AFI/SAFI.
  36. The issue was introduced in commit 6d58272b4c, by copying an incorrect
  37. pattern of code from an existing check on a configuration flag (which also
  38. has the issue) and applying it to protocol data.
  39. This issue can be triggered by a configured peer, accidentally or
  40. deliberately. It could also be configured by others, if transport security
  41. and/or network topology allowed an attacker to spoof a full TCP connection.
  42. The consequence of this bug is that bgpd enters an infinite loop. The bgpd
  43. daemon will not be able to do any other work as a consequence, including
  44. servicing BGP and CLI sessions. BGP sessions will time out and drop and not
  45. be re-established. This state will persist until the bgpd is restarted.