Message-ID: <Pine.LNX.4.56.0311131621240.12831@fogarty.jakma.org>
Date: Fri, 14 Nov 2003 13:16:37 +0000 (GMT)
From: Paul Jakma <paul-p3WKshh8b8w@...lic.gmane.org>
To: Quagga Users <quagga-users-UOy77sIEA+cAd7ICUelF/Q@...lic.gmane.org>
Cc: Christian Hammers <ch-8fiUuRrzOP0dnm+yROfE0A@...lic.gmane.org>, bugtraq-o7tR/nIX9Vi1EmJ4MpGYnQC/G2K4zDHf@...lic.gmane.org
Subject: [quagga-users 906] Quagga remote vulnerability


Summary:
--------

All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of 
service.


Scope of vulnerability:
-----------------------

All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, i.e. the telnet CLI, is accessible to
hostile parties.


Impact:
-------

Affected daemons can be made to crash by sending a malformed telnet
command.


Description:
------------

The vty layer, when processing the telnet sub-negotiation end
marker, SE, does not check whether there is a sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer, causing the daemon to crash.


Workaround:
-----------

Restrict access to each daemon's telnet CLI, either by configuring
each daemon's vty with an appropriate access-class and access-list, or
with some external firewalling application.

Alternatively, disable external vty access completely by removing the 
vty password (and restarting) or passing the '-P 0' parameters to the 
daemon.

Solution:
---------

Quagga version 0.96.4 contains a fix for this bug. Alternatively, one 
can manually apply the fix to whichever sources one uses currently. 
(See the RedHat bugzilla entry referenced below for the fix).


Credits:
--------

Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for 
fixing the bug.


References:
-----------

RedHat Advisory RHSA-2003:307-09, 
http://rhn.redhat.com/errata/RHSA-2003-307.html

RedHat Bugzilla entry 107140,
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140

CAN-2003-0795


Footnote:
---------

The RedHat Advisory references a second vulnerability in GNU Zebra 
and Quagga, regarding the zebra daemon accepting netlink messages 
from any user. This vulnerability will be dealt with as soon as 
possible. 

regards,
-- 
Paul Jakma	paul-p3WKshh8b8w@...lic.gmane.org	paul@...ma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam-YO+z8i/CF6JQ+HMy2YlzRA@...lic.gmane.org
Fortune:
Factorials were someone's attempt to make math LOOK exciting.
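
The missing check named in the Description above, shown as an added example.
This is not part of the original message and is not Quagga's code: the
struct telnet_parser type and the telnet_feed functions are hypothetical
names used for illustration, and the parser handles only SB and SE.

```c
#include <stddef.h>

enum { SE = 240, SB = 250, IAC = 255 };   /* Telnet commands, RFC 854 */

/* Hypothetical parser state for illustration; not Quagga's struct vty. */
struct telnet_parser {
    int in_iac;                  /* previous byte was IAC */
    unsigned char *sb_buf;       /* NULL unless a sub-negotiation is open */
    size_t sb_len;
    unsigned char storage[64];
    unsigned stray_se, completed;
};

/* Feed one byte; returns -1 if a malformed sequence was rejected, else 0. */
int telnet_feed(struct telnet_parser *p, unsigned char c)
{
    if (!p->in_iac) {
        if (c == IAC)
            p->in_iac = 1;
        else if (p->sb_buf && p->sb_len < sizeof p->storage)
            p->sb_buf[p->sb_len++] = c;       /* option data, bounded */
        return 0;
    }
    p->in_iac = 0;
    if (c == SB) {                            /* open a sub-negotiation */
        p->sb_buf = p->storage;
        p->sb_len = 0;
    } else if (c == SE) {
        /* The check the advisory says was missing: SE is valid only while a
         * sub-negotiation is open; otherwise sb_buf is NULL and must not be read. */
        if (p->sb_buf == NULL) { p->stray_se++; return -1; }
        if (p->sb_len > 0)
            p->completed++;                   /* sb_buf[0] is the option code */
        p->sb_buf = NULL;
    }
    return 0;                                 /* other commands ignored here */
}

/* Feed a buffer; returns how many malformed sequences were rejected. */
int telnet_feed_all(struct telnet_parser *p, const unsigned char *d, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++)
        rejected += telnet_feed(p, d[i]) < 0;
    return rejected;
}
```

A caller would zero-initialise the state per connection and treat a -1
return as a protocol error to log and discard.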