CERT-FI Advisory on Quagga

Details

Quagga is an open source routing software that can handle various routing protocols such as RIP, BGP and OSPF. Five vulnerabilities have been found in the BGP, OSPF and OSPFv3 components of Quagga. The vulnerabilities allow an attacker to cause a denial of service or potentially to execute his own code by sending a specially modified packets to an affected server. Routing messages are typically accepted from the routing peers. Exploiting these vulnerabilities may require an established routing session (BGP peering or OSPF/OSPFv3 adjacency) to the router.

The vulnerability CVE-2011-3327 is related to the extended communities handling in BGP messages. Receiving a malformed BGP update can result in a buffer overflow and disruption of IPv4 routing.

The vulnerability CVE-2011-3326 results from the handling of LSA (Link State Advertisement) states in the OSPF service. Receiving a modified Link State Update message with malicious state information can result in denial of service in IPv4 routing.

The vulnerability CVE-2011-3325 is a denial of service vulnerability related to Hello message handling by the OSPF service. As Hello messages are used to initiate adjacencies, exploiting the vulnerability may be feasible from the same broadcast domain without an established adjacency. A malformed packet may result in denial of service in IPv4 routing.

The vulnerabilities CVE-2011-3324 and CVE-2011-3323 are related to the IPv6 routing protocol (OSPFv3) implemented in ospf6d daemon. Receiving modified Database Description and Link State Update messages, respectively, can result in denial of service in IPv6 routing.

Vulnerability Coordination Information and Acknowledgements

The vulnerabilities were reported by Riku Hietamäki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project. CERT-FI would like to thank Codenomicon, the Quagga project and CERT/CC for co-operation in the remediation efforts.

Vendor Information

• Quagga before version 0.99.19

Remediation

Install either the latest version of Quagga (http://www.quagga.net/) or a fixed version of the software provided by your operating system or application vendor.

The vulnerabilities can be remediated by restricting network access to the routing daemon. Exploiting four of the vulnerabilities require established routing sessions or adjacencies.

References

• http://www.codenomicon.com/labs/cross/
• 
  
• http://vrda.jpcert.or.jp/feed/en/JVNiPedia_JVNDB-2011-002368_AD_1.html
• http://vrda.jpcert.or.jp/feed/en/JVNiPedia_JVNDB-2011-002370_AD_1.html
• http://vrda.jpcert.or.jp/feed/en/JVNiPedia_JVNDB-2011-002372_AD_1.html
• http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-002368.html
  
• http://www.kb.cert.org/vuls/id/668534
• CVE-2011-3327, CVE-2011-3326, CVE-2011-3325, CVE-2011-3324
• CVE-2011-3323

Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #539178] in the subject line

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at

https://www.cert.fi/en/activities/contact/pgp-keys.html

The CERT-FI vulnerability coordination policy can be viewed at

https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html.

Revision History

26 Sept 2011, 14:00 UTC: Published
26 Oct 2011, 09:02 UTC: Added links to JPCERT and US-CERT advisories

Page updated 26.10.2011

Print version