Quagga, a routing software suite, contains a BGP OPEN vulnerability that result in a denial-of-service condition.
CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.
_Program Impacted: bgpd: fix DoS in bgp_capability_orf()
_If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.
_An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call.
The helper function, bgp_capability_orf_entry(), uses "Number of ORFs" field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV.
For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current "Number of ORFs" field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV._
A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network.
We are currently unaware of a practical solution to this problem.
Vendor| Status| Date Notified| Date Updated
Debian GNU/Linux| | 25 Apr 2012| 26 Apr 2012
Infoblox| | 25 Apr 2012| 26 Apr 2012
Openwall GNU/*/Linux| | 25 Apr 2012| 26 Apr 2012
Conectiva Inc.| | 25 Apr 2012| 25 Apr 2012
Cray Inc.| | 25 Apr 2012| 25 Apr 2012
Engarde Secure Linux| | 25 Apr 2012| 25 Apr 2012
Fedora Project| | 25 Apr 2012| 25 Apr 2012
Gentoo Linux| | 25 Apr 2012| 25 Apr 2012
Google| | 25 Apr 2012| 25 Apr 2012
Hewlett-Packard Company| | 25 Apr 2012| 25 Apr 2012
IBM Corporation (zseries)| | 25 Apr 2012| 25 Apr 2012
IBM eServer| | 25 Apr 2012| 25 Apr 2012
Mandriva S. A.| | 25 Apr 2012| 25 Apr 2012
MontaVista Software, Inc.| | 25 Apr 2012| 25 Apr 2012
Novell, Inc.| | 25 Apr 2012| 25 Apr 2012
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | 5.5 | AV:A/AC:L/Au:S/C:N/I:N/A:C
Temporal | 4.5 | E:F/RL:OF/RC:C
Environmental | 5.0 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND
Thanks to Denis Ovsienko for reporting this vulnerability.
This document was written by Michael Orlando.