2.9 Low
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.6%
Quagga, a routing software suite, contains a BGP OPEN vulnerability that result in a denial-of-service condition.
CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.
_Program Impacted: bgpd: fix DoS in bgp_capability_orf()
Description:_
If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.
_An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call.
The helper function, bgp_capability_orf_entry(), uses “Number of ORFs” field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV._
_
For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current “Number of ORFs” field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV._
A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network.
We are currently unaware of a practical solution to this problem.
962587
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: April 25, 2012 Updated: April 26, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 26, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 26, 2012
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2012 Updated: April 25, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 11, 2012 Updated: May 11, 2012
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
View all 24 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 5.5 | AV:A/AC:L/Au:S/C:N/I:N/A:C |
Temporal | 4.5 | E:F/RL:OF/RC:C |
Environmental | 5 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND |
<http://www.nongnu.org/quagga/>
Thanks to Denis Ovsienko for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2012-1820 |
---|---|
Date Public: | 2012-06-03 Date First Published: |