CERTVU:962587Quagga BGP OPEN denial of service vulnerability
2.9 Low
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.6%
Overview
Quagga, a routing software suite, contains a BGP OPEN vulnerability that result in a denial-of-service condition.
Description
CVE-2012-1820: Quagga version 0.99.20.1 and before contains a bug in BGP OPEN message handling.
_Program Impacted: bgpd: fix DoS in bgp_capability_orf()
Description:_
If a pre-configured BGP peer sends a specially-crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.
_An ORF (code 3) capability TLV is defined to contain exactly one AFI/SAFI block. Function bgp_capability_orf(), which parses ORF capability TLV, uses do-while cycle to call its helper function bgp_capability_orf_entry(), which actually processes the AFI/SAFI data block. The call is made at least once and repeated as long as the input buffer has enough data for the next call.
The helper function, bgp_capability_orf_entry(), uses “Number of ORFs” field of the provided AFI/SAFI block to verify, if it fits the input buffer. However, the check is made based on the total length of the ORF TLV regardless of the data already consumed by the previous helper function call(s). This way, the check condition is only valid for the first AFI/SAFI block inside an ORF capability TLV._
_
For the subsequent calls of the helper function, if any are made, the check condition may erroneously tell, that the current “Number of ORFs” field fits the buffer boundary, where in fact it does not. This makes it possible to trigger an assertion by feeding an OPEN message with a specially-crafted malformed ORF capability TLV._
Impact
A denial-of-service condition can be caused by an attacker controlling one of the pre-configured BGP peers. In most cases this means, that the attack must be originated from an adjacent network.
Solution
We are currently unaware of a practical solution to this problem.
Vendor Information
962587
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Debian GNU/Linux Affected
Notified: April 25, 2012 Updated: April 26, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Infoblox Affected
Notified: April 25, 2012 Updated: April 26, 2012
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: April 25, 2012 Updated: April 26, 2012
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Google Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation (zseries) Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva S. A. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SUSE Linux Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
SafeNet Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sun Microsystems, Inc. Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The SCO Group Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Unknown
Notified: April 25, 2012 Updated: April 25, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vyatta Unknown
Notified: May 11, 2012 Updated: May 11, 2012
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
View all 24 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.5 | AV:A/AC:L/Au:S/C:N/I:N/A:C |
| Temporal | 4.5 | E:F/RL:OF/RC:C |
| Environmental | 5 | CDP:L/TD:H/CR:ND/IR:ND/AR:ND |
References
<http://www.nongnu.org/quagga/>
Acknowledgements
Thanks to Denis Ovsienko for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
| CVE IDs: | CVE-2012-1820 |
|---|---|
| Date Public: | 2012-06-03 Date First Published: |
References
Related
2.9 Low
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:N/A:P
0.011 Low
EPSS
Percentile
84.6%