nessus | This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof. | DEBIAN_DSA-2197.NASL
History: Mar 22, 2011 - 12:00 a.m.

Debian DSA-2197-1 : quagga - denial of service

2011-03-22 00:00:00
This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15

It has been discovered that the Quagga routing daemon contains two denial-of-service vulnerabilities in its BGP implementation:

  • CVE-2010-1674: A crafted Extended Communities attribute triggers a NULL pointer dereference which causes the BGP daemon to crash. The crafted attributes are not propagated by the Internet core, so only explicitly configured direct peers are able to exploit this vulnerability in typical configurations.

  • CVE-2010-1675: The BGP daemon resets BGP sessions when it encounters malformed AS_PATHLIMIT attributes, introducing a distributed BGP session reset vulnerability which disrupts packet forwarding. Such malformed attributes are propagated by the Internet core, and exploitation of this vulnerability is not restricted to directly configured BGP peers.

This security update removes AS_PATHLIMIT processing from the BGP implementation, preserving the configuration statements for backwards compatibility. (Standardization of this BGP extension was abandoned long ago.)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2197. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  # Metadata-only branch: when `description` is set, the script declares its
  # metadata and exits at the end of this block without running any host check.

  # Plugin identity and revision.
  script_id(52741);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");

  # Advisory cross-references: the two CVEs and the Debian advisory number.
  script_cve_id("CVE-2010-1674", "CVE-2010-1675");
  script_xref(name:"DSA", value:"2197");

  script_name(english:"Debian DSA-2197-1 : quagga - denial of service");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");

  # Advisory text. Per this text, CVE-2010-1674 is limited to directly
  # configured peers in typical configurations, while CVE-2010-1675 can be
  # triggered through attributes propagated by other networks.
  script_set_attribute(attribute:"description", value:
"It has been discovered that the Quagga routing daemon contains two
denial-of-service vulnerabilities in its BGP implementation :

  - CVE-2010-1674
    A crafted Extended Communities attribute triggers a NULL
    pointer dereference which causes the BGP daemon to
    crash. The crafted attributes are not propagated by the
    Internet core, so only explicitly configured direct
    peers are able to exploit this vulnerability in typical
    configurations.

  - CVE-2010-1675
    The BGP daemon resets BGP sessions when it encounters
    malformed AS_PATHLIMIT attributes, introducing a
    distributed BGP session reset vulnerability which
    disrupts packet forwarding. Such malformed attributes
    are propagated by the Internet core, and exploitation of
    this vulnerability is not restricted to directly
    configured BGP peers.

This security update removes AS_PATHLIMIT processing from the BGP
implementation, preserving the configuration statements for backwards
compatibility. (Standardization of this BGP extension was abandoned
long ago.)");

  # References for triage: per-CVE tracker pages, the source package page
  # and the advisory itself.
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-1674");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-1675");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze/quagga");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2197");

  # Remediation: the fixed versions named here are the same strings the
  # package comparison later in the script uses as its references.
  script_set_attribute(attribute:"solution", value:
"Upgrade the quagga packages.

For the oldstable distribution (lenny), these problems have been fixed
in version 0.99.10-1lenny5.

For the stable distribution (squeeze), these problems have been fixed
in version 0.99.17-2+squeeze2.");

  # CVSS v2 base vector: network attack vector, low complexity, no
  # authentication, availability impact only (C:N / I:N / A:P).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");

  # Declared as a local check; the CPE entries name the quagga package and
  # the two Debian releases (5.0 and 6.0) covered by the version tests.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:quagga");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Depends on ssh_get_info.nasl and requires three KB keys; the same keys
  # are tested again at run time, after this block.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions, tested in order; each failure is handed to audit() with the
# matching audit code instead of continuing to the package comparison.

# 1. Local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# 2. A Debian release must have been recorded for the host.
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}

# 3. The dpkg package listing must be present in the KB.
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}


# Compare the installed quagga packages with the fixed versions from DSA-2197.
# NOTE(review): deb_check() is defined in debian_package.inc; presumably it
# returns true when the named package is installed on the given release at a
# version older than `reference` -- confirm against the include.
#
# This is a package-version test only: nothing here inspects whether bgpd is
# running or has BGP peers configured, so a finding means "fixed package not
# installed". The -dbg and -doc packages are counted the same way as the main
# quagga package.
flag = 0;

# oldstable (lenny, release 5.0)
if (deb_check(release:"5.0", prefix:"quagga", reference:"0.99.10-1lenny5")) flag++;

# stable (squeeze, release 6.0): same reference version for all three packages,
# checked in the order quagga, quagga-dbg, quagga-doc.
foreach squeeze_pkg (make_list("quagga", "quagga-dbg", "quagga-doc"))
{
  if (deb_check(release:"6.0", prefix:squeeze_pkg, reference:"0.99.17-2+squeeze2")) flag++;
}

# No outdated package found: report the host as not affected.
if (!flag) audit(AUDIT_HOST_NOT, "affected");
else
{
  # At least one outdated package: raise a warning-level finding on port 0,
  # attaching the deb_report_get() output when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
Vendor | Product | Version | CPE
debian | debian_linux | quagga | p-cpe:/a:debian:debian_linux:quagga
debian | debian_linux | 5.0 | cpe:/o:debian:debian_linux:5.0
debian | debian_linux | 6.0 | cpe:/o:debian:debian_linux:6.0