2.6 Low
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:N/I:N/A:P
0.053 Low
EPSS
Percentile
93.0%
Stack-based buffer overflow in the new_msg_lsa_change_notify function in
the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when
–enable-opaque-lsa and the -a command line option are used, allows remote
attackers to cause a denial of service (crash) via a large LSA.
Author | Note |
---|---|
jdstrand | requires --enable-opaque-lsa during the build (true for Ubuntu 10.04 LTS and higher) also requires starting ospfd with ‘-a’. ospfd is not enabled by default and the configuration in /etc/quagga/debian.conf does not include ‘-a’. Per upstream, normal protection measures (eg, packet filtering, listening on internal network, etc) would prevent this. Furthermore, it is difficult to exploit. Considering the above, downgrading to ‘low’ |