Quagga remote vulnerability

Summary:

All versions of Quagga (and also GNU Zebra, from which Quagga was
forked) are vulnerable to a remotely triggerable denial of
service.

Scope of vulnerability:

All versions of GNU Zebra and all versions of Quagga /prior/ to
0.96.4, where a daemon's vty, ie the telnet CLI, is accessible to
hostile parties.

Impact:

Affected daemons can be made to crash by sending a malformed telnet
command.

Description:

The vty layer, when processing the telnet sub-negotiation ends
marker, SE, does not check whether there is sub-negotiation in
progress, and hence will attempt to dereference a (typically) NULL
pointer causing the daemon to crash.

Workaround:

Restrict access to daemon's telnet CLI, by either configuring each
daemon's vty with an appropriate access-class and access-list, or by
some external firewalling application.

Alternatively, disable external vty access completely by removing the
vty password (and restarting) or passing the '-P 0' parameters to the
daemon.

Solution:

Quagga version 0.96.4 contains a fix for this bug. Alternatively, one
can manually apply the fix to whichever sources one uses currently.
(See the RedHat bugzilla entry referenced below for the fix).

Credits:

Thanks to Jonny Robertson <jonny AT prophecy.net.nz> for finding
and reporting this bug and Jay Fenlason <fenlason AT redhat.com> for
fixing the bug.

References:

RedHat Advisory RHSA-2003:307-09,
http://rhn.redhat.com/errata/RHSA-2003-307.html

RedHat Bugzilla entry 107140,
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140

CAN-2003-0795

Footnote:

The RedHat Advisory references a second vulnerability in GNU Zebra
and Quagga, regarding the zebra daemon accepting netlink messages
from any user. This vulnerability will be dealt with as soon as
possible.

regards,

Paul Jakma [email protected] [email protected] Key ID: 64A2FF6A
warning: do not ever send email to [email protected]
Fortune:
Factorials were someone's attempt to make math LOOK exciting.