Stack-based buffer overflow in the new_msg_lsa_change_notify function in the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when --enable-opaque-lsa and the -a command line option are used, allows remote attackers to cause a denial of service (crash) via a large LSA.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - quagga: VPNv4 NLRI parser memcpys to stack on unchecked length (CVE-2016-2342)

  - quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to     crash or potentially execute arbitrary code (CVE-2018-5379)

  - quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon performs routes removal     (CVE-2012-5521)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote NewStart CGSL host, running version MAIN 4.05, has quagga packages installed that are affected by multiple vulnerabilities:

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-0794 advisory.

    - Resolves: #1416013 - CVE-2017-5495 quagga: Telnet interface input buffer allocates unbounded amounts of     memory
    - fix for CVE-2013-2236 (#1391918)
    - fix for CVE-2016-1245 (#1391914)
    - fix for CVE-2016-2342 (#1391916)
    - fix for CVE-2016-4049 (#1391919)
    - improve fix for CVE-2011-3325
    - fix CVE-2011-3323
    - fix CVE-2011-3324
    - fix CVE-2011-3325
    - fix CVE-2011-3326
    - fix CVE-2011-3327
    - fix CVE-2012-0255
    - fix CVE-2012-0249 and CVE-2012-0250

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for quagga is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector.

Security Fix(es) :

* A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245)

* A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342)

* A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049)

* A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash.
(CVE-2017-5495)

* A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:0794 advisory.

    The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based     protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is     intended to be used as a Route Server and Route Reflector.

    Security Fix(es):

    * A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement     messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service.
    (CVE-2016-1245)

    * A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled     Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in     denial of service. (CVE-2016-2342)

    * A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances,     a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

    * A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this     flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495)

    * A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in     denial of service. (CVE-2013-2236)

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes     and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2941-1 advisory.

    Kostya Kortchinsky discovered that Quagga incorrectly handled certain route data when configured with BGP     peers enabled for VPNv4. A remote attacker could use this issue to cause Quagga to crash, resulting in a     denial of service, or possibly execute arbitrary code. (CVE-2016-2342)

    It was discovered that Quagga incorrectly handled messages with a large LSA when used in certain     configurations. A remote attacker could use this issue to cause Quagga to crash, resulting in a denial of     service. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-2236)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - Stack-based buffer overflow in the     new_msg_lsa_change_notify function in the OSPFD API     (ospf_api.c) in Quagga before 0.99.22.2, when

    --enable-opaque-lsa and the -a command line option are     used, allows remote attackers to cause a denial of     service (crash) via a large LSA. (CVE-2013-2236)

Multiple vulnerabilities were discovered in Quagga, a BGP/OSPF/RIP routing daemon :

  - CVE-2013-2236     A buffer overflow was found in the OSPF API-server     (exporting the LSDB and allowing announcement of     Opaque-LSAs).

  - CVE-2013-6051     bgpd could be crashed through BGP updates. This only     affects Wheezy/stable.

According to its self-reported version number, the installation of Quagga listening on the remote host is potentially affected by a stack-based buffer overflow that occurs in the OSPF API server ('ospf_api.c') when it receives an LSA larger than 1488 bytes. 

The vulnerability is only present when Quagga is compiled with the '--enable-opaque-lsa' flag and the OSPF API server is running (ospfd is run with the '-a' parameter).  Exploitation of this issue may lead to a denial of service or arbitrary code execution.

Updated quagga packages fix security vulnerability :

Remotely exploitable buffer overflow in ospf_api.c and ospfclient.c when processing LSA messages in quagga before 0.99.22.2 (CVE-2013-2236).

Note: We have worked around this vulnerability by disabling the ospf_api and ospfclient features, which did not provide useful functionality.

The remote host is affected by the vulnerability described in GLSA-201310-08 (Quagga: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Quagga. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause arbitrary code execution or a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update of quagga fixes two security issues :

  - specially crafted OSPF packets could have caused the     routing table to be erased. (bnc#822572).
    (CVE-2013-0149)

  - local network stack overflow (bnc#828117).
    (CVE-2013-2236)

ID	Name	Product	Family	Severity
199334	RHEL 5 : quagga (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
127329	NewStart CGSL MAIN 4.05 : quagga Multiple Vulnerabilities (NS-SA-2019-0101)	Nessus	NewStart CGSL Local Security Checks	critical
99223	Scientific Linux Security Update : quagga on SL6.x i386/x86_64 (20170321)	Nessus	Scientific Linux Local Security Checks	critical
99073	Oracle Linux 6 : quagga (ELSA-2017-0794)	Nessus	Oracle Linux Local Security Checks	critical
97961	CentOS 6 : quagga (CESA-2017:0794)	Nessus	CentOS Local Security Checks	critical
97885	RHEL 6 : quagga (RHSA-2017:0794)	Nessus	Red Hat Local Security Checks	critical
90188	Ubuntu 14.04 LTS : Quagga vulnerabilities (USN-2941-1)	Nessus	Ubuntu Local Security Checks	high
80753	Oracle Solaris Third-Party Patch Update : quagga (cve_2013_2236_buffer_errors)	Nessus	Solaris Local Security Checks	low
71097	Debian DSA-2803-1 : quagga - several vulnerabilities	Nessus	Debian Local Security Checks	medium
70761	Quagga < 0.99.22.2 OSPF API Buffer Overflow	Nessus	Misc.	low
70521	Mandriva Linux Security Advisory : quagga (MDVSA-2013:254)	Nessus	Mandriva Local Security Checks	low
70381	GLSA-201310-08 : Quagga: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
70020	SuSE 11.2 / 11.3 Security Update : quagga (SAT Patch Numbers 8234 / 8235)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2013-2236

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

high

low

medium

low

low

medium

medium