The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - quagga: Buffer Overflow in IPv6 RA handling (CVE-2016-1245)

  - quagga: VPNv4 NLRI parser memcpys to stack on unchecked length (CVE-2016-2342)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in Quagga does not perform size checks when dumping     data, which might allow remote attackers to cause a denial of service (assertion failure and daemon crash)     via a large BGP packet. (CVE-2016-4049)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - quagga: VPNv4 NLRI parser memcpys to stack on unchecked length (CVE-2016-2342)

  - quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to     crash or potentially execute arbitrary code (CVE-2018-5379)

  - quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon performs routes removal     (CVE-2012-5521)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Open Shortest Path First (OSPF) protocol     implementations may improperly determine Link State     Advertisement (LSA) recency for LSAs with     MaxSequenceNumber. According to RFC 2328 section 13.1,     for two instances of the same LSA, recency is     determined by first comparing sequence numbers, then     checksums, and finally MaxAge. In a case where the     sequence numbers are the same, the LSA with the larger     checksum is considered more recent, and will not be     flushed from the Link State Database (LSDB). Since the     RFC does not explicitly state that the values of links     carried by a LSA must be the same when prematurely     aging a self-originating LSA with MaxSequenceNumber, it     is possible in vulnerable OSPF implementations for an     attacker to craft a LSA with MaxSequenceNumber and     invalid links that will result in a larger checksum and     thus a 'newer' LSA that will not be flushed from the     LSDB. Propagation of the crafted LSA can result in the     erasure or alteration of the routing tables of routers     within the routing domain, creating a denial of service     condition or the re-routing of traffic on the network.
    CVE-2017-3224 has been reserved for Quagga and     downstream implementations (SUSE, openSUSE, and Red Hat     packages).(CVE-2017-3224)

  - The bgp_dump_routes_func function in bgpd/bgp_dump.c in     Quagga does not perform size checks when dumping data,     which might allow remote attackers to cause a denial of     service (assertion failure and daemon crash) via a     large BGP packet.(CVE-2016-4049)

  - The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in     the VPNv4 NLRI parser in bgpd in Quagga before     1.0.20160309, when a certain VPNv4 configuration is     used, relies on a Labeled-VPN SAFI routes-data length     field during a data copy, which allows remote attackers     to execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted     packet.(CVE-2016-2342)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 can     overrun internal BGP code-to-string conversion tables     used for debug by 1 pointer value, based on     input.(CVE-2018-5380)

  - The Quagga BGP daemon (bgpd) prior to version 1.2.3 has     a bug in its parsing of 'Capabilities' in BGP OPEN     messages, in the bgp_packet.c:bgp_capability_msg_parse     function. The parser can enter an infinite loop on     invalid capabilities if a Multi-Protocol capability     does not have a recognized AFI/SAFI, causing a denial     of service.(CVE-2018-5381)

  - It was discovered that the zebra daemon in Quagga     before 1.0.20161017 suffered from a stack-based buffer     overflow when processing IPv6 Neighbor Discovery     messages. The root cause was relying on BUFSIZ to be     compatible with a message size however, BUFSIZ is     system-dependent.(CVE-2016-1245)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 4.05, has quagga packages installed that are affected by multiple vulnerabilities:

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - A stack-based buffer overflow flaw was found in the way     Quagga handled IPv6 router advertisement messages. A     remote attacker could use this flaw to crash the zebra     daemon resulting in denial of service. (CVE-2016-1245)

  - A stack-based buffer overflow flaw was found in the way     the Quagga BGP routing daemon (bgpd) handled Labeled-VPN     SAFI routes data. A remote attacker could use this flaw     to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-2342)

  - A denial of service flaw was found in the Quagga BGP     routing daemon (bgpd). Under certain circumstances, a     remote attacker could send a crafted packet to crash the     bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

  - A denial of service flaw affecting various daemons in     Quagga was found. A remote attacker could use this flaw     to cause the various Quagga daemons, which expose their     telnet interface, to crash. (CVE-2017-5495)

  - A stack-based buffer overflow flaw was found in the way     the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this     flaw to crash the ospfd daemon resulting in denial of     service. (CVE-2013-2236)

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2017-0794 advisory.

    - Resolves: #1416013 - CVE-2017-5495 quagga: Telnet interface input buffer allocates unbounded amounts of     memory
    - fix for CVE-2013-2236 (#1391918)
    - fix for CVE-2016-1245 (#1391914)
    - fix for CVE-2016-2342 (#1391916)
    - fix for CVE-2016-4049 (#1391919)
    - improve fix for CVE-2011-3325
    - fix CVE-2011-3323
    - fix CVE-2011-3324
    - fix CVE-2011-3325
    - fix CVE-2011-3326
    - fix CVE-2011-3327
    - fix CVE-2012-0255
    - fix CVE-2012-0249 and CVE-2012-0250

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for quagga is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector.

Security Fix(es) :

* A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245)

* A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342)

* A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049)

* A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash.
(CVE-2017-5495)

* A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:0794 advisory.

    The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based     protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is     intended to be used as a Route Server and Route Reflector.

    Security Fix(es):

    * A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement     messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service.
    (CVE-2016-1245)

    * A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled     Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in     denial of service. (CVE-2016-2342)

    * A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances,     a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service.
    (CVE-2016-4049)

    * A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this     flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495)

    * A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state     advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in     denial of service. (CVE-2013-2236)

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes     and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update addresses multiple security problems and fixes systemd dependencies.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201610-03 (Quagga: Arbitrary code execution)

    A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not       properly check the upper-bound length of received Labeled-VPN SAFI routes       data, which may allow for arbitrary code execution on the stack.
  Impact :

    A remote attacker could send a specially crafted packet, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

This update for quagga fixes the following security issue :

  - CVE-2016-2342: Quagga was extended the prefixlen check     to ensure it is within the bound of the NLRI packet data     and the on-stack prefix structure and the maximum size     for the address family (bsc#970952).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Kostya Kortchinsky discovered a stack-based buffer overflow vulnerability in the VPNv4 NLRI parser in bgpd in quagga, a BGP/OSPF/RIP routing daemon. A remote attacker can exploit this flaw to cause a denial of service (daemon crash), or potentially, execution of arbitrary code, if bgpd is configured with BGP peers enabled for VPNv4.

The remote Ubuntu 14.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-2941-1 advisory.

    Kostya Kortchinsky discovered that Quagga incorrectly handled certain route data when configured with BGP     peers enabled for VPNv4. A remote attacker could use this issue to cause Quagga to crash, resulting in a     denial of service, or possibly execute arbitrary code. (CVE-2016-2342)

    It was discovered that Quagga incorrectly handled messages with a large LSA when used in certain     configurations. A remote attacker could use this issue to cause Quagga to crash, resulting in a denial of     service. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-2236)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for quagga fixes the following security issue :

  - CVE-2016-2342: Quagga was extended the prefixlen check     to ensure it is within the bound of the NLRI packet data     and the on-stack prefix structure and the maximum size     for the address family (bsc#970952).

Donald Sharp reports :

A malicious BGP peer may execute arbitrary code in particularly configured remote bgpd hosts.

ID	Name	Product	Family	Severity
199393	RHEL 7 : quagga (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199334	RHEL 5 : quagga (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
146136	EulerOS 2.0 SP5 : quagga (EulerOS-SA-2021-1227)	Nessus	Huawei Local Security Checks	high
132192	EulerOS 2.0 SP3 : quagga (EulerOS-SA-2019-2657)	Nessus	Huawei Local Security Checks	critical
131900	EulerOS 2.0 SP2 : quagga (EulerOS-SA-2019-2408)	Nessus	Huawei Local Security Checks	critical
127329	NewStart CGSL MAIN 4.05 : quagga Multiple Vulnerabilities (NS-SA-2019-0101)	Nessus	NewStart CGSL Local Security Checks	critical
99223	Scientific Linux Security Update : quagga on SL6.x i386/x86_64 (20170321)	Nessus	Scientific Linux Local Security Checks	critical
99073	Oracle Linux 6 : quagga (ELSA-2017-0794)	Nessus	Oracle Linux Local Security Checks	critical
97961	CentOS 6 : quagga (CESA-2017:0794)	Nessus	CentOS Local Security Checks	critical
97885	RHEL 6 : quagga (RHSA-2017:0794)	Nessus	Red Hat Local Security Checks	critical
95010	Fedora 25 : quagga (2016-8acc6b66f1)	Nessus	Fedora Local Security Checks	critical
94526	Fedora 24 : quagga (2016-cae6456f63)	Nessus	Fedora Local Security Checks	critical
94524	Fedora 23 : quagga (2016-568c7ff4f6)	Nessus	Fedora Local Security Checks	critical
93945	GLSA-201610-03 : Quagga: Arbitrary code execution	Nessus	Gentoo Local Security Checks	high
90348	SUSE SLES11 Security Update : quagga (SUSE-SU-2016:0946-1)	Nessus	SuSE Local Security Checks	high
90347	SUSE SLES12 Security Update : quagga (SUSE-SU-2016:0936-1)	Nessus	SuSE Local Security Checks	high
90207	Debian DSA-3532-1 : quagga - security update	Nessus	Debian Local Security Checks	high
90188	Ubuntu 14.04 LTS : Quagga vulnerabilities (USN-2941-1)	Nessus	Ubuntu Local Security Checks	high
90171	openSUSE Security Update : quagga (openSUSE-2016-396)	Nessus	SuSE Local Security Checks	high
90135	openSUSE Security Update : quagga (openSUSE-2016-383)	Nessus	SuSE Local Security Checks	high
89852	FreeBSD : quagga -- stack based buffer overflow vulnerability (70c44cd0-e717-11e5-85be-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-2342

high

Tenable Plugins

critical

critical

high

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

high

high

high

high

high

high