Amazon Linux AMI : quagga (ALAS-2018-957)

critical Nessus Plugin ID 106934

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Infinite loop issue triggered by invalid OPEN message allows denial-of-service

An infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.(CVE-2018-5381)

Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code

A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.(CVE-2018-5379)

bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash

A vulnerability was found in Quagga, in the log formatting code.
Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.(CVE-2018-5380)

Solution

Run 'yum update quagga' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2018-957.html

Plugin Details

Severity: Critical

ID: 106934

File Name: ala_ALAS-2018-957.nasl

Version: 3.7

Type: local

Agent: unix

Published: 2/22/2018

Updated: 12/6/2022

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:quagga, p-cpe:/a:amazon:linux:quagga-contrib, p-cpe:/a:amazon:linux:quagga-debuginfo, p-cpe:/a:amazon:linux:quagga-devel, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2/20/2018

Vulnerability Publication Date: 2/19/2018

Reference Information

CVE: CVE-2018-5379, CVE-2018-5380, CVE-2018-5381

ALAS: 2018-957