Vulnerabilities > CVE-2012-0255 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Quagga

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

The BGP implementation in bgpd in Quagga before 0.99.20.1 does not properly use message buffers for OPEN messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed Four-octet AS Number Capability (aka AS4 capability).

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMisc.
    NASL idQUAGGA_0_99_20_1.NASL
    descriptionAccording to its self-reported version number, the installation of Quagga listening on the remote host is affected by multiple vulnerabilities : - A buffer overflow vulnerability exists in OSPFD can be triggered by a specially crafted Link Status Update message that is smaller than the length specified in its header, leading to denial of service. (CVE-2012-0249) - A buffer overflow vulnerability in exists OSPFD can be triggered by a specially crafted Link Status Update message containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field, leading to denial of service. (CVE-2012-0250) - A denial of service vulnerability exists in BGPD that can be triggered by a specially crafted OPEN message with a malformed four-octet AS Number Capability. (CVE-2012-0250)
    last seen2020-06-01
    modified2020-06-02
    plugin id59791
    published2012-06-29
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59791
    titleQuagga < 0.99.20.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59791);
      script_version("1.7");
      script_cvs_date("Date: 2018/07/25 18:58:04");
    
      script_cve_id("CVE-2012-0249", "CVE-2012-0250", "CVE-2012-0255");
      script_bugtraq_id(52531);
      script_xref(name:"CERT", value:"551715");
    
      script_name(english:"Quagga < 0.99.20.1 Multiple Vulnerabilities");
      script_summary(english:"Check the version of Quagga");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote service may be affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the installation of
    Quagga listening on the remote host is affected by multiple
    vulnerabilities :
    
      - A buffer overflow vulnerability exists in OSPFD can be
        triggered by a specially crafted Link Status Update
        message that is smaller than the length specified in 
        its header, leading to denial of service.
        (CVE-2012-0249)
    
      - A buffer overflow vulnerability in exists OSPFD can be
        triggered by a specially crafted Link Status Update
        message containing a network-LSA link-state
        advertisement for which the data-structure length is
        smaller than the value in the Length header field,
        leading to denial of service. (CVE-2012-0250)
    
      - A denial of service vulnerability exists in BGPD that 
        can be triggered by a specially crafted OPEN message 
        with a malformed four-octet AS Number Capability.
        (CVE-2012-0250)");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 0.99.20.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.quagga.net/show_bug.cgi?id=705");
      script_set_attribute(attribute:"see_also", value:"http://savannah.nongnu.org/forum/forum.php?forum_id=7151");
      script_set_attribute(attribute:"see_also", value:"http://www.quagga.net/download/quagga-0.99.20.1.changelog.txt");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/01/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/29");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:quagga:quagga");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("quagga_zebra_detect.nasl");
      script_require_keys("Quagga/Installed", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    app = "Quagga Zebra";
    kb = "Quagga/";
    
    if (report_paranoia < 2)
      audit(AUDIT_PARANOID);
    
    port = get_kb_item_or_exit(kb + "Installed");
    
    kb += port + "/";
    banner = get_kb_item_or_exit(kb + "Banner");
    ver = get_kb_item_or_exit(kb + "Version");
    
    if (ver !~ "^\d+(\.\d+)*$")
      audit(AUDIT_NONNUMERIC_VER, app, port, ver);
    
    fix = "0.99.20.1";
    if (ver_compare(ver:ver, fix:fix, strict:TRUE) >= 0)
      audit(AUDIT_LISTEN_NOT_VULN, app, port, ver);
    
    report = NULL;
    if (report_verbosity > 0)
    {
      report =
        '\n  Version source    : ' + banner +
        '\n  Installed version : ' + ver +
        '\n  Fixed version     : ' + fix +
        '\n';
    }
    
    security_warning(port:port, extra:report);
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-1259.NASL
    descriptionFrom Red Hat Security Advisory 2012:1259 : Updated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id68618
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68618
    titleOracle Linux 6 : quagga (ELSA-2012-1259)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2012:1259 and 
    # Oracle Linux Security Advisory ELSA-2012-1259 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68618);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/30 10:58:17");
    
      script_cve_id("CVE-2011-3323", "CVE-2011-3324", "CVE-2011-3325", "CVE-2011-3326", "CVE-2011-3327", "CVE-2012-0249", "CVE-2012-0250", "CVE-2012-0255", "CVE-2012-1820");
      script_bugtraq_id(42635, 42642, 46942, 46943, 49784, 52531, 53775);
      script_xref(name:"RHSA", value:"2012:1259");
    
      script_name(english:"Oracle Linux 6 : quagga (ELSA-2012-1259)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2012:1259 :
    
    Updated quagga packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Quagga is a TCP/IP based routing software suite. The Quagga bgpd
    daemon implements the BGP (Border Gateway Protocol) routing protocol.
    The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest
    Path First) routing protocol.
    
    A heap-based buffer overflow flaw was found in the way the bgpd daemon
    processed malformed Extended Communities path attributes. An attacker
    could send a specially crafted BGP message, causing bgpd on a target
    system to crash or, possibly, execute arbitrary code with the
    privileges of the user running bgpd. The UPDATE message would have to
    arrive from an explicitly configured BGP peer, but could have
    originated elsewhere in the BGP network. (CVE-2011-3327)
    
    A stack-based buffer overflow flaw was found in the way the ospf6d
    daemon processed malformed Link State Update packets. An OSPF router
    could use this flaw to crash ospf6d on an adjacent router.
    (CVE-2011-3323)
    
    A flaw was found in the way the ospf6d daemon processed malformed link
    state advertisements. An OSPF neighbor could use this flaw to crash
    ospf6d on a target system. (CVE-2011-3324)
    
    A flaw was found in the way the ospfd daemon processed malformed Hello
    packets. An OSPF neighbor could use this flaw to crash ospfd on a
    target system. (CVE-2011-3325)
    
    A flaw was found in the way the ospfd daemon processed malformed link
    state advertisements. An OSPF router in the autonomous system could
    use this flaw to crash ospfd on a target system. (CVE-2011-3326)
    
    An assertion failure was found in the way the ospfd daemon processed
    certain Link State Update packets. An OSPF router could use this flaw
    to cause ospfd on an adjacent router to abort. (CVE-2012-0249)
    
    A buffer overflow flaw was found in the way the ospfd daemon processed
    certain Link State Update packets. An OSPF router could use this flaw
    to crash ospfd on an adjacent router. (CVE-2012-0250)
    
    Two flaws were found in the way the bgpd daemon processed certain BGP
    OPEN messages. A configured BGP peer could cause bgpd on a target
    system to abort via a specially crafted BGP OPEN message.
    (CVE-2012-0255, CVE-2012-1820)
    
    Red Hat would like to thank CERT-FI for reporting CVE-2011-3327,
    CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and
    the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255,
    and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen
    and Jukka Taimisto of the Codenomicon CROSS project as the original
    reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324,
    CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin
    Winter at OpenSourceRouting.org as the original reporter of
    CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as
    the original reporter of CVE-2012-1820.
    
    Users of quagga should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, the bgpd, ospfd, and ospf6d daemons will be
    restarted automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2012-September/003021.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"quagga-0.99.15-7.el6_3.2")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-contrib-0.99.15-7.el6_3.2")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-devel-0.99.15-7.el6_3.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-contrib / quagga-devel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_QUAGGA-8108.NASL
    descriptionThis update of quagga fixes multiple security flaws that could have caused a Denial of Service via specially crafted packets. (CVE-2012-1820 / CVE-2012-0249 / CVE-2012-0250 / CVE-2012-0255) Additionally, issues with service owned directories in combination with logrotate were fixed.
    last seen2020-06-05
    modified2012-06-07
    plugin id59393
    published2012-06-07
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59393
    titleSuSE 10 Security Update : quagga (ZYPP Patch Number 8108)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_QUAGGA_20120821.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF. (CVE-2012-0248) - Buffer overflow in the ospf_ls_upd_list_lsa function in ospf_packet.c in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header. (CVE-2012-0249) - Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field. (CVE-2012-0250) - The BGP implementation in bgpd in Quagga before 0.99.20.1 does not properly use message buffers for OPEN messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed Four-octet AS Number Capability (aka AS4 capability). (CVE-2012-0255) - The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message. (CVE-2012-1820)
    last seen2020-06-01
    modified2020-06-02
    plugin id80752
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80752
    titleOracle Solaris Third-Party Patch Update : quagga (cve_2012_1820_denial_of)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-1259.NASL
    descriptionUpdated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id62070
    published2012-09-13
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62070
    titleRHEL 6 : quagga (RHSA-2012:1259)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-5411.NASL
    descriptionfixes CVEs, updates to latest upstream quagga-0.99.20.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-23
    plugin id58819
    published2012-04-23
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58819
    titleFedora 16 : quagga-0.99.20.1-1.fc16 (2012-5411)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-5352.NASL
    descriptionfixes CVEs, updates to latest upstream quagga-0.99.20.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-20
    plugin id58805
    published2012-04-20
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58805
    titleFedora 17 : quagga-0.99.20.1-1.fc17 (2012-5352)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1441-1.NASL
    descriptionIt was discovered that Quagga incorrectly handled Link State Update messages with invalid lengths. A remote attacker could use this flaw to cause Quagga to crash, resulting in a denial of service. (CVE-2012-0249, CVE-2012-0250) It was discovered that Quagga incorrectly handled messages with a malformed Four-octet AS Number Capability. A remote attacker could use this flaw to cause Quagga to crash, resulting in a denial of service. (CVE-2012-0255). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id59107
    published2012-05-16
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59107
    titleUbuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : quagga vulnerabilities (USN-1441-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120912_QUAGGA_ON_SL6_X.NASL
    descriptionA heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) We would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-03-18
    modified2012-09-14
    plugin id62095
    published2012-09-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62095
    titleScientific Linux Security Update : quagga on SL6.x i386/x86_64 (20120912)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2012-1259.NASL
    descriptionUpdated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id62081
    published2012-09-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62081
    titleCentOS 6 : quagga (CESA-2012:1259)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201310-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201310-08 (Quagga: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause arbitrary code execution or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id70381
    published2013-10-11
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70381
    titleGLSA-201310-08 : Quagga: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2459.NASL
    descriptionSeveral vulnerabilities have been discovered in Quagga, a routing daemon. - CVE-2012-0249 A buffer overflow in the ospf_ls_upd_list_lsa function in the OSPFv2 implementation allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header. - CVE-2012-0250 A buffer overflow in the OSPFv2 implementation allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field. - CVE-2012-0255 The BGP implementation does not properly use message buffers for OPEN messages, which allows remote attackers impersonating a configured BGP peer to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed AS4 capability. This security update upgrades the quagga package to the most recent upstream release. This release includes other corrections, such as hardening against unknown BGP path attributes.
    last seen2020-03-17
    modified2012-04-27
    plugin id58883
    published2012-04-27
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58883
    titleDebian DSA-2459-2 : quagga - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-5436.NASL
    descriptionfixes CVEs, updates to latest upstream quagga-0.99.20.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-04-23
    plugin id58822
    published2012-04-23
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58822
    titleFedora 15 : quagga-0.99.20.1-1.fc15 (2012-5436)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_QUAGGA-120430.NASL
    descriptionThis update of quagga fixes multiple security flaws that could have caused a Denial of Service via specially crafted packets. (CVE-2012-1820 / CVE-2012-0249 / CVE-2012-0250 / CVE-2012-0255) Additionally, issues with service owned directories in combination with logrotate were fixed.
    last seen2020-06-05
    modified2013-01-25
    plugin id64222
    published2013-01-25
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64222
    titleSuSE 11.1 Security Update : quagga (SAT Patch Number 6241)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_42A2C82A75B911E189B4001EC9578670.NASL
    descriptionCERT reports : The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon aborts due to an assert) with a malformed OSPF LS-Update message. The ospfd implementation of OSPF in Quagga allows a remote attacker (on a local network segment with OSPF enabled) to cause a denial of service (daemon crash) with a malformed OSPF Network- LSA message. The bgpd implementation of BGP in Quagga allows remote attackers to cause a denial of service (daemon aborts due to an assert) via BGP Open message with an invalid AS4 capability.
    last seen2020-06-01
    modified2020-06-02
    plugin id58471
    published2012-03-26
    reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58471
    titleFreeBSD : quagga -- multiple vulnerabilities (42a2c82a-75b9-11e1-89b4-001ec9578670)

Redhat

advisories
rhsa
idRHSA-2012:1259
rpms
  • quagga-0:0.99.15-7.el6_3.2
  • quagga-contrib-0:0.99.15-7.el6_3.2
  • quagga-debuginfo-0:0.99.15-7.el6_3.2
  • quagga-devel-0:0.99.15-7.el6_3.2