Vulnerabilities > CVE-2012-1820 - Remote Denial Of Service vulnerability in Quagga bgpd 'bgp_capability_orf()' BGP OPEN Message

047910
CVSS 2.9 - LOW
Attack vector
ADJACENT_NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
quagga
nessus

Summary

The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2012-1259.NASL
    descriptionFrom Red Hat Security Advisory 2012:1259 : Updated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id68618
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68618
    titleOracle Linux 6 : quagga (ELSA-2012-1259)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2012:1259 and 
    # Oracle Linux Security Advisory ELSA-2012-1259 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68618);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/30 10:58:17");
    
      script_cve_id("CVE-2011-3323", "CVE-2011-3324", "CVE-2011-3325", "CVE-2011-3326", "CVE-2011-3327", "CVE-2012-0249", "CVE-2012-0250", "CVE-2012-0255", "CVE-2012-1820");
      script_bugtraq_id(42635, 42642, 46942, 46943, 49784, 52531, 53775);
      script_xref(name:"RHSA", value:"2012:1259");
    
      script_name(english:"Oracle Linux 6 : quagga (ELSA-2012-1259)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2012:1259 :
    
    Updated quagga packages that fix multiple security issues are now
    available for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Quagga is a TCP/IP based routing software suite. The Quagga bgpd
    daemon implements the BGP (Border Gateway Protocol) routing protocol.
    The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest
    Path First) routing protocol.
    
    A heap-based buffer overflow flaw was found in the way the bgpd daemon
    processed malformed Extended Communities path attributes. An attacker
    could send a specially crafted BGP message, causing bgpd on a target
    system to crash or, possibly, execute arbitrary code with the
    privileges of the user running bgpd. The UPDATE message would have to
    arrive from an explicitly configured BGP peer, but could have
    originated elsewhere in the BGP network. (CVE-2011-3327)
    
    A stack-based buffer overflow flaw was found in the way the ospf6d
    daemon processed malformed Link State Update packets. An OSPF router
    could use this flaw to crash ospf6d on an adjacent router.
    (CVE-2011-3323)
    
    A flaw was found in the way the ospf6d daemon processed malformed link
    state advertisements. An OSPF neighbor could use this flaw to crash
    ospf6d on a target system. (CVE-2011-3324)
    
    A flaw was found in the way the ospfd daemon processed malformed Hello
    packets. An OSPF neighbor could use this flaw to crash ospfd on a
    target system. (CVE-2011-3325)
    
    A flaw was found in the way the ospfd daemon processed malformed link
    state advertisements. An OSPF router in the autonomous system could
    use this flaw to crash ospfd on a target system. (CVE-2011-3326)
    
    An assertion failure was found in the way the ospfd daemon processed
    certain Link State Update packets. An OSPF router could use this flaw
    to cause ospfd on an adjacent router to abort. (CVE-2012-0249)
    
    A buffer overflow flaw was found in the way the ospfd daemon processed
    certain Link State Update packets. An OSPF router could use this flaw
    to crash ospfd on an adjacent router. (CVE-2012-0250)
    
    Two flaws were found in the way the bgpd daemon processed certain BGP
    OPEN messages. A configured BGP peer could cause bgpd on a target
    system to abort via a specially crafted BGP OPEN message.
    (CVE-2012-0255, CVE-2012-1820)
    
    Red Hat would like to thank CERT-FI for reporting CVE-2011-3327,
    CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and
    the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255,
    and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen
    and Jukka Taimisto of the Codenomicon CROSS project as the original
    reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324,
    CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin
    Winter at OpenSourceRouting.org as the original reporter of
    CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as
    the original reporter of CVE-2012-1820.
    
    Users of quagga should upgrade to these updated packages, which
    contain backported patches to correct these issues. After installing
    the updated packages, the bgpd, ospfd, and ospf6d daemons will be
    restarted automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2012-September/003021.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"quagga-0.99.15-7.el6_3.2")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-contrib-0.99.15-7.el6_3.2")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-devel-0.99.15-7.el6_3.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-contrib / quagga-devel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_QUAGGA-8108.NASL
    descriptionThis update of quagga fixes multiple security flaws that could have caused a Denial of Service via specially crafted packets. (CVE-2012-1820 / CVE-2012-0249 / CVE-2012-0250 / CVE-2012-0255) Additionally, issues with service owned directories in combination with logrotate were fixed.
    last seen2020-06-05
    modified2012-06-07
    plugin id59393
    published2012-06-07
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59393
    titleSuSE 10 Security Update : quagga (ZYPP Patch Number 8108)
  • NASL familyMisc.
    NASL idQUAGGA_0_99_21.NASL
    descriptionAccording to its self-reported version number, the installation of Quagga
    last seen2020-06-01
    modified2020-06-02
    plugin id59792
    published2012-06-29
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59792
    titleQuagga < 0.99.21 BGP Denial of Service Vulnerability
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-9116.NASL
    descriptionUpdate to the 0.99.21 which fixes various issues. In addition, this update fixes following CVE : CVE-2012-1820: quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-06-20
    plugin id59578
    published2012-06-20
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59578
    titleFedora 16 : quagga-0.99.21-2.fc16 (2012-9116)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_QUAGGA_20120821.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF. (CVE-2012-0248) - Buffer overflow in the ospf_ls_upd_list_lsa function in ospf_packet.c in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header. (CVE-2012-0249) - Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field. (CVE-2012-0250) - The BGP implementation in bgpd in Quagga before 0.99.20.1 does not properly use message buffers for OPEN messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed Four-octet AS Number Capability (aka AS4 capability). (CVE-2012-0255) - The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message. (CVE-2012-1820)
    last seen2020-06-01
    modified2020-06-02
    plugin id80752
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80752
    titleOracle Solaris Third-Party Patch Update : quagga (cve_2012_1820_denial_of)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-1259.NASL
    descriptionUpdated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id62070
    published2012-09-13
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62070
    titleRHEL 6 : quagga (RHSA-2012:1259)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-9117.NASL
    descriptionThis update fixes CVE-2012-1820. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-06-20
    plugin id59579
    published2012-06-20
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59579
    titleFedora 15 : quagga-0.99.20.1-2.fc15 (2012-9117)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2012-9103.NASL
    descriptionUpdate to the 0.99.21 which fixes various issues. In addition, this update fixes following CVE : CVE-2012-1820: quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2012-06-20
    plugin id59577
    published2012-06-20
    reporterThis script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59577
    titleFedora 17 : quagga-0.99.21-2.fc17 (2012-9103)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2497.NASL
    descriptionIt was discovered that Quagga, a routing daemon, contains a vulnerability in processing the ORF capability in BGP OPEN messages. A malformed OPEN message from a previously configured BGP peer could cause bgpd to crash, causing a denial of service.
    last seen2020-03-17
    modified2012-06-29
    plugin id59775
    published2012-06-29
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59775
    titleDebian DSA-2497-1 : quagga - denial of service
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2012-90.NASL
    descriptionThe bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
    last seen2020-06-01
    modified2020-06-02
    plugin id69697
    published2013-09-04
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/69697
    titleAmazon Linux AMI : quagga (ALAS-2012-90)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1605-1.NASL
    descriptionIt was discovered that Quagga incorrectly handled certain malformed messages. A remote attacker could use this flaw to cause Quagga to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id62512
    published2012-10-12
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62512
    titleUbuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : quagga vulnerability (USN-1605-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20120912_QUAGGA_ON_SL6_X.NASL
    descriptionA heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) We would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-03-18
    modified2012-09-14
    plugin id62095
    published2012-09-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62095
    titleScientific Linux Security Update : quagga on SL6.x i386/x86_64 (20120912)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2012-1259.NASL
    descriptionUpdated quagga packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Quagga is a TCP/IP based routing software suite. The Quagga bgpd daemon implements the BGP (Border Gateway Protocol) routing protocol. The Quagga ospfd and ospf6d daemons implement the OSPF (Open Shortest Path First) routing protocol. A heap-based buffer overflow flaw was found in the way the bgpd daemon processed malformed Extended Communities path attributes. An attacker could send a specially crafted BGP message, causing bgpd on a target system to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd. The UPDATE message would have to arrive from an explicitly configured BGP peer, but could have originated elsewhere in the BGP network. (CVE-2011-3327) A stack-based buffer overflow flaw was found in the way the ospf6d daemon processed malformed Link State Update packets. An OSPF router could use this flaw to crash ospf6d on an adjacent router. (CVE-2011-3323) A flaw was found in the way the ospf6d daemon processed malformed link state advertisements. An OSPF neighbor could use this flaw to crash ospf6d on a target system. (CVE-2011-3324) A flaw was found in the way the ospfd daemon processed malformed Hello packets. An OSPF neighbor could use this flaw to crash ospfd on a target system. (CVE-2011-3325) A flaw was found in the way the ospfd daemon processed malformed link state advertisements. An OSPF router in the autonomous system could use this flaw to crash ospfd on a target system. (CVE-2011-3326) An assertion failure was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to cause ospfd on an adjacent router to abort. (CVE-2012-0249) A buffer overflow flaw was found in the way the ospfd daemon processed certain Link State Update packets. An OSPF router could use this flaw to crash ospfd on an adjacent router. (CVE-2012-0250) Two flaws were found in the way the bgpd daemon processed certain BGP OPEN messages. A configured BGP peer could cause bgpd on a target system to abort via a specially crafted BGP OPEN message. (CVE-2012-0255, CVE-2012-1820) Red Hat would like to thank CERT-FI for reporting CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326; and the CERT/CC for reporting CVE-2012-0249, CVE-2012-0250, CVE-2012-0255, and CVE-2012-1820. CERT-FI acknowledges Riku Hietamaki, Tuomo Untinen and Jukka Taimisto of the Codenomicon CROSS project as the original reporters of CVE-2011-3327, CVE-2011-3323, CVE-2011-3324, CVE-2011-3325, and CVE-2011-3326. The CERT/CC acknowledges Martin Winter at OpenSourceRouting.org as the original reporter of CVE-2012-0249, CVE-2012-0250, and CVE-2012-0255, and Denis Ovsienko as the original reporter of CVE-2012-1820. Users of quagga should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the bgpd, ospfd, and ospf6d daemons will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id62081
    published2012-09-14
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/62081
    titleCentOS 6 : quagga (CESA-2012:1259)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201310-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201310-08 (Quagga: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Quagga. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause arbitrary code execution or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id70381
    published2013-10-11
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/70381
    titleGLSA-201310-08 : Quagga: Multiple vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2013-122.NASL
    descriptionUpdated quagga package fixes security vulnerability : The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message (CVE-2012-1820).
    last seen2020-06-01
    modified2020-06-02
    plugin id66134
    published2013-04-20
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/66134
    titleMandriva Linux Security Advisory : quagga (MDVSA-2013:122)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_QUAGGA-120430.NASL
    descriptionThis update of quagga fixes multiple security flaws that could have caused a Denial of Service via specially crafted packets. (CVE-2012-1820 / CVE-2012-0249 / CVE-2012-0250 / CVE-2012-0255) Additionally, issues with service owned directories in combination with logrotate were fixed.
    last seen2020-06-05
    modified2013-01-25
    plugin id64222
    published2013-01-25
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/64222
    titleSuSE 11.1 Security Update : quagga (SAT Patch Number 6241)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_1E14D46FAF1F11E1B24200215AF774F0.NASL
    descriptionCERT reports : If a pre-configured BGP peer sends a specially crafted OPEN message with a malformed ORF capability TLV, Quagga bgpd process will erroneously try to consume extra bytes from the input packet buffer. The process will detect a buffer overrun attempt before it happens and immediately terminate with an error message. All BGP sessions established by the attacked router will be closed and its BGP routing disrupted.
    last seen2020-06-01
    modified2020-06-02
    plugin id59380
    published2012-06-06
    reporterThis script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/59380
    titleFreeBSD : quagga -- BGP OPEN denial of service vulnerability (1e14d46f-af1f-11e1-b242-00215af774f0)

Redhat

advisories
bugzilla
id817580
titleCVE-2012-1820 quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV (VU#962587)
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentquagga is earlier than 0:0.99.15-7.el6_3.2
          ovaloval:com.redhat.rhsa:tst:20121259001
        • commentquagga is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945002
      • AND
        • commentquagga-contrib is earlier than 0:0.99.15-7.el6_3.2
          ovaloval:com.redhat.rhsa:tst:20121259003
        • commentquagga-contrib is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945006
      • AND
        • commentquagga-devel is earlier than 0:0.99.15-7.el6_3.2
          ovaloval:com.redhat.rhsa:tst:20121259005
        • commentquagga-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945004
rhsa
idRHSA-2012:1259
released2012-09-12
severityModerate
titleRHSA-2012:1259: quagga security update (Moderate)
rpms
  • quagga-0:0.99.15-7.el6_3.2
  • quagga-contrib-0:0.99.15-7.el6_3.2
  • quagga-debuginfo-0:0.99.15-7.el6_3.2
  • quagga-devel-0:0.99.15-7.el6_3.2