Vulnerabilities > CVE-2017-5495 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Quagga

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
quagga
CWE-119
nessus

Summary

All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this vulnerability, prior to authentication. Most distributions restrict the Quagga telnet interface to local access only by default. The Quagga telnet interface 'vty' input buffer grows automatically, without bound, so long as a newline is not entered. This allows an attacker to cause the Quagga daemon to allocate unbounded memory by sending very long strings without a newline. Eventually the daemon is terminated by the system, or the system itself runs out of memory. This is fixed in Quagga 1.1.1 and Free Range Routing (FRR) Protocol Suite 2017-01-10.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-BA9C6A3634.NASL
    descriptionFix for CVE-2017-5495 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-28
    plugin id97429
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97429
    titleFedora 24 : quagga (2017-ba9c6a3634)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ba9c6a3634.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97429);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5495");
      script_xref(name:"FEDORA", value:"2017-ba9c6a3634");
    
      script_name(english:"Fedora 24 : quagga (2017-ba9c6a3634)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix for CVE-2017-5495
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ba9c6a3634"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:quagga");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"quagga-0.99.24.1-5.fc24")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1065.NASL
    descriptionAccording to the versions of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.(CVE-2018-5379) - All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet
    last seen2020-05-06
    modified2018-03-20
    plugin id108469
    published2018-03-20
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108469
    titleEulerOS 2.0 SP2 : quagga (EulerOS-SA-2018-1065)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108469);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-5495",
        "CVE-2018-5379"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : quagga (EulerOS-SA-2018-1065)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the quagga package installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - A double-free vulnerability was found in Quagga. A BGP
        peer could send a specially crafted UPDATE message
        which would cause allocated blocks of memory to be
        free()d more than once, potentially leading to a crash
        or other issues.(CVE-2018-5379)
    
      - All versions of Quagga, 0.93 through 1.1.0, are
        vulnerable to an unbounded memory allocation in the
        telnet 'vty' CLI, leading to a Denial-of-Service of
        Quagga daemons, or even the entire host. When Quagga
        daemons are configured with their telnet CLI enabled,
        anyone who can connect to the TCP ports can trigger
        this vulnerability, prior to authentication. Most
        distributions restrict the Quagga telnet interface to
        local access only by default. The Quagga telnet
        interface 'vty' input buffer grows automatically,
        without bound, so long as a newline is not entered.
        This allows an attacker to cause the Quagga daemon to
        allocate unbounded memory by sending very long strings
        without a newline. Eventually the daemon is terminated
        by the system, or the system itself runs out of
        memory.(CVE-2017-5495)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1065
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?272ffeba");
      script_set_attribute(attribute:"solution", value:
    "Update the affected quagga packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:quagga");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["quagga-0.99.22.4-5.h2"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-547.NASL
    descriptionThis update for quagga fixes the following issues : This security issue was fixed : - CVE-2017-5495: Quagga was vulnerable to an unbounded memory allocation in the telnet
    last seen2020-06-05
    modified2017-05-09
    plugin id100035
    published2017-05-09
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100035
    titleopenSUSE Security Update : quagga (openSUSE-2017-547)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-547.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100035);
      script_version("3.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5495");
    
      script_name(english:"openSUSE Security Update : quagga (openSUSE-2017-547)");
      script_summary(english:"Check for the openSUSE-2017-547 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for quagga fixes the following issues :
    
    This security issue was fixed :
    
      - CVE-2017-5495: Quagga was vulnerable to an unbounded
        memory allocation in the telnet 'vty' CLI, leading to a
        Denial-of-Service of Quagga daemons, or even the entire
        host. When Quagga daemons are configured with their
        telnet CLI enabled, anyone who can connect to the TCP
        ports can trigger this vulnerability, prior to
        authentication (bsc#1021669).
    
    These non-security issues were fixed :
    
      - Disabled passwords in default zebra.conf config file,
        causing to disable vty telnet interface by default. The
        vty interface is available via 'vtysh' utility using pam
        authentication to permit management access for root
        without password (boo#1021669).
    
      - Changed owner of /etc/quagga to quagga:quagga to permit
        to manage quagga via vty interface.
    
      - Added quagga.log and create and su statemets to
        logrotate config, changed default zebra log file name
        from quagga.log to zebra.log."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021669"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"quagga-0.99.24.1-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"quagga-debuginfo-0.99.24.1-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"quagga-debugsource-0.99.24.1-17.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"quagga-devel-0.99.24.1-17.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-debuginfo / quagga-debugsource / quagga-devel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0455-1.NASL
    descriptionThis update for quagga fixes the following security issues : - The Quagga BGP daemon contained a bug in the AS_PATH size calculation that could have been exploited to facilitate a remote denial-of-service attack via specially crafted BGP UPDATE messages. [CVE-2017-16227, bsc#1065641] - The Quagga BGP daemon did not check whether data sent to peers via NOTIFY had an invalid attribute length. It was possible to exploit this issue and cause the bgpd process to leak sensitive information over the network to a configured peer. [CVE-2018-5378, bsc#1079798] - The Quagga BGP daemon used to double-free memory when processing certain forms of UPDATE messages. This issue could be exploited by sending an optional/transitive UPDATE attribute that all conforming eBGP speakers should pass along. Consequently, a single UPDATE message could have affected many bgpd processes across a wide area of a network. Through this vulnerability, attackers could potentially have taken over control of affected bgpd processes remotely. [CVE-2018-5379, bsc#1079799] - It was possible to overrun internal BGP code-to-string conversion tables in the Quagga BGP daemon. Configured peers could have exploited this issue and cause bgpd to emit debug and warning messages into the logs that would contained arbitrary bytes. [CVE-2018-5380, bsc#1079800] - The Quagga BGP daemon could have entered an infinite loop if sent an invalid OPEN message by a configured peer. If this issue was exploited, then bgpd would cease to respond to any other events. BGP sessions would have been dropped and not be reestablished. The CLI interface would have been unresponsive. The bgpd daemon would have stayed in this state until restarted. [CVE-2018-5381, bsc#1079801] - The Quagga daemon
    last seen2020-06-01
    modified2020-06-02
    plugin id106866
    published2018-02-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106866
    titleSUSE SLES12 Security Update : quagga (SUSE-SU-2018:0455-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:0455-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106866);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/10 13:51:46");
    
      script_cve_id("CVE-2017-16227", "CVE-2017-5495", "CVE-2018-5378", "CVE-2018-5379", "CVE-2018-5380", "CVE-2018-5381");
    
      script_name(english:"SUSE SLES12 Security Update : quagga (SUSE-SU-2018:0455-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for quagga fixes the following security issues :
    
      - The Quagga BGP daemon contained a bug in the AS_PATH
        size calculation that could have been exploited to
        facilitate a remote denial-of-service attack via
        specially crafted BGP UPDATE messages. [CVE-2017-16227,
        bsc#1065641]
    
      - The Quagga BGP daemon did not check whether data sent to
        peers via NOTIFY had an invalid attribute length. It was
        possible to exploit this issue and cause the bgpd
        process to leak sensitive information over the network
        to a configured peer. [CVE-2018-5378, bsc#1079798]
    
      - The Quagga BGP daemon used to double-free memory when
        processing certain forms of UPDATE messages. This issue
        could be exploited by sending an optional/transitive
        UPDATE attribute that all conforming eBGP speakers
        should pass along. Consequently, a single UPDATE message
        could have affected many bgpd processes across a wide
        area of a network. Through this vulnerability, attackers
        could potentially have taken over control of affected
        bgpd processes remotely. [CVE-2018-5379, bsc#1079799]
    
      - It was possible to overrun internal BGP code-to-string
        conversion tables in the Quagga BGP daemon. Configured
        peers could have exploited this issue and cause bgpd to
        emit debug and warning messages into the logs that would
        contained arbitrary bytes. [CVE-2018-5380, bsc#1079800]
    
      - The Quagga BGP daemon could have entered an infinite
        loop if sent an invalid OPEN message by a configured
        peer. If this issue was exploited, then bgpd would cease
        to respond to any other events. BGP sessions would have
        been dropped and not be reestablished. The CLI interface
        would have been unresponsive. The bgpd daemon would have
        stayed in this state until restarted. [CVE-2018-5381,
        bsc#1079801]
    
      - The Quagga daemon's telnet 'vty' CLI contains an
        unbounded memory allocation bug that could be exploited
        for a denial-of-service attack on the daemon. This issue
        has been fixed. [CVE-2017-5495, bsc#1021669]
    
      - The telnet 'vty' CLI of the Quagga daemon is no longer
        enabled by default, because the passwords in the default
        'zebra.conf' config file are now disabled. The vty
        interface is available via 'vtysh' utility using pam
        authentication to permit management access for root
        without password. [bsc#1021669]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021669"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1065641"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079798"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079799"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1079801"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-16227/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5495/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5378/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5379/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5380/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-5381/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20180455-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ad61f40b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 6:zypper in -t patch
    SUSE-OpenStack-Cloud-6-2018-315=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-315=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-315=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2018-315=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:quagga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:quagga-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0|1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0/1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"quagga-0.99.22.1-16.4.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"quagga-debuginfo-0.99.22.1-16.4.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"quagga-debugsource-0.99.22.1-16.4.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"quagga-0.99.22.1-16.4.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"quagga-debuginfo-0.99.22.1-16.4.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"quagga-debugsource-0.99.22.1-16.4.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0794.NASL
    descriptionAn update for quagga is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix(es) : * A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245) * A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342) * A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049) * A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495) * A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id97961
    published2017-03-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97961
    titleCentOS 6 : quagga (CESA-2017:0794)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:0794 and 
    # CentOS Errata and Security Advisory 2017:0794 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97961);
      script_version("3.6");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2013-2236", "CVE-2016-1245", "CVE-2016-2342", "CVE-2016-4049", "CVE-2017-5495");
      script_xref(name:"RHSA", value:"2017:0794");
    
      script_name(english:"CentOS 6 : quagga (CESA-2017:0794)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for quagga is now available for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The quagga packages contain Quagga, the free network-routing software
    suite that manages TCP/IP based protocols. Quagga supports the BGP4,
    BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is
    intended to be used as a Route Server and Route Reflector.
    
    Security Fix(es) :
    
    * A stack-based buffer overflow flaw was found in the way Quagga
    handled IPv6 router advertisement messages. A remote attacker could
    use this flaw to crash the zebra daemon resulting in denial of
    service. (CVE-2016-1245)
    
    * A stack-based buffer overflow flaw was found in the way the Quagga
    BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A
    remote attacker could use this flaw to crash the bgpd daemon resulting
    in denial of service. (CVE-2016-2342)
    
    * A denial of service flaw was found in the Quagga BGP routing daemon
    (bgpd). Under certain circumstances, a remote attacker could send a
    crafted packet to crash the bgpd daemon resulting in denial of
    service. (CVE-2016-4049)
    
    * A denial of service flaw affecting various daemons in Quagga was
    found. A remote attacker could use this flaw to cause the various
    Quagga daemons, which expose their telnet interface, to crash.
    (CVE-2017-5495)
    
    * A stack-based buffer overflow flaw was found in the way the Quagga
    OSPFD daemon handled LSA (link-state advertisement) packets. A remote
    attacker could use this flaw to crash the ospfd daemon resulting in
    denial of service. (CVE-2013-2236)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9
    Technical Notes linked from the References section."
      );
      # https://lists.centos.org/pipermail/centos-cr-announce/2017-March/003917.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?06a1a5d3"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5495");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:quagga-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"quagga-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"quagga-contrib-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"quagga-devel-0.99.15-14.el6")) flag++;
    
    
    if (flag)
    {
      cr_plugin_caveat = '\n' +
        'NOTE: The security advisory associated with this vulnerability has a\n' +
        'fixed package version that may only be available in the continuous\n' +
        'release (CR) repository for CentOS, until it is present in the next\n' +
        'point release of CentOS.\n\n' +
    
        'If an equal or higher package level does not exist in the baseline\n' +
        'repository for your major version of CentOS, then updates from the CR\n' +
        'repository will need to be applied in order to address the\n' +
        'vulnerability.\n';
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get() + cr_plugin_caveat
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-contrib / quagga-devel");
    }
    
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0101_QUAGGA.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has quagga packages installed that are affected by multiple vulnerabilities: - A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495) - A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245) - A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049) - A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342) - A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127329
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127329
    titleNewStart CGSL MAIN 4.05 : quagga Multiple Vulnerabilities (NS-SA-2019-0101)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from ZTE advisory NS-SA-2019-0101. The text
    # itself is copyright (C) ZTE, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127329);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/17 14:31:04");
    
      script_cve_id(
        "CVE-2013-2236",
        "CVE-2016-1245",
        "CVE-2016-2342",
        "CVE-2016-4049",
        "CVE-2017-5495"
      );
    
      script_name(english:"NewStart CGSL MAIN 4.05 : quagga Multiple Vulnerabilities (NS-SA-2019-0101)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote machine is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote NewStart CGSL host, running version MAIN 4.05, has quagga packages installed that are affected by multiple
    vulnerabilities:
    
      - A denial of service flaw affecting various daemons in
        Quagga was found. A remote attacker could use this flaw
        to cause the various Quagga daemons, which expose their
        telnet interface, to crash. (CVE-2017-5495)
    
      - A stack-based buffer overflow flaw was found in the way
        Quagga handled IPv6 router advertisement messages. A
        remote attacker could use this flaw to crash the zebra
        daemon resulting in denial of service. (CVE-2016-1245)
    
      - A denial of service flaw was found in the Quagga BGP
        routing daemon (bgpd). Under certain circumstances, a
        remote attacker could send a crafted packet to crash the
        bgpd daemon resulting in denial of service.
        (CVE-2016-4049)
    
      - A stack-based buffer overflow flaw was found in the way
        the Quagga BGP routing daemon (bgpd) handled Labeled-VPN
        SAFI routes data. A remote attacker could use this flaw
        to crash the bgpd daemon resulting in denial of service.
        (CVE-2016-2342)
    
      - A stack-based buffer overflow flaw was found in the way
        the Quagga OSPFD daemon handled LSA (link-state
        advertisement) packets. A remote attacker could use this
        flaw to crash the ospfd daemon resulting in denial of
        service. (CVE-2013-2236)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0101");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the vulnerable CGSL quagga packages. Note that updated packages may not be available yet. Please contact ZTE for
    more information.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2342");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"NewStart CGSL Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/ZTE-CGSL/release");
    if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
    
    if (release !~ "CGSL MAIN 4.05")
      audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
    
    if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
    
    flag = 0;
    
    pkgs = {
      "CGSL MAIN 4.05": [
        "quagga-0.99.15-14.el6"
      ]
    };
    pkg_list = pkgs[release];
    
    foreach (pkg in pkg_list)
      if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1058.NASL
    descriptionAccording to the version of the quagga package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash.(CVE-2017-5495) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-05-01
    plugin id99903
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99903
    titleEulerOS 2.0 SP1 : quagga (EulerOS-SA-2017-1058)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99903);
      script_version("1.11");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2017-5495"
      );
    
      script_name(english:"EulerOS 2.0 SP1 : quagga (EulerOS-SA-2017-1058)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "According to the version of the quagga package installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerability :
    
      - A denial of service flaw affecting various daemons in
        Quagga was found. A remote attacker could use this flaw
        to cause the various Quagga daemons, which expose their
        telnet interface, to crash.(CVE-2017-5495)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1058
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0bbc56a5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected quagga package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:quagga");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["quagga-0.99.22.4-4.h1"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170321_QUAGGA_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245) - A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342) - A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049) - A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495) - A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236)
    last seen2020-03-18
    modified2017-04-06
    plugin id99223
    published2017-04-06
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99223
    titleScientific Linux Security Update : quagga on SL6.x i386/x86_64 (20170321)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99223);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id("CVE-2013-2236", "CVE-2016-1245", "CVE-2016-2342", "CVE-2016-4049", "CVE-2017-5495");
    
      script_name(english:"Scientific Linux Security Update : quagga on SL6.x i386/x86_64 (20170321)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - A stack-based buffer overflow flaw was found in the way
        Quagga handled IPv6 router advertisement messages. A
        remote attacker could use this flaw to crash the zebra
        daemon resulting in denial of service. (CVE-2016-1245)
    
      - A stack-based buffer overflow flaw was found in the way
        the Quagga BGP routing daemon (bgpd) handled Labeled-VPN
        SAFI routes data. A remote attacker could use this flaw
        to crash the bgpd daemon resulting in denial of service.
        (CVE-2016-2342)
    
      - A denial of service flaw was found in the Quagga BGP
        routing daemon (bgpd). Under certain circumstances, a
        remote attacker could send a crafted packet to crash the
        bgpd daemon resulting in denial of service.
        (CVE-2016-4049)
    
      - A denial of service flaw affecting various daemons in
        Quagga was found. A remote attacker could use this flaw
        to cause the various Quagga daemons, which expose their
        telnet interface, to crash. (CVE-2017-5495)
    
      - A stack-based buffer overflow flaw was found in the way
        the Quagga OSPFD daemon handled LSA (link-state
        advertisement) packets. A remote attacker could use this
        flaw to crash the ospfd daemon resulting in denial of
        service. (CVE-2013-2236)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1704&L=scientific-linux-errata&F=&S=&P=2144
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?bde33ae9"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:quagga-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:quagga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL6", reference:"quagga-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"quagga-contrib-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"quagga-debuginfo-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"SL6", reference:"quagga-devel-0.99.15-14.el6")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-contrib / quagga-debuginfo / quagga-devel");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-551.NASL
    descriptionThis update for quagga to version 1.1.1 fixes the following issues : This security issue was fixed : - CVE-2017-5495: Quagga was vulnerable to an unbounded memory allocation in the telnet
    last seen2020-06-05
    modified2017-05-09
    plugin id100037
    published2017-05-09
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/100037
    titleopenSUSE Security Update : quagga (openSUSE-2017-551)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-551.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100037);
      script_version("3.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5495");
    
      script_name(english:"openSUSE Security Update : quagga (openSUSE-2017-551)");
      script_summary(english:"Check for the openSUSE-2017-551 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for quagga to version 1.1.1 fixes the following issues :
    
    This security issue was fixed :
    
      - CVE-2017-5495: Quagga was vulnerable to an unbounded
        memory allocation in the telnet 'vty' CLI, leading to a
        Denial-of-Service of Quagga daemons, or even the entire
        host. When Quagga daemons are configured with their
        telnet CLI enabled, anyone who can connect to the TCP
        ports can trigger this vulnerability, prior to
        authentication (bsc#1021669).
    
    These non-security issues were fixed :
    
      - Disabled passwords in default zebra.conf config file,
        causing to disable vty telnet interface by default. The
        vty interface is available via 'vtysh' utility using pam
        authentication to permit management access for root
        without password (boo#1021669).
    
      - Changed owner of /etc/quagga to quagga:quagga to permit
        to manage quagga via vty interface.
    
      - Added quagga.log and create and su statemets to
        logrotate config, changed default zebra log file name
        from quagga.log to zebra.log.
    
      - Added libfpm_pb0 and libquagga_pb0 shared library
        sub-packages, adjusted libzebra0 sub-package name to
        libzebra1.
    
      - Do not enable zebra's tcp interface (port 2600) to use
        default unix socket for communication between the
        daemons 
    
    A digest of the other changes by the version upgrade :
    
      - isisd: Fix size of malloc
    
      - isisd: check for the existance of the correct list
    
      - ospf6d: fix off-by-one on display of spf reasons
    
      - ospf6d: don't access nexthops out of bounds
    
      - bgpd: fix off-by-one in attribute flags handling
    
      - bgpd: Fix buffer overflow error in bgp_dump_routes_func
    
    Please
    http://mirror.easyname.at/nongnu/quagga/quagga-1.1.1.changelog.txt and
    the changelog for a complete list of changes."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://mirror.easyname.at/nongnu/quagga/quagga-1.1.1.changelog.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021669"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfpm_pb0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libfpm_pb0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libospf0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libospf0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libospfapiclient0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libospfapiclient0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libquagga_pb0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libquagga_pb0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libzebra1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libzebra1-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"libfpm_pb0-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libfpm_pb0-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libospf0-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libospf0-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libospfapiclient0-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libospfapiclient0-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libquagga_pb0-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libquagga_pb0-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libzebra1-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"libzebra1-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"quagga-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"quagga-debuginfo-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"quagga-debugsource-1.1.1-16.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"quagga-devel-1.1.1-16.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libfpm_pb0 / libfpm_pb0-debuginfo / libospf0 / libospf0-debuginfo / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0794.NASL
    descriptionFrom Red Hat Security Advisory 2017:0794 : An update for quagga is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix(es) : * A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245) * A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342) * A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049) * A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495) * A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id99073
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99073
    titleOracle Linux 6 : quagga (ELSA-2017-0794)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2017:0794 and 
    # Oracle Linux Security Advisory ELSA-2017-0794 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99073);
      script_version("3.3");
      script_cvs_date("Date: 2019/09/27 13:00:37");
    
      script_cve_id("CVE-2013-2236", "CVE-2016-1245", "CVE-2016-2342", "CVE-2016-4049", "CVE-2017-5495");
      script_xref(name:"RHSA", value:"2017:0794");
    
      script_name(english:"Oracle Linux 6 : quagga (ELSA-2017-0794)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2017:0794 :
    
    An update for quagga is now available for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The quagga packages contain Quagga, the free network-routing software
    suite that manages TCP/IP based protocols. Quagga supports the BGP4,
    BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is
    intended to be used as a Route Server and Route Reflector.
    
    Security Fix(es) :
    
    * A stack-based buffer overflow flaw was found in the way Quagga
    handled IPv6 router advertisement messages. A remote attacker could
    use this flaw to crash the zebra daemon resulting in denial of
    service. (CVE-2016-1245)
    
    * A stack-based buffer overflow flaw was found in the way the Quagga
    BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A
    remote attacker could use this flaw to crash the bgpd daemon resulting
    in denial of service. (CVE-2016-2342)
    
    * A denial of service flaw was found in the Quagga BGP routing daemon
    (bgpd). Under certain circumstances, a remote attacker could send a
    crafted packet to crash the bgpd daemon resulting in denial of
    service. (CVE-2016-4049)
    
    * A denial of service flaw affecting various daemons in Quagga was
    found. A remote attacker could use this flaw to cause the various
    Quagga daemons, which expose their telnet interface, to crash.
    (CVE-2017-5495)
    
    * A stack-based buffer overflow flaw was found in the way the Quagga
    OSPFD daemon handled LSA (link-state advertisement) packets. A remote
    attacker could use this flaw to crash the ospfd daemon resulting in
    denial of service. (CVE-2013-2236)
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9
    Technical Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2017-March/006802.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected quagga packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-contrib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:quagga-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/10/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/30");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL6", reference:"quagga-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-contrib-0.99.15-14.el6")) flag++;
    if (rpm_check(release:"EL6", reference:"quagga-devel-0.99.15-14.el6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "quagga / quagga-contrib / quagga-devel");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B89A945E9D.NASL
    descriptionFix for CVE-2017-5495 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-15
    plugin id97176
    published2017-02-15
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97176
    titleFedora 25 : quagga (2017-b89a945e9d)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0457-1.NASL
    descriptionThis update for quagga fixes the following issues : - The Quagga BGP daemon contained a bug in the AS_PATH size calculation that could have been exploited to facilitate a remote denial-of-service attack via specially crafted BGP UPDATE messages. [CVE-2017-16227, bsc#1065641] - The Quagga BGP daemon did not check whether data sent to peers via NOTIFY had an invalid attribute length. It was possible to exploit this issue and cause the bgpd process to leak sensitive information over the network to a configured peer. [CVE-2018-5378, bsc#1079798] - The Quagga BGP daemon used to double-free memory when processing certain forms of UPDATE messages. This issue could be exploited by sending an optional/transitive UPDATE attribute that all conforming eBGP speakers should pass along. Consequently, a single UPDATE message could have affected many bgpd processes across a wide area of a network. Through this vulnerability, attackers could potentially have taken over control of affected bgpd processes remotely. [CVE-2018-5379, bsc#1079799] - It was possible to overrun internal BGP code-to-string conversion tables in the Quagga BGP daemon. Configured peers could have exploited this issue and cause bgpd to emit debug and warning messages into the logs that would contained arbitrary bytes. [CVE-2018-5380, bsc#1079800] - The Quagga BGP daemon could have entered an infinite loop if sent an invalid OPEN message by a configured peer. If this issue was exploited, then bgpd would cease to respond to any other events. BGP sessions would have been dropped and not be reestablished. The CLI interface would have been unresponsive. The bgpd daemon would have stayed in this state until restarted. [CVE-2018-5381, bsc#1079801] - The Quagga daemon
    last seen2020-06-01
    modified2020-06-02
    plugin id106868
    published2018-02-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106868
    titleSUSE SLES11 Security Update : quagga (SUSE-SU-2018:0457-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0794.NASL
    descriptionAn update for quagga is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The quagga packages contain Quagga, the free network-routing software suite that manages TCP/IP based protocols. Quagga supports the BGP4, BGP4+, OSPFv2, OSPFv3, RIPv1, RIPv2, and RIPng protocols, and is intended to be used as a Route Server and Route Reflector. Security Fix(es) : * A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service. (CVE-2016-1245) * A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service. (CVE-2016-2342) * A denial of service flaw was found in the Quagga BGP routing daemon (bgpd). Under certain circumstances, a remote attacker could send a crafted packet to crash the bgpd daemon resulting in denial of service. (CVE-2016-4049) * A denial of service flaw affecting various daemons in Quagga was found. A remote attacker could use this flaw to cause the various Quagga daemons, which expose their telnet interface, to crash. (CVE-2017-5495) * A stack-based buffer overflow flaw was found in the way the Quagga OSPFD daemon handled LSA (link-state advertisement) packets. A remote attacker could use this flaw to crash the ospfd daemon resulting in denial of service. (CVE-2013-2236) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id97885
    published2017-03-22
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97885
    titleRHEL 6 : quagga (RHSA-2017:0794)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2294-1.NASL
    descriptionThis update provides Quagga 1.1.1, which brings several fixes and enhancements. Security issues fixed : - CVE-2017-5495: Telnet
    last seen2020-06-01
    modified2020-06-02
    plugin id102841
    published2017-08-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102841
    titleSUSE SLES12 Security Update : quagga (SUSE-SU-2017:2294-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3471-1.NASL
    descriptionAndreas Jaggi discovered that Quagga incorrectly handled certain BGP UPDATE messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service. (CVE-2017-16227) Quentin Young discovered that Quagga incorrectly handled memory in the telnet vty CLI. An attacker able to connect to the telnet interface could possibly use this issue to cause Quagga to consume memory, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-5495). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104323
    published2017-11-01
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104323
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : quagga vulnerabilities (USN-3471-1)

Redhat

advisories
bugzilla
id1416013
titleCVE-2017-5495 quagga: Telnet interface input buffer allocates unbounded amounts of memory
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentquagga-contrib is earlier than 0:0.99.15-14.el6
          ovaloval:com.redhat.rhsa:tst:20170794001
        • commentquagga-contrib is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945006
      • AND
        • commentquagga-devel is earlier than 0:0.99.15-14.el6
          ovaloval:com.redhat.rhsa:tst:20170794003
        • commentquagga-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945004
      • AND
        • commentquagga is earlier than 0:0.99.15-14.el6
          ovaloval:com.redhat.rhsa:tst:20170794005
        • commentquagga is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100945002
rhsa
idRHSA-2017:0794
released2017-03-21
severityModerate
titleRHSA-2017:0794: quagga security and bug fix update (Moderate)
rpms
  • quagga-0:0.99.15-14.el6
  • quagga-contrib-0:0.99.15-14.el6
  • quagga-debuginfo-0:0.99.15-14.el6
  • quagga-devel-0:0.99.15-14.el6