So, for the complaints about not getting a heads-up notification for some Distros:


We had some mis-communication on the Quagga-Security list on how to get
this released.
I wanted to give all the proper heads-up notifications.

This email is mainly a follow-up after Paul sent the release announcement
(on the quagga-devel list) with all the details visible in Git.
After this was out, I did not want to hold back the CVE as it was
now publicly visible.

   Martin Winter

On 17 Oct 2016, at 22:56, Martin Winter wrote:

> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
> =============================================================
> A buffer overflow exists in the IPv6 (Router Advertisement) code in
> Zebra. The issue can be triggered on an IPv6 address where the Quagga
> daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message).
> The issue leads to a crash of the zebra daemon.
> CVE:
> CVE-2016-1245
> Document Version:
> 1.0
> Posting date:
> Oct 18, 2016
> Program Impacted:
> Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery on any
> interface enabled.  Usage of Quagga without running the 'zebra' daemon, or no
> IPv6 neighbor-discovery are not affected.
> Versions affected:
>    - All Versions of Quagga running on Linux
> Versions not affected:
>    - All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not 
> affected.
>    - Brocade 5400 vRouter - Not impacted.
>    - Brocade 5600 vRouter - Not impacted.
>    - BigSwitch Big Cloud Fabric code is not affected.
> Severity:
> High
> Exploitable:
> Remotely.
> Description:
> A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
> which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
> messages uses a wrong constant to limit its size.  This does not affect *BSD
> systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but at least all Linux
> based systems.
> For the exploit to work, the Quagga instance needs to be reachable over
> IPv6.  Any interface with IPv6 enabled can trivially allow the 'zebra'
> daemon to be crashed (Denial-of-Service) via a buffer overflow.  The issue
> can be avoided by having the IPv6 Neighbor Discovery turned off (see
> workaround), which is the default state.
> Note: the neighbor discovery needs to be turned off on _ALL_ interfaces for
> this workaround to apply (not just the connected or active interfaces).
> The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
> run the 'zebra' daemon (e.g.  only running 'bgpd') are not affected.
> On Linux distributions which compile Quagga with GCC -fstack-protector, the
> impact may be limited to a DoS, as the GCC inserted stack-check function
> epilogue should detect the overflow and safely abort the process if the bug
> is exploited.  Otherwise, the bug may allow arbitrary code execution by a
> remote attacker.
> Quagga supports running as a non-root user and with lowered privileges,
> using capabilities on Linux, and this is highly encouraged.  On Linux
> distributions which configure Quagga to run this way, any exploit code will
> be limited to a non-root environment, with 0 effective capabilities. The
> acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
> CVSS v3 Base Score: 9.3
> CVSS Equation:
> For more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> Workarounds:
> Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd
> suppress-ra" configured under all interfaces).  Make sure to have it
> disabled on ALL interfaces.
> Active exploits:
> None known in the public at this time. Internal Proof-of-Concept code
> exists.
> Fixed Versions:
> Solution:
> Upgrade to Quagga 1.0.20161017 or upgrade to latest GIT Master version or
> apply patches located at the URL below to your source code.
> Quagga can be downloaded from the following location:
> or
> Patch (Commit) for security fix is at
> Document Revision History:
> 1.0  22 September 2016 - Initial (internal) draft
> 1.1  18 October 2016   - CVE release version
> Acknowledgments:
> The issue was uncovered by David Lamparter at
> References:
> * Do you have Questions? Questions regarding this advisory should go to
> or
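
The workaround in the advisory only holds when RA is suppressed on every interface. The following script is an added example, not part of the advisory or of Quagga itself: it reads a zebra configuration and lists the interfaces on which zebra will still send (and therefore listen for) Router Advertisements. It assumes the running-config form in which an interface that sends RAs carries the line `no ipv6 nd suppress-ra`, while an explicit `ipv6 nd suppress-ra` or no statement at all means suppressed (the default state the advisory describes); the sample config is constructed.

```python
import re

# Constructed sample zebra.conf (not from the advisory): eth0 still sends
# RAs, eth1 suppresses them explicitly, lo says nothing and uses the default.
SAMPLE_CONFIG = """\
hostname router
!
interface eth0
 ipv6 address 2001:db8::1/64
 no ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
!
interface lo
!
line vty
!
"""

def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for each block.

    Assumption: each block starts with 'interface NAME', continues with
    indented lines, and ends at '!' or at the next top-level keyword.
    """
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):
            current = None          # '!' terminates the current block
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # other top-level keyword closes the block
    return blocks

def ra_enabled_interfaces(config_text):
    """Interfaces where the workaround is NOT applied (RA sending enabled)."""
    return [name for name, lines in parse_interfaces(config_text).items()
            if "no ipv6 nd suppress-ra" in lines]

if __name__ == "__main__":
    for ifname in ra_enabled_interfaces(SAMPLE_CONFIG):
        print(f"{ifname}: RA still enabled; configure 'ipv6 nd suppress-ra'")
```

Feed it the output of `show running-config` from zebra; an empty result means every interface is suppressed, which is what the advisory requires.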
