So, for the complaints about not getting a heads-up notification for some distros:

Sorry.

We had some mis-communication on the Quagga-Security list on how to get
this released.
I wanted to give all the proper heads-up notifications.

This email is mainly a followup after Paul sent the release announcement
(on the quagga-devel list) with all the details visible in Git.
After this was out, I did not want to hold back the CVE as it was
now publicly visible.

Regards,
   Martin Winter


On 17 Oct 2016, at 22:56, Martin Winter wrote:

> Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
> =============================================================
>
> A buffer overflow exists in the IPv6 (Router Advertisement) code in
> Zebra. The issue can be triggered on an IPv6 address where the Quagga
> daemon is reachable by an RA (Router Advertisement or IPv6 ICMP message).
> The issue leads to a crash of the zebra daemon.
>
> CVE:
> CVE-2016-1245
>
> Document Version:
> 1.0
>
> Posting date:
> Oct 18, 2016
>
> Program Impacted:
> Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery enabled on any
> interface.  Usage of Quagga without running the 'zebra' daemon, or without
> IPv6 neighbor-discovery, is not affected.
>
> Versions affected:
>    - All Versions of Quagga running on Linux
>
> Versions not affected:
>    - All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.
>    - Brocade 5400 vRouter - Not impacted.
>    - Brocade 5600 vRouter - Not impacted.
>    - BigSwitch Big Cloud Fabric code is not affected.
>
> Severity:
> High
>
> Exploitable:
> Remotely.
>
> Description:
> A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
> which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
> messages uses a wrong constant to limit its size.  This does not affect *BSD
> systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but does affect at least all
> Linux-based systems.
>
> For the exploit to work, the Quagga instance needs to be reachable over
> IPv6.  Any interface with IPv6 enabled can trivially allow the 'zebra'
> daemon to be crashed (Denial-of-Service) via a buffer overflow.  The issue
> can be avoided by having the IPv6 Neighbor Discovery turned off (see
> workaround), which is the default state.
>
> Note: the neighbor discovery needs to be turned off on _ALL_ interfaces for
> this workaround to apply (not just the connected or active interfaces).
>
> The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
> run the 'zebra' daemon (e.g. only running 'bgpd') are not affected.
>
> On Linux distributions which compile Quagga with GCC -fstack-protector, the
> impact may be limited to a DoS, as the GCC inserted stack-check function
> epilogue should detect the overflow and safely abort the process if the bug
> is exploited.  Otherwise, the bug may allow arbitrary code execution by a
> remote attacker.
>
> Quagga supports running as a non-root user and with lowered privileges,
> using capabilities on Linux, and this is highly encouraged.  On Linux
> distributions which configure Quagga to run this way, any exploit code will
> be limited to a non-root environment, with 0 effective capabilities. The
> acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
> CAP_SYS_ADMIN.
>
> CVSS v3 Base Score: 9.3
>
> CVSS Equation:
> For more information on the Common Vulnerability Scoring System and to
> obtain your specific environmental score please visit:
> https://nvd.nist.gov/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:F/RL:X/RC:C
>
> Workarounds:
> Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd
> suppress-ra" configured under all interfaces).  Make sure to have it
> disabled on ALL interfaces.
>
> Active exploits:
> None known in the public at this time. Internal Proof-of-Concept code
> exists.
>
> Fixed Versions:
> TBD
>
> Solution:
> Upgrade to Quagga 1.0.20161017 or upgrade to latest GIT Master version or
> apply patches located at the URL below to your source code.
>
> Quagga can be downloaded from the following location:
> http://www.nongnu.org/quagga/ or https://github.com/Quagga/quagga
>
> Patch (Commit) for security fix is at
> https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
>
> Document Revision History:
> 1.0  22 September 2016 - Initial (internal) draft
> 1.1  18 October 2016   - CVE release version
>
> Acknowledgments:
> The issue was uncovered by David Lamparter at OpenSourceRouting.org
>
> References:
> * Do you have Questions? Questions regarding this advisory should go to
> secur...@quagga.net or secur...@opensourcerouting.org

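The advisory's workaround is to configure "ipv6 nd suppress-ra" under every interface, not just the active ones. The following checker is an added example and is not part of the advisory or of the Quagga project; it audits a zebra running-config for that condition. It assumes the Quagga CLI convention that an interface stanza shows "no ipv6 nd suppress-ra" when router advertisements are enabled and "ipv6 nd suppress-ra" when they are suppressed, and the sample config is constructed for illustration.

```python
"""Audit a Quagga zebra running-config for the CVE-2016-1245 workaround.

Added example, not Quagga project code. Assumption: the config follows the
Quagga CLI convention, where an interface stanza shows "no ipv6 nd suppress-ra"
when router advertisements are enabled and "ipv6 nd suppress-ra" when they are
suppressed (the default).
"""
import re

# Constructed sample running-config for illustration (not from a real router).
SAMPLE_CONFIG = """\
!
hostname zebra
!
interface lo
!
interface eth0
 ipv6 address 2001:db8:1::1/64
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8:1::/64
!
interface eth1
 ipv6 address 2001:db8:2::1/64
 ipv6 nd suppress-ra
!
interface eth2
 ip address 192.0.2.1/24
!
line vty
!
"""

STANZA_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_interfaces(config_text):
    """Return {ifname: [stripped config lines]} for every interface stanza."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
            continue
        if line.startswith("!") or not line.strip():
            current = None  # a '!' separator or blank line closes the stanza
            continue
        if current is not None:
            stanzas[current].append(line.strip())
    return stanzas


def audit_ra(config_text):
    """Classify interfaces by router-advertisement state.

    'ra_enabled' lists interfaces that explicitly turn advertisements on and so
    expose the vulnerable receive path. 'missing_explicit_suppress' lists
    interfaces relying on the default, with no explicit 'ipv6 nd suppress-ra'
    line; the advisory asks for that line under ALL interfaces.
    """
    ra_enabled, missing = [], []
    for ifname, lines in parse_interfaces(config_text).items():
        if "no ipv6 nd suppress-ra" in lines:
            ra_enabled.append(ifname)
        elif "ipv6 nd suppress-ra" not in lines:
            missing.append(ifname)
    return {"ra_enabled": sorted(ra_enabled),
            "missing_explicit_suppress": sorted(missing)}


def workaround_applied(config_text):
    """True only when no interface enables RA and every stanza has the explicit line."""
    result = audit_ra(config_text)
    return not result["ra_enabled"] and not result["missing_explicit_suppress"]


if __name__ == "__main__":
    report = audit_ra(SAMPLE_CONFIG)
    print("RA enabled on:", report["ra_enabled"])
    print("No explicit suppress-ra on:", report["missing_explicit_suppress"])
    print("Workaround fully applied:", workaround_applied(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` from the zebra vty (or the on-disk zebra.conf) and treat any entry in "ra_enabled" as an exposed interface; entries in "missing_explicit_suppress" are the stanzas the advisory still wants the line added to, even though the default already suppresses RA there.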
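The advisory says that a privilege-dropped zebra limits an exploit to a non-root environment with 0 effective capabilities and at most CAP_NET_ADMIN, CAP_NET_RAW and CAP_SYS_ADMIN acquirable, and that a -fstack-protector build should turn code execution into a crash. This added example (not from the advisory or the Quagga project) checks both from the text of /proc/<pid>/status and from `nm -D` output for the zebra binary; the capability bit numbers are those of linux/capability.h, and both sample inputs are constructed rather than captured from a real host.

```python
"""Assess the blast radius of a running zebra: user, Linux capabilities, and
whether the binary carries GCC stack-protector instrumentation.

Added example, not Quagga project code. Inputs are the text of
/proc/<pid>/status and the output of `nm -D <binary>` (or `readelf -s`); the
samples below are constructed, not captured from a real host.
"""
import re

# Capability bit numbers from linux/capability.h for the caps the advisory names.
CAP_NAMES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}

# The set the advisory says a privilege-dropped zebra can still acquire.
ADVISORY_ACQUIRABLE = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_ADMIN"}

# Constructed /proc/<pid>/status excerpt: non-root, no effective caps,
# permitted = NET_ADMIN | NET_RAW | SYS_ADMIN (bits 12, 13, 21 -> 0x203000).
SAMPLE_STATUS = """\
Name:\tzebra
Uid:\t101\t101\t101\t101
Gid:\t101\t101\t101\t101
CapInh:\t0000000000000000
CapPrm:\t0000000000203000
CapEff:\t0000000000000000
CapBnd:\t0000000000203000
"""

# Constructed `nm -D zebra` excerpt; -fstack-protector code references this symbol.
SAMPLE_NM_OUTPUT = """\
                 U __stack_chk_fail
                 U recvmsg
                 U socket
"""


def decode_caps(mask_hex):
    """Return the names (or cap_N for bits not in CAP_NAMES) set in a hex cap mask."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES.get(bit, "cap_%d" % bit)
            for bit in range(64) if mask & (1 << bit)}


def parse_status(status_text):
    """Extract uids and capability sets from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uids = fields["Uid"].split()
    return {
        "real_uid": int(uids[0]),
        "effective_uid": int(uids[1]),
        "permitted": decode_caps(fields["CapPrm"]),
        "effective": decode_caps(fields["CapEff"]),
        "bounding": decode_caps(fields["CapBnd"]),
    }


def has_stack_protector(nm_text):
    """True when the dynamic symbol table references __stack_chk_fail."""
    return any(re.search(r"\b__stack_chk_fail\b", line)
               for line in nm_text.splitlines())


def assess(status_text, nm_text):
    """Summarise how much a successful exploit of this zebra could do.

    'acquirable_caps' is the permitted set: what the process can raise into
    its effective set without exec. Anything there beyond the advisory's
    three caps widens the blast radius and is reported separately.
    """
    st = parse_status(status_text)
    return {
        "runs_as_root": st["effective_uid"] == 0,
        "effective_caps": sorted(st["effective"]),
        "acquirable_caps": sorted(st["permitted"]),
        "caps_beyond_advisory_set": sorted(st["permitted"] - ADVISORY_ACQUIRABLE),
        "stack_protector": has_stack_protector(nm_text),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_STATUS, SAMPLE_NM_OUTPUT).items():
        print("%-26s %s" % (key + ":", value))
```

On a live host, pass `open("/proc/%d/status" % pid).read()` and the captured `nm -D /usr/sbin/zebra` text (the path is an assumption; use the installed binary). A result with runs_as_root True, a non-empty effective set, or caps beyond the advisory's three means the daemon is not running in the lowered-privilege configuration the advisory recommends.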

_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
