[quagga-dev 16560] CVE-2017-5495 text

Paul Jakma paul at jakma.org
Tue Jan 24 16:42:21 GMT 2017


Hi,

The text for CVE-2017-5495 submitted to MITRE:

CVE-2017-5495.

  [Suggested description]

  All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded
  memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service
  of Quagga daemons, or even the entire host.

  When Quagga daemons are configured with their telnet CLI enabled, anyone
  who can connect to the TCP ports can trigger this vulnerability, prior to
  authentication.  Most distributions restrict the Quagga telnet interface to
  local access only by default.

  The Quagga telnet interface 'vty' input buffer grows automatically, without
  bound, so long as a newline is not entered.  This allows an attacker to
  cause the Quagga daemon to allocate unbounded memory by sending very long
  strings without a newline.  Eventually the daemon is terminated by the
  system, or the system itself runs out of memory.

  ------------------------------------------

  [VulnerabilityType Other]
  Unlimited buffer growth without authentication

  ------------------------------------------

  [Additional Information]
  Fixed in Quagga 1.1.1

  ------------------------------------------

  [Vendor of Product]
  Quagga Routing Software Suite

  ------------------------------------------

  [Affected Product Code Base]
  Quagga routing daemons via VTY - 0.93 to 1.1.0.

  ------------------------------------------

  [Affected Component]
  VTY interface for all daemons: zebra, ripd, ripngd, ospfd, bgpd,
  ospf6d, isisd, pimd, ldpd. Through the source file lib/vty.c

  ------------------------------------------

  [Attack Type]
  Remote.

  Local, where the telnet interface is configured to listen only to
  localhost, which is the default on distributions such as Debian, CentOS,
  Fedora and RHEL.

  None where the telnet interface has been disabled.

  ------------------------------------------

  [Impact Denial of Service]
  true

  ------------------------------------------

  [Attack Vectors]
  Memory exhaustion by sending large buffers of ASCII data without newlines
  to one or more of TCP ports 2601-2608, 2611, and 2612 (routing daemon
  VTY ports). No authentication is required.

  ------------------------------------------

  [Reference]

  ------------------------------------------

  [Has vendor confirmed or acknowledged the vulnerability?]
  true

  ------------------------------------------

  [Discoverer]
  Quentin Young <qlyoung at cumulusnetworks.com>


regards,
-- 
Paul Jakma | paul at jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
Mountain Dew and doughnuts...  because breakfast is the most important meal
of the day.
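
The advisory above describes a line buffer that keeps growing until a newline arrives. As an added illustration (not Quagga's code and not the 1.1.1 fix), this C line accumulator caps that growth and reports an over-long line so the caller can close the connection; `linebuf`, `linebuf_feed` and the 4096-byte `LINE_MAX_BYTES` are hypothetical names and values chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_MAX_BYTES 4096 /* assumed cap, not a value from the advisory */
enum feed_result { FEED_OK = 0, FEED_TOO_LONG = -1, FEED_NOMEM = -2 };

struct linebuf {
    char *buf;
    size_t len;   /* bytes buffered for the current, unterminated line */
    size_t cap;   /* bytes allocated */
    size_t lines; /* completed lines seen so far */
};

/* Buffer a received chunk. Storage doubles on demand but never past LINE_MAX_BYTES,
 * so a peer that withholds the newline gets FEED_TOO_LONG instead of more memory. */
static enum feed_result linebuf_feed(struct linebuf *lb, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            lb->lines++; /* a real CLI would hand buf[0..len) to its parser */
            lb->len = 0;
            continue;
        }
        if (lb->len >= LINE_MAX_BYTES)
            return FEED_TOO_LONG; /* caller should close the connection */
        if (lb->len == lb->cap) {
            size_t ncap = lb->cap ? lb->cap * 2 : 64;
            if (ncap > LINE_MAX_BYTES)
                ncap = LINE_MAX_BYTES;
            char *nbuf = realloc(lb->buf, ncap);
            if (nbuf == NULL)
                return FEED_NOMEM;
            lb->buf = nbuf;
            lb->cap = ncap;
        }
        lb->buf[lb->len++] = data[i];
    }
    return FEED_OK;
}

int main(void)
{
    struct linebuf lb = {0};
    static char flood[100000]; /* constructed input: no newline anywhere */
    memset(flood, 'A', sizeof flood);
    enum feed_result r = linebuf_feed(&lb, flood, sizeof flood);
    printf("result=%d allocated=%zu\n", (int)r, lb.cap);
    free(lb.buf);
    return r == FEED_TOO_LONG ? 0 : 1;
}
```

Because the limit is enforced before any authentication state is consulted, it bounds the memory an unauthenticated peer can hold per connection.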


