[quagga-users 14444] Quagga CVE Released: CVE-2016-1245 (Fix in latest 1.0.20161017 release)

Martin Winter mwinter at opensourcerouting.org
Tue Oct 18 06:56:32 BST 2016

Security Advisory: Quagga Buffer Overflow in IPv6 RA handling

A buffer overflow exists in the IPv6 Router Advertisement (RA) code in
Zebra. The issue can be triggered on any IPv6 address where the Quagga
daemon is reachable by an RA (Router Advertisement) or IPv6 ICMP message.
The issue leads to a crash of the zebra daemon.


Document Version:

Posting date:
Oct 18, 2016

Program Impacted:
Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery enabled on any
interface.  Deployments of Quagga that do not run the 'zebra' daemon, or that
have no IPv6 neighbor-discovery enabled, are not affected.

Versions affected:
   - All Versions of Quagga running on Linux

Versions not affected:
   - All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.
   - Brocade 5400 vRouter - Not impacted.
   - Brocade 5600 vRouter - Not impacted.
   - BigSwitch Big Cloud Fabric code is not affected.



A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
messages uses a wrong constant to limit its size.  This does not affect *BSD
systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but it does affect at least
all Linux-based systems.

For the exploit to work, the Quagga instance needs to be reachable over
IPv6.  Any interface with IPv6 enabled can trivially allow the 'zebra'
daemon to be crashed (Denial-of-Service) via a buffer overflow.  The issue
can be avoided by having the IPv6 Neighbor Discovery turned off (see
workaround), which is the default state.

Note: neighbor discovery needs to be turned off on _ALL_ interfaces for
this workaround to apply (not just the connected or active interfaces).

The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
run the 'zebra' daemon (e.g.  only running 'bgpd') are not affected.

On Linux distributions which compile Quagga with GCC -fstack-protector, the
impact may be limited to a DoS, as the GCC-inserted stack-check function
epilogue should detect the overflow and safely abort the process if the bug
is exploited.  Otherwise, the bug may allow arbitrary code execution by a
remote attacker.

Quagga supports running as a non-root user and with lowered privileges,
using capabilities on Linux, and this is highly encouraged.  On Linux
distributions which configure Quagga to run this way, any exploit code will
be limited to a non-root environment, with 0 effective capabilities. The
acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and

CVSS v3 Base Score: 9.3

CVSS Equation:
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:

Workaround:
Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd
suppress-ra" configured under every interface).  Make sure it is disabled on
ALL interfaces, not only the connected or active ones.
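To check that the workaround really covers every interface, the following added script (not part of the advisory or of Quagga itself) parses a zebra.conf and lists the interfaces whose stanza still turns RAs on with "no ipv6 nd suppress-ra". The sample configuration and interface names are constructed for the example; the parser assumes Quagga's usual layout of one-space-indented sub-commands and "!" stanza delimiters.

```python
"""Audit a Quagga zebra.conf for interfaces that still send IPv6 RAs."""
import re

# Constructed sample: eth0 and tun0 advertise, eth1 explicitly suppresses,
# eth2 has no 'ipv6 nd' lines at all (Quagga's default is suppress-ra).
SAMPLE_CONF = """\
hostname zebra
!
interface eth0
 no ipv6 nd suppress-ra
 ipv6 nd ra-interval 30
!
interface eth1
 ipv6 nd suppress-ra
!
interface eth2
 ip address 192.0.2.1/24
!
interface tun0
 no ipv6 nd suppress-ra
!
line vty
!
"""

def parse_interfaces(conf_text):
    """Return {ifname: [sub-command lines]} for every 'interface' stanza.
    A stanza ends at the '!' delimiter or at the next top-level command."""
    stanzas = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # some other top-level command (hostname, line vty, ...)
    return stanzas

def ra_enabled_interfaces(conf_text):
    """Interfaces whose stanza enables RAs via 'no ipv6 nd suppress-ra'.
    The last matching line wins, mirroring how the CLI applies commands in order."""
    enabled = []
    for ifname, lines in parse_interfaces(conf_text).items():
        sending = False  # Quagga default: RAs suppressed
        for cmd in lines:
            if cmd == "no ipv6 nd suppress-ra":
                sending = True
            elif cmd == "ipv6 nd suppress-ra":
                sending = False
        if sending:
            enabled.append(ifname)
    return enabled

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    bad = ra_enabled_interfaces(text)
    print("RA still enabled on:", bad or "none (workaround applied everywhere)")
```

Run it as `python audit_ra.py /etc/quagga/zebra.conf`; an empty result means no interface stanza in that file enables RAs, which is the condition the advisory's workaround requires.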

Active exploits:
None known in the public at this time. Internal Proof-of-Concept code

Fixed Versions:

Upgrade to Quagga 1.0.20161017 or upgrade to latest GIT Master version or
apply patches located at the URL below to your source code.

Quagga can be downloaded from the following location:
http://www.nongnu.org/quagga/ or https://github.com/Quagga/quagga

Patch (Commit) for security fix is at

Document Revision History:
1.0  22 September 2016 - Initial (internal) draft
1.1  18 October 2016   - CVE release version

The issue was uncovered by David Lamparter at OpenSourceRouting.org

* Do you have Questions? Questions regarding this advisory should go to
security at quagga.net or security at opensourcerouting.org