vulnerability announce CVE-2012-1820

Quagga: denial of service via ORF

Synthesis of the vulnerability

A malicious peer can send a BGP OPEN message with a malformed ORF capability, in order to generate a denial of service in Quagga.
Impacted products: Debian, Fedora, MBS, Solaris, Quagga, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Creation date: 04/06/2012.
Identifiers: BID-53775, CVE-2012-1820, DSA-2497-1, FEDORA-2012-9103, FEDORA-2012-9116, FEDORA-2012-9117, MDVSA-2013:122, RHSA-2012:1259-01, SUSE-SU-2012:0706-1, VIGILANCE-VUL-11672, VU#962587.

Description of the vulnerability

The BGP ORF (Outbound Route Filtering, RFC 5291) feature can be used to send to a peer a list of filters to apply on routes, in order to block them upstream.

The BGP OPEN message is used when the session with a peer is initialized. This message can contain capabilities indicating supported features (RFC 5492).

The capability 3 indicates that ORF is supported, and contains one AFI/SAFI (Address Family Identifier, Subsequent Address Family Identifier) block.

However, when the BGP OPEN message has an ORF capability with several blocks, the bgp_capability_orf_entry() function does not correctly process the size of data. The Quagga daemon then tries to read at an invalid memory address.

A malicious peer can therefore send a BGP OPEN message with a malformed ORF capability, in order to generate a denial of service in Quagga.
Complete Vigil@nce bulletin.... (free access)

Share this bulletin

          

Computer vulnerabilities tracking service

Vigil@nce provides system vulnerability analysis. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.