Date: Wed, 27 Apr 2016 18:34:09 +0300
From: Evgeny Uskov <eu@...tor.net>
To: oss-security@...ts.openwall.com
Cc: noc@...tor.net
Subject: CVE-2016-4049: Denial of Service Vulnerability in Quagga BGP Routing Daemon (bgpd)

Hello,

About 3 months ago we found the following vulnerability in the BGP daemon from the Quagga routing software (bgpd): if the following conditions are satisfied:

- regular dumping is enabled
- the bgpd instance has many BGP peers

then BGP message packets that are big enough cause bgpd to crash.

The situation in which the conditions above are satisfied is quite common. Moreover, it is easy to craft a packet which is much "bigger" than a typical packet, and hence such a crafted packet is much more likely to cause the crash.

The reason for this behavior is as follows. The function bgp_dump_routes_func in bgpd/bgp_dump.c does not perform any size checks when writing data to bgp_dump_obuf. For each bgp_node table record it tries to dump all data to the bgp_dump_obuf stream, which is of limited size. If there is no free space in this stream, the assertion fails and bgpd crashes.

The problem seems to be quite serious, since it may occur if bgpd has many BGP peers announcing the same prefix (e.g. if bgpd is used as a BGP route reflector, on Internet Exchanges, etc.) and regular dumping is enabled. In our case "many" was equal to 20.

The easiest way to reproduce the problem:

1) add 150 BGP neighbors announcing the same prefix
2) enter the "dump bgp routes-mrt bview.dat" command in the telnet console.

The easiest way to eliminate the problem is to create multiple MRT records if there is too much data for a prefix. Please see the attached file dump_fix.patch implementing such a solution.

We contacted the Quagga developers and sent them patches for this vulnerability. They responded that they are going to apply these patches in the next patching round:

- https://lists.quagga.net/pipermail/quagga-dev/2016-January/014699.html
- https://lists.quagga.net/pipermail/quagga-dev/2016-February/014743.html

However, the vulnerability is still not patched and it is unclear how long to wait.

This issue has been assigned the name CVE-2016-4049.

-- 
| Evgeny Uskov | HLL l QRATOR
| mob.: +7 916 319 33 20
| skype: evgeny_uskov
| mailto: eu@...tor.net
| visit: www.qrator.net

View attachment "dump_fix.patch" of type "text/x-patch" (6413 bytes)
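The failure mode described in the message (all RIB entries for one prefix packed into a single fixed-size output stream, with no check that they fit) and the proposed fix (start a new MRT record when the next entry does not fit) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not Quagga code and not the attached dump_fix.patch. The 256-byte buffer, the 20-byte attribute payload, the 192.0.2.0/24 prefix and the function names are assumptions chosen to make the overflow reproducible on paper: with these sizes a record holds 8 entries, so 20 peers announcing the same prefix overflow the single-record writer but produce 3 records with the splitting writer.

```c
/* Model of the CVE-2016-4049 shape: constructed example, not Quagga code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define OBUF_SIZE   256              /* assumption: small stand-in for bgp_dump_obuf */
#define MRT_HDR_LEN 12               /* MRT common header: timestamp, type, subtype, length */
#define PREFIX_LEN  4                /* assumption: one IPv4 /32-sized prefix field */
#define RIB_HDR_LEN (MRT_HDR_LEN + 4 + 1 + PREFIX_LEN + 2)   /* + seq, plen, prefix, count = 23 */

/* Fixed-capacity output stream; the real stream asserts when written past its end. */
struct stream { uint8_t buf[OBUF_SIZE]; size_t endp; };

static void   stream_reset(struct stream *s) { s->endp = 0; }
static size_t stream_writeable(const struct stream *s) { return OBUF_SIZE - s->endp; }

/* Returns -1 instead of aborting so the overflow can be observed in a test. */
static int stream_put(struct stream *s, const void *p, size_t len) {
    if (len > stream_writeable(s)) return -1;
    memcpy(s->buf + s->endp, p, len);
    s->endp += len;
    return 0;
}
static int stream_putw(struct stream *s, uint16_t v) {
    uint8_t b[2] = { (uint8_t)(v >> 8), (uint8_t)v };
    return stream_put(s, b, 2);
}
static int stream_putl(struct stream *s, uint32_t v) {
    uint8_t b[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16), (uint8_t)(v >> 8), (uint8_t)v };
    return stream_put(s, b, 4);
}

/* One RIB entry for a peer: peer index, originated time, attribute length, attributes. */
struct rib_entry { uint16_t peer_index; uint32_t orig_time; uint16_t attr_len; const uint8_t *attr; };
static size_t rib_entry_len(const struct rib_entry *e) { return 2 + 4 + 2 + e->attr_len; }
static int put_rib_entry(struct stream *s, const struct rib_entry *e) {
    if (stream_putw(s, e->peer_index) < 0 || stream_putl(s, e->orig_time) < 0 ||
        stream_putw(s, e->attr_len) < 0 || stream_put(s, e->attr, e->attr_len) < 0) return -1;
    return 0;
}

/* MRT header placeholder plus per-prefix RIB header; count and length are patched at the end. */
static int put_rib_header(struct stream *s, uint32_t seq, const uint8_t prefix[PREFIX_LEN]) {
    uint8_t zeros[MRT_HDR_LEN] = {0}, plen = PREFIX_LEN * 8;
    if (stream_put(s, zeros, MRT_HDR_LEN) < 0 || stream_putl(s, seq) < 0 ||
        stream_put(s, &plen, 1) < 0 || stream_put(s, prefix, PREFIX_LEN) < 0) return -1;
    return stream_putw(s, 0);
}
static void finish_record(struct stream *s, uint16_t count) {
    size_t coff = MRT_HDR_LEN + 4 + 1 + PREFIX_LEN;
    uint32_t len = (uint32_t)(s->endp - MRT_HDR_LEN);
    s->buf[coff] = (uint8_t)(count >> 8); s->buf[coff + 1] = (uint8_t)count;
    s->buf[8] = (uint8_t)(len >> 24); s->buf[9] = (uint8_t)(len >> 16);
    s->buf[10] = (uint8_t)(len >> 8); s->buf[11] = (uint8_t)len;
}

/* Vulnerable shape: every entry for the prefix goes into one record with no size check.
 * Returns -1 where the real daemon would trip the stream assertion and abort. */
static int dump_prefix_unsafe(struct stream *s, const uint8_t prefix[PREFIX_LEN],
                              const struct rib_entry *e, size_t n) {
    stream_reset(s);
    if (put_rib_header(s, 0, prefix) < 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (put_rib_entry(s, &e[i]) < 0) return -1;          /* assert failure in bgpd */
    finish_record(s, (uint16_t)n);
    return 0;
}

/* Hardened shape: check the remaining space before each entry; when it does not fit,
 * close and flush the current record and open a new one for the same prefix.
 * Returns the number of records, or -1 if one entry is larger than an empty record. */
static int dump_prefix_split(struct stream *s, const uint8_t prefix[PREFIX_LEN],
                             const struct rib_entry *e, size_t n, size_t *bytes_out) {
    int records = 0; uint16_t in_rec = 0; uint32_t seq = 0;
    *bytes_out = 0; stream_reset(s);
    if (put_rib_header(s, seq, prefix) < 0) return -1;
    for (size_t i = 0; i < n; i++) {
        if (rib_entry_len(&e[i]) > stream_writeable(s)) {
            if (in_rec == 0) return -1;                        /* cannot fit even alone */
            finish_record(s, in_rec); *bytes_out += s->endp; records++;   /* flush to dump file */
            stream_reset(s); in_rec = 0;
            if (put_rib_header(s, ++seq, prefix) < 0) return -1;
        }
        if (put_rib_entry(s, &e[i]) < 0) return -1;            /* unreachable after the check */
        in_rec++;
    }
    if (in_rec > 0) { finish_record(s, in_rec); *bytes_out += s->endp; records++; }
    return records;
}

/* Constructed scenario: npeers peers announce the same prefix with identical attributes. */
struct result { int unsafe_rc; int records; size_t bytes; };
static struct result run_scenario(size_t npeers) {
    static const uint8_t prefix[PREFIX_LEN] = {192, 0, 2, 0};   /* documentation prefix */
    static const uint8_t attr[20] = {0x40, 0x01, 0x01, 0x00};   /* constructed attribute bytes */
    struct rib_entry *e = calloc(npeers, sizeof *e);
    struct stream s; struct result r;
    for (size_t i = 0; i < npeers; i++)
        e[i] = (struct rib_entry){ (uint16_t)i, 1461772449u, sizeof attr, attr };
    r.unsafe_rc = dump_prefix_unsafe(&s, prefix, e, npeers);
    r.records = dump_prefix_split(&s, prefix, e, npeers, &r.bytes);
    free(e);
    return r;
}

int main(void) {
    size_t peers[] = {5, 20};
    for (size_t i = 0; i < 2; i++) {
        struct result r = run_scenario(peers[i]);
        printf("%zu peers: single-record %s, split into %d record(s), %zu bytes\n",
               peers[i], r.unsafe_rc == 0 ? "ok" : "OVERFLOW (bgpd would abort)", r.records, r.bytes);
    }
    return 0;
}
```

The check in dump_prefix_split is the whole fix: the cost of a record boundary is one extra 23-byte header per split, and a dump reader that follows the MRT length field sees several records for one prefix, which is valid. The remaining edge case, an entry that exceeds an empty record, is reported rather than asserted on; in the model it cannot happen with 20-byte attributes, but a real writer should decide how to log and skip it.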