Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 30 Oct 2017 21:09:27 +0100
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: Quagga: CVE-2017-16227: BGP session termination due to rather long
 AS paths in update messages


The following issue in Quagga got assigned CVE-2017-16227:

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

It was reported as in the Debian bugtracker, and
following up now here on oss-security. I'm going to fquote the detailed report:

> there is a longstanding bug in quagga where certain BGP update messages
> cause a quagga bgpd to drop a session, possibly resulting in loss of
> network connectivity.
> Details:
> Long paths in update messages are segmented in BGP, and the bug is in
> the recalculation of the framing information if there are more than two
> segments. The resulting data is invalid but will will be used for
> redistribution. At least if the receiver is another quagga bgpd, that
> message is rejected, eventually resulting in a BGP session termination.
> The receiver's log (if written) contains an error message like
> | BGP: BGP type 2 length 3074 is too large, attribute total length is 2069.  attr_endp is 0x562feb368121.  endp is 0x562feb367d2c
> then.
> So if a site's BGP peers all run quagga, that site will lose network
> connectivity due to frequent session termination. Additionally, the
> repeated initial full table transfer will result in a significantly
> bigger network load, I've seen around 1 MByte/sec/link, compared to
> usually less than one 1 kbyte/sec/link.
> Such extremely long AS paths have occured in the global BGP table at
> least four times since June. Last time started on Oct 13th around 20:43
> UTC and lasted until the following week.
> All versions of quagga in Debian are affected.
> How to fix:
> Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
> After some hours of work I was able to reproduce the issue and can
> confirm this patch resolves the issues for all versions of quagga in
> Debian (wheezy, jessie, stretch = buster = sid). Details about the
> setup available upon request, it's just some stuff to write down.
> [1]


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.