SB2016040603 - Arbitrary code execution in quagga (Alpine package)
Published: April 6, 2016
Security Bulletin ID
SB2016040603
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Arbitrary code execution (CVE-ID: CVE-2016-2342)
CWE-ID: CWE-120 - Buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote unauthenticatd user to cause arbitrary code execution on the target system.
The weakness is due to buffer overflow caused by improper validation of the upper-bound length of received Labeled-VPN SAFI routes data. To exploit the vulnerability attackers can send a specially crafted packets to the system.
Successful exploitation of the weakness results in arbitrary code execution or even denial of service on the vulnerable system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=bd21f0c34fd699ed29fabb46e98b0ad0a522d5db
- https://git.alpinelinux.org/aports/commit/?id=c6a671a8d5628bd7226346d3df7acfbcc7a58973
- https://git.alpinelinux.org/aports/commit/?id=380236e60c820594a1e74395d31fb5ae19f913fc
- https://git.alpinelinux.org/aports/commit/?id=845087bdd853b2e584068d2b26ff698b29a1ce7b