#VU10615 Memory corruption in Quagga


Published: 2018-02-16 | Updated: 2018-02-19

Vulnerability identifier: #VU10615

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5495

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unbounded memory allocation in the telnet 'vty' CLI. A remote attacker able to connect to the TCP ports can  send very long strings without a newline, cause the Quagga daemon to allocate unbounded memory and system crash.

Mitigation
Update to version 1.1.

Vulnerable software versions

Quagga: 1.0.20160309 - 1.1.0

External links
http://savannah.nongnu.org/forum/forum.php?forum_id=8783

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Quagga
Debian update for quagga
Ubuntu update for Quagga
SUSE Linux update for quagga
SUSE Linux update for quagga
SUSE Linux update for quagga
Ubuntu update for Quagga
SUSE Linux update for quagga
Memory corruption in quagga (Alpine package)