#VU10654 Denial of service in Quagga


Published: 2018-02-19

Vulnerability identifier: #VU10654

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-16227

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Quagga BGP daemon due to AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message. A remote attacker can іsupply specially crafted BGP UPDATE messages and cause session drop.

Mitigation
Update to version 1.2.2.

Vulnerable software versions

Quagga: 1.0.20160309 - 1.2.1

External links
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for quagga
SUSE Linux update for quagga
SUSE Linux update for quagga
SUSE Linux update for quagga
Arch Linux update for quagga
Denial of service in quagga (Alpine package)
Debian update for quagga
Ubuntu update for Quagga