Input validation error in Quagga

#VU33865 Input validation error in Quagga

Published: 2013-12-14 | Updated: 2020-08-04

Vulnerability identifier: #VU33865

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-6051

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Quagga: 0.99.21

External links
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=730513
http://git.savannah.gnu.org/gitweb/?p=quagga.git;a=commitdiff;h=8794e8d229dc9fe29ea31424883433d4880ef408
http://www.debian.org/security/2013/dsa-2803

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for quagga

Input validation error in quagga.net Quagga

Input validation error in quagga (Alpine package)