Mailing List Archive

CVE-2017-5495 text
Hi,

The text for CVE-2017-5495 submitted to MITRE:

CVE-2017-5495.

[Suggested description]

All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded
memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service
of Quagga daemons, or even the entire host.

When Quagga daemons are configured with their telnet CLI enabled, anyone
who can connect to the TCP ports can trigger this vulnerability, prior to
authentication. Most distributions restrict the Quagga telnet interface to
local access only by default.

The Quagga telnet interface 'vty' input buffer grows automatically, without
bound, so long as a newline is not entered. This allows an attacker to
cause the Quagga daemon to allocate unbounded memory by sending very long
strings without a newline. Eventually the daemon is terminated by the
system, or the system itself runs out of memory.

------------------------------------------

[VulnerabilityType Other]
Unlimited buffer growth without authentication

------------------------------------------

[Additional Information]
Fixed in Quagga 1.1.1

------------------------------------------

[Vendor of Product]
Quagga Routing Software Suite

------------------------------------------

[Affected Product Code Base]
Quagga routing daemons via VTY - 0.93 to 1.1.0.

------------------------------------------

[Affected Component]
VTY interface for all daemons: zebra, ripd, ripngd, ospfd, bgpd,
ospf6d, isisd, pimd, ldpd. Through the source file lib/vty.c

------------------------------------------

[Attack Type]
Remote.

Local, where the telnet interface is configured to listen only to
localhost, which is the default on distributions such as Debian, CentOS,
Fedora and RHEL.

None where the telnet interface has been disabled.

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Attack Vectors]
Memory exhaustion by sending large buffers of ASCII data without newlines
to one or more of TCP ports 2601-2608, 2611, and 2612 (routing daemon
VTY ports). No authentication is required.

------------------------------------------

[Reference]

------------------------------------------

[Has vendor confirmed or acknowledged the vulnerability?]
true

------------------------------------------

[Discoverer]
Quentin Young <qlyoung@cumulusnetworks.com>


regards,
--
Paul Jakma | paul@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
Mountain Dew and doughnuts... because breakfast is the most important meal
of the day.

_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
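
The bounded line-buffer pattern that counters the unbounded growth described in the advisory above, as an added C example that is not part of the original message and is not Quagga's code or its 1.1.1 fix. `struct linebuf`, `linebuf_feed` and the 4096-byte `MAX_LINE_BYTES` cap are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical per-line cap; not a constant taken from lib/vty.c. */
#define MAX_LINE_BYTES 4096
enum { FEED_OK = 0, FEED_TOO_LONG = -1, FEED_NOMEM = -2 };
struct linebuf {
    char  *data;
    size_t len, cap;  /* bytes in the current unterminated line; bytes allocated */
};

/* Consume n bytes from the peer. A newline completes a line and resets the
 * buffer; past the cap the caller gets FEED_TOO_LONG and should disconnect. */
int linebuf_feed(struct linebuf *lb, const char *in, size_t n, size_t *lines)
{
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\n') {           /* line complete: reuse the buffer */
            lb->len = 0;
            (*lines)++;
            continue;
        }
        if (lb->len >= MAX_LINE_BYTES)
            return FEED_TOO_LONG;      /* refuse to grow without bound */
        if (lb->len == lb->cap) {      /* grow geometrically, clamped */
            size_t ncap = lb->cap ? lb->cap * 2 : 256;
            if (ncap > MAX_LINE_BYTES) ncap = MAX_LINE_BYTES;
            char *p = realloc(lb->data, ncap);
            if (p == NULL) return FEED_NOMEM;
            lb->data = p;
            lb->cap = ncap;
        }
        lb->data[lb->len++] = in[i];
    }
    return FEED_OK;
}

int main(void)
{
    struct linebuf lb = {0};
    char chunk[1024];                  /* constructed input: no newline */
    size_t lines = 0, sent = 0;
    int rc = FEED_OK;
    memset(chunk, 'A', sizeof chunk);
    for (; rc == FEED_OK && sent < (1u << 20); sent += sizeof chunk)
        rc = linebuf_feed(&lb, chunk, sizeof chunk, &lines);
    printf("rc=%d after %zu bytes, allocated=%zu\n", rc, sent, lb.cap);
    free(lb.data);
    return rc == FEED_TOO_LONG ? 0 : 1;
}
```

Because the length check runs before any reallocation, the allocation for a pre-authentication peer never exceeds the cap, however much data arrives without a newline.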