
CVE-2016-1245 text
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I have no idea why the CVE for the IPv6 SLAAC/Router-Adv was never
published. It's not even clear to me how this CVE was assigned, despite
enquiries to one or two places. For the record (as it pertains to
Quagga):

--------------------------------------------------------------------------
Quagga Buffer Overflow in IPv6 RA handling


A buffer overflow exists in the IPv6 (Router Advertisement) code in
Zebra. The issue can be triggered on an IPv6 address where the Quagga
daemon is reachable by an RA (Router Advertisement or IPv6 ICMP message).
The issue leads to a crash of the zebra daemon.


CVE:

CVE-2016-1245


Posting date:

Oct 17, 2016


Program Impacted:

Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbour-discovery enabled on
any interface. Usage of Quagga without running the 'zebra' daemon, or with
no IPv6 neighbour-discovery, is not affected.

Versions affected:

- Quagga versions running on Linux prior to Quagga 1.0.20161017
are not affected.

Versions not affected:

- All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.

Severity:

High


Exploitable:

Remotely.


Description:

A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
messages uses a wrong constant to limit its size. This does not affect *BSD
systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but does affect at least
all Linux-based systems.

For the exploit to work, the Quagga instance needs to be reachable over
IPv6. Any interface with IPv6 enabled can trivially allow the 'zebra'
daemon to be crashed (Denial-of-Service) via a buffer overflow. The issue
can be avoided by having the IPv6 Neighbour Discovery turned off (see
workaround), which is the default state.

Note: the neighbour discovery needs to be turned off on _ALL_ interfaces for
this workaround to apply (not just the connected or active interfaces).

The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
run the 'zebra' daemon (e.g. only running 'bgpd') are not affected.

On Linux distributions which compile Quagga with GCC -fstack-protector, the
impact may be limited to a DoS, as the GCC-inserted stack-check function
epilogue should detect the overflow and safely abort the process if the bug
is exploited. Otherwise, the bug may allow arbitrary code execution by a
remote attacker.

Quagga supports running as a non-root user and with lowered privileges,
using capabilities on Linux, and this is highly encouraged. On Linux
distributions which configure Quagga to run this way, any exploit code will
be limited to a non-root environment, with 0 effective capabilities. The
acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
CAP_SYS_ADMIN.

Workarounds:

Disable IPv6 neighbour discovery announcements on all interfaces ("ipv6 nd
suppress-ra" configured under all interfaces). Make sure to have it
disabled on ALL interfaces.


Active exploits:
None known in the public at this time. Internal Proof-of-Concept code
exists.


Fixed Versions:

Quagga 1.0.20161017

Solution:

Upgrade to Quagga 1.0.20161017 or later, or apply the relevant commits to
the Quagga 1.0.20161017 release. Quagga can be downloaded from the
following location:

http://www.nongnu.org/quagga/

The git source code can be accessed via:

http://code.quagga.net/

Acknowledgments:

The issue was uncovered by David Lamparter.


References:

* Questions regarding this advisory should go to

security@quagga.net

regards,
--
Paul Jakma | paul@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
it has Intel Inside


_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
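The advisory's "Program Impacted" and "Workarounds" sections turn into two checks an operator would want to run against a Linux zebra deployment: is the installed Quagga older than the fixed release 1.0.20161017, and does any interface section in the zebra configuration still have RA announcements enabled. The script below is an added example, not code from the advisory or from the Quagga project. It assumes the Quagga convention that an interface with announcements enabled shows "no ipv6 nd suppress-ra" in its section, while an interface with no such line is in the suppressed default state the advisory mentions; the sample configuration and version strings are constructed for the demonstration.

```python
"""Added audit helper for CVE-2016-1245 (example code, not Quagga's own).

Checks two things the advisory makes relevant for a Linux zebra deployment:
  1. whether the running Quagga version is at least the fixed release, and
  2. whether any 'interface' section enables RA announcements via
     'no ipv6 nd suppress-ra', the condition under which zebra is exposed.
Assumption: a section without that line is in the suppressed default state.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 0, 20161017)  # from the advisory's "Fixed Versions"

# Constructed sample zebra.conf: eth1 and eth2 have RA announcements enabled,
# eth0 explicitly suppresses them, lo has no ND configuration at all.
SAMPLE_CONFIG = """\
hostname zebra
!
interface lo
!
interface eth0
 ip address 192.0.2.1/24
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 address 2001:db8::1/64
 no ipv6 nd suppress-ra
 ipv6 nd ra-interval 30
!
interface eth2
 ! a comment inside a section is ignored
 no ipv6 nd suppress-ra
!
"""


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' section to its indented sub-commands."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' comments do not change the section
        if not line.startswith(" "):
            # Any top-level command ends the previous section; only
            # 'interface NAME' opens a new one we care about.
            m = re.match(r"interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current is not None:
                sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line.strip())
    return sections


def interfaces_sending_ra(config_text: str) -> List[str]:
    """Interfaces whose section enables announcements ('no ipv6 nd suppress-ra')."""
    return [name for name, cmds in parse_interfaces(config_text).items()
            if "no ipv6 nd suppress-ra" in cmds]


def parse_version(version: str) -> Tuple[int, ...]:
    """'1.0.20160315' -> (1, 0, 20160315); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_fixed_version(version: str) -> bool:
    """True when the version is the fixed release or later (tuple compare)."""
    return parse_version(version) >= FIXED_VERSION


def audit(config_text: str, version: str, os_name: str = "linux") -> dict:
    """Combine the checks into one verdict following the advisory's conditions."""
    exposed = interfaces_sending_ra(config_text)
    fixed = is_fixed_version(version)
    on_linux = os_name.lower() == "linux"  # advisory: *BSD/Solaris not affected
    return {
        "exposed_interfaces": exposed,
        "fixed_version": fixed,
        # Vulnerable only when Linux, pre-fix version and RAs enabled somewhere.
        "vulnerable": on_linux and not fixed and bool(exposed),
    }


if __name__ == "__main__":
    verdict = audit(SAMPLE_CONFIG, "1.0.20160315")  # constructed old version
    print(verdict)
    for name in verdict["exposed_interfaces"]:
        print(f"interface {name}: add 'ipv6 nd suppress-ra' (advisory workaround)")
```

Run against a real zebra.conf (or the output of `show running-config`) and the reported Quagga version; the workaround is only complete when the exposed-interface list is empty, matching the advisory's insistence on ALL interfaces, and the version check is the durable fix.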