Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
=============================================================
A buffer overflow exists in the IPv6 (Router Advertisement) code in
Zebra. The issue can be triggered on an IPv6 address where the Quagga
daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message.
The issue leads to a crash of the zebra daemon.
CVE:
CVE-2016-1245
Document Version:
1.0
Posting date:
Oct 18, 2016
Program Impacted:
Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery on any
interfaced enabled. Usage of Quagga without running the 'zebra' daemon, or no
IPv6 neighbor-discovery are not affected.
Versions affected:
- All Versions of Quagga running on Linux
Versions not affected:
- All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.
- Brocade 5400 vRouter - Not impacted.
- Brocade 5600 vRouter - Not impacted.
- BigSwitch Big Cloud Fabric code is not affected.
Severity:
High
Exploitable:
Remotely.
Description:
A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
messages uses a wrong constant to limit its size. This does not affect *BSD
systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but at least all Linux
based systems.
For the exploit to work, the Quagga instance needs to be reachable over
IPv6. Any interface with IPv6 enabled can trivially allow the 'zebra'
daemon to be crashed (Denial-of-Service) via a buffer overflow. The issue
can be avoided by having the IPv6 Neighbor Discovery turned off (see
workaround), which is the default state.
Note: the neighbor discovery needs to be turned off on _ALL_ interfaces for
this to workaround to apply (not just the connected or active interfaces).
The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
run the 'zebra' daemon (e.g. only running 'bgpd') are not affected.
On Linux distributions which compile Quagga with GCC -fstack-protector, the
impact may be limited to a DoS, as the GCC inserted stack-check function
epilogue should detect the overflow and safely abort the process if the bug
is exploited. Otherwise, the bug may allow arbitrary code execution by a
remote attacker.
Quagga supports running as a non-root user and with lowered privileges,
using capabilities on Linux, and this is highly encouraged. On Linux
distributions which configure Quagga to run this way, any exploit code will
be limited to a non-root environment, with 0 effective capabilities. The
acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
CAP_SYS_ADMIN.
CVSS v3 Base Score: 9.3
CVSS Equation:
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss/v3-calculator?vector=3DAV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:H/A:H/E:F/RL:X/RC:C
Workarounds:
Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd
suppress-ra" configured under all interfaces). Make sure to have it
disabled on ALL interfaces.
Active exploits:
None known in the public at this time. Internal Proof-of-Concept code
exists.
Fixed Versions:
TBD
Solution:
Upgrade to Quagga 1.0.20161017 or upgrade to latest GIT Master version or
apply patches located at the URL below to your source code.
Quagga can be downloaded from the following location:
http://www.nongnu.org/quagga/ or https://github.com/Quagga/quagga
Patch (Commit) for security fix is at
https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
Document Revision History:
1.0 22 September 2016 - Initial (internal) draft
1.1 18 October 2016 - CVE release version
Acknowledgments:
The issue was uncovered by David Lamparter at OpenSourceRouting.org
References:
* Do you have Questions? Questions regarding this advisory should go to
security@quagga.net or security@opensourcerouting.org
=============================================================
A buffer overflow exists in the IPv6 (Router Advertisement) code in
Zebra. The issue can be triggered on an IPv6 address where the Quagga
daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message.
The issue leads to a crash of the zebra daemon.
CVE:
CVE-2016-1245
Document Version:
1.0
Posting date:
Oct 18, 2016
Program Impacted:
Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery on any
interfaced enabled. Usage of Quagga without running the 'zebra' daemon, or no
IPv6 neighbor-discovery are not affected.
Versions affected:
- All Versions of Quagga running on Linux
Versions not affected:
- All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.
- Brocade 5400 vRouter - Not impacted.
- Brocade 5600 vRouter - Not impacted.
- BigSwitch Big Cloud Fabric code is not affected.
Severity:
High
Exploitable:
Remotely.
Description:
A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
messages uses a wrong constant to limit its size. This does not affect *BSD
systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but at least all Linux
based systems.
For the exploit to work, the Quagga instance needs to be reachable over
IPv6. Any interface with IPv6 enabled can trivially allow the 'zebra'
daemon to be crashed (Denial-of-Service) via a buffer overflow. The issue
can be avoided by having the IPv6 Neighbor Discovery turned off (see
workaround), which is the default state.
Note: the neighbor discovery needs to be turned off on _ALL_ interfaces for
this to workaround to apply (not just the connected or active interfaces).
The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
run the 'zebra' daemon (e.g. only running 'bgpd') are not affected.
On Linux distributions which compile Quagga with GCC -fstack-protector, the
impact may be limited to a DoS, as the GCC inserted stack-check function
epilogue should detect the overflow and safely abort the process if the bug
is exploited. Otherwise, the bug may allow arbitrary code execution by a
remote attacker.
Quagga supports running as a non-root user and with lowered privileges,
using capabilities on Linux, and this is highly encouraged. On Linux
distributions which configure Quagga to run this way, any exploit code will
be limited to a non-root environment, with 0 effective capabilities. The
acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
CAP_SYS_ADMIN.
CVSS v3 Base Score: 9.3
CVSS Equation:
For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss/v3-calculator?vector=3DAV:N/AC:L/PR:N/UI:N/S:U/
C:N/I:H/A:H/E:F/RL:X/RC:C
Workarounds:
Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd
suppress-ra" configured under all interfaces). Make sure to have it
disabled on ALL interfaces.
Active exploits:
None known in the public at this time. Internal Proof-of-Concept code
exists.
Fixed Versions:
TBD
Solution:
Upgrade to Quagga 1.0.20161017 or upgrade to latest GIT Master version or
apply patches located at the URL below to your source code.
Quagga can be downloaded from the following location:
http://www.nongnu.org/quagga/ or https://github.com/Quagga/quagga
Patch (Commit) for security fix is at
https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
Document Revision History:
1.0 22 September 2016 - Initial (internal) draft
1.1 18 October 2016 - CVE release version
Acknowledgments:
The issue was uncovered by David Lamparter at OpenSourceRouting.org
References:
* Do you have Questions? Questions regarding this advisory should go to
security@quagga.net or security@opensourcerouting.org
Attached Files:
-
signature.asc (0.82 KB)