Quagga Version 1.0.20161017 released with Security Fixes
Quagga 1.0.20161017 includes some important Security Fixes. See CVE-2016-1245 below.
This release is identical to 1.0.20160315 apart from the security fix. Compliance Results are online at our Compliance Page.
Here is the text of the CVE-2016-1245:
Security Advisory: Quagga Buffer Overflow in IPv6 RA handling
A buffer overflow exists in the IPv6 RA (Router Advertisement) code in Zebra. The issue can be triggered on an IPv6 address where the Quagga daemon is reachable by an RA (Router Advertisement) or IPv6 ICMP message. The issue leads to a crash of the zebra daemon.
CVE:
CVE-2016-1245
Document Version:
1.0
Posting date:
Oct 18, 2016
Program Impacted:
Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbor-discovery enabled on any interface. Deployments that do not run the ‘zebra’ daemon, or that do not use IPv6 neighbor-discovery, are not affected.
Versions affected:
– All Versions of Quagga running on Linux
Versions not affected:
– All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.
– Brocade 5400 vRouter – Not impacted.
– Brocade 5600 vRouter – Not impacted.
– BigSwitch Big Cloud Fabric code is not affected.
Severity:
High
Exploitable:
Remotely.
Description:
A buffer overflow exists in the IPv6 RA (Router Advertisement) code. The code which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement messages uses the wrong constant to limit their size. This does not affect *BSD systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but it does affect at least all Linux-based systems.
For the exploit to work, the Quagga instance needs to be reachable over IPv6. Any interface with IPv6 enabled can trivially allow the ‘zebra’ daemon to be crashed (Denial-of-Service) via a buffer overflow. The issue can be avoided by having the IPv6 Neighbor Discovery turned off (see workaround), which is the default state.
Note: neighbor discovery needs to be turned off on _ALL_ interfaces for this workaround to apply (not just the connected or active interfaces).
The bug is in the ‘zebra’ daemon (the main daemon). Deployments that do not run the ‘zebra’ daemon (e.g. only running ‘bgpd’) are not affected.
On Linux distributions which compile Quagga with GCC -fstack-protector, the impact may be limited to a DoS, as the GCC inserted stack-check function epilogue should detect the overflow and safely abort the process if the bug is exploited. Otherwise, the bug may allow arbitrary code execution by a remote attacker.
Quagga supports running as a non-root user and with lowered privileges, using capabilities on Linux, and this is highly encouraged. On Linux distributions which configure Quagga to run this way, any exploit code will be limited to a non-root environment, with 0 effective capabilities. The acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and CAP_SYS_ADMIN.
CVSS v3 Base Score: 9.3
CVSS Equation:
For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit:
https://nvd.nist.gov/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/E:F/RL:X/RC:C
Workarounds:
Disable IPv6 neighbor discovery announcements on all interfaces (“ipv6 nd suppress-ra” configured under all interfaces). Make sure to have it disabled on ALL interfaces.
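One way to check the workaround across a whole configuration, as an added example that is not part of the advisory or of Quagga: the script below parses a zebra.conf and reports, per interface, whether “ipv6 nd suppress-ra” is explicitly set. It assumes the usual layout of top-level “interface NAME” stanzas with indented sub-commands and that “no ipv6 nd suppress-ra” is the form that enables RA; the sample configuration, the interface list and the state labels are constructed for illustration.

```python
import re

# Constructed sample zebra.conf (illustrative, not taken from the advisory).
SAMPLE_CONF = """\
hostname router1
!
interface eth0
 ipv6 address 2001:db8:1::1/64
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8:1::/64
!
interface eth1
 ipv6 nd suppress-ra
!
interface lo
!
router-id 192.0.2.1
"""

def audit_ra(conf_text, system_ifaces=()):
    """Map each interface to 'suppressed', 'ra-enabled', 'default'
    (stanza present, no explicit line) or 'not-in-config'."""
    states, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indented = raw[0].isspace()
        m = re.match(r"interface\s+(\S+)", line)
        if m and not indented:
            current = m.group(1)            # start of an interface stanza
            states.setdefault(current, "default")
        elif not indented:
            current = None                  # '!' or another top-level command
        elif current and line == "ipv6 nd suppress-ra":
            states[current] = "suppressed"
        elif current and line == "no ipv6 nd suppress-ra":
            states[current] = "ra-enabled"  # zebra sends RAs on this interface
    # The workaround must hold on ALL interfaces, so also list interfaces
    # the system has but the configuration never mentions.
    for name in system_ifaces:
        states.setdefault(name, "not-in-config")
    return states

def needs_attention(states):
    """Interfaces where the workaround is not explicitly configured."""
    return sorted(n for n, s in states.items() if s != "suppressed")

if __name__ == "__main__":
    result = audit_ra(SAMPLE_CONF, ["eth0", "eth1", "eth2", "lo"])
    for name in needs_attention(result):
        print(f"{name}: {result[name]}")
```

Interfaces reported as ‘default’ or ‘not-in-config’ rely on the default state rather than on an explicit setting, so they are listed for review alongside those with RA enabled.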
Active exploits:
None publicly known at this time. Internal Proof-of-Concept code exists.
Fixed Versions:
– Quagga 1.0.20161017 and later versions
Solution:
Upgrade to Quagga 1.0.20161017, upgrade to the latest Git master version, or apply the patches located at the URL below to your source code.
Quagga can be downloaded from the following location:
http://www.nongnu.org/quagga/ or https://github.com/Quagga/quagga
Patch (Commit) for security fix is at
https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546
Document Revision History:
1.0 22 September 2016 – Initial (internal) draft
1.1 18 October 2016 – CVE release version
Acknowledgments:
The issue was uncovered by David Lamparter at OpenSourceRouting.org
References:
* Do you have Questions? Questions regarding this advisory should go to
security (at) quagga.net or security (at) opensourcerouting.org