Quagga is "a routing software suite. Quagga bgpd implements the BGP routing protocol". There are two vulnerabilities in the Quagga product. In both vulnerabilities, the attacker must be a configured peer.

Credit:
The information has been provided by MuSecurity.
The original article can be found at: http://labs.musecurity.com/wp-content/uploads/2007/09/mu-200709-01.txt
Vulnerable Systems:
* Quagga version 0.99.8
Immune Systems:
* Quagga version 0.99.9
Two issues have been discovered in Quagga:
* A BGP OPEN message with an invalid message length and a valid option parameters length (or vice versa) from a configured peer can cause an assertion failure in the stream library.
* An empty or malformed COMMUNITIES attribute in an UPDATE from a configured peer can cause a NULL pointer dereference when the attribute is printed if "debug bgp updates" is enabled.
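
As an added example (not Quagga's code and not part of the advisory), the C sketch below shows the length checks both issues turn on: an OPEN whose header length, Opt Parm Len and received byte count must agree, and a COMMUNITIES length that must be a non-zero multiple of 4. Offsets follow the BGP-4 layout in RFC 4271 and the 4-octet community size in RFC 1997; the function names and the check_sample helper are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BGP_HEADER_LEN  19u   /* marker(16) + length(2) + type(1) */
#define BGP_OPEN_FIXED  10u   /* version, AS, hold time, ID, Opt Parm Len */
#define BGP_MAX_MSG_LEN 4096u
#define BGP_MSG_OPEN    1u

/* 1 if the header length, Opt Parm Len and received byte count all agree. */
int bgp_open_lengths_ok(const uint8_t *buf, size_t received)
{
    const size_t min_open = BGP_HEADER_LEN + BGP_OPEN_FIXED;   /* 29 */
    if (buf == NULL || received < min_open || buf[18] != BGP_MSG_OPEN)
        return 0;
    size_t msg_len = ((size_t)buf[16] << 8) | buf[17];
    if (msg_len < min_open || msg_len > BGP_MAX_MSG_LEN || msg_len > received)
        return 0;
    return msg_len == min_open + buf[28];   /* buf[28] is Opt Parm Len */
}

/* COMMUNITIES carries 4-octet values: reject empty or non-multiple-of-4. */
int bgp_communities_len_ok(size_t attr_len)
{
    return attr_len != 0 && attr_len % 4 == 0;
}

/* Hypothetical helper: validates a constructed OPEN with these length fields. */
int check_sample(uint16_t hdr_len, uint8_t opt_len, size_t received)
{
    uint8_t buf[64] = {0};
    if (received > sizeof buf)
        return 0;
    memset(buf, 0xFF, 16);                 /* marker */
    buf[16] = (uint8_t)(hdr_len >> 8);
    buf[17] = (uint8_t)(hdr_len & 0xFF);
    buf[18] = BGP_MSG_OPEN;
    buf[19] = 4;                           /* BGP version */
    buf[28] = opt_len;
    return bgp_open_lengths_ok(buf, received);
}

int main(void)
{
    printf("consistent OPEN: %d\n", check_sample(37, 8, 37));
    printf("header length short of options: %d\n", check_sample(29, 8, 37));
    printf("empty COMMUNITIES: %d\n", bgp_communities_len_ok(0));
    return 0;
}
```

Running such checks before the parser reads any field lets an inconsistent message be rejected with a NOTIFICATION instead of reaching an assertion or a debug print path.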
Vendor Response / Solution:
Update to 0.99.9, available from http://www.quagga.net/
History:
August 29, 2007 - First contact with vendor
August 30, 2007 - Vendor acknowledges vulnerability
August 31, 2007 - Second issue reported
September 1, 2007 - Vendor acknowledges second vulnerability
September 7, 2007 - Vendor releases 0.99.9
September 12, 2007 - Advisory released