A remote DoS condition exists in Zebra and/or Quagga when layer 3 access to the telnet management port (2601/tcp, or 2605/tcp for bgpd) is possible. The vulnerability can be recreated by sending a telnet option delimiter with no actual option data. This will cause a bad memory call and a SIGSEGV.
Vulnerable systems:
* GNU Zebra and all versions of Quagga prior to 0.96.4
Workaround:
Restrict access to each daemon's telnet CLI, either by configuring the daemon's vty with an appropriate access-class and access-list, or by some external firewalling application.
Alternatively, disable external vty access completely by removing the vty password (and restarting) or by passing the '-P 0' parameter to the daemon.
Steps to Reproduce:
1. Run Zebra on a machine.
2. From another machine run: printf '\xff\xf0\xff\xf0\xff\xf0' | nc <zebra-host> 2601
3. Zebra dies.
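For detection, the bytes in step 2 are three repetitions of telnet IAC SE (0xff 0xf0), a sub-negotiation end with no preceding IAC SB. The following is an added example, not part of the original advisory or of Quagga: a small scanner that flags that pattern in a captured vty payload. The function name and the sample payloads are constructed for illustration.

```python
from typing import List

# Telnet command bytes (RFC 854)
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def find_orphan_se(payload: bytes) -> List[int]:
    """Return offsets of every IAC SE seen while no IAC SB is open."""
    offsets = []
    in_subneg = False
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            i += 1                      # plain data byte
            continue
        if i + 1 >= n:
            break                       # truncated IAC at end of capture
        cmd = payload[i + 1]
        if cmd in NEGOTIATION:
            i += 3                      # IAC <verb> <option>
            continue
        if cmd == SB:
            in_subneg = True
        elif cmd == SE:
            if not in_subneg:
                offsets.append(i)       # delimiter with no option data
            in_subneg = False
        # IAC IAC (escaped 0xff) and other two-byte commands fall through
        i += 2
    return offsets


if __name__ == "__main__":
    # Constructed samples: the bytes from step 2, and a well-formed
    # NAWS sub-negotiation (IAC SB 31 0 80 0 24 IAC SE).
    samples = {
        "advisory bytes": b"\xff\xf0\xff\xf0\xff\xf0",
        "valid NAWS": b"\xff\xfa\x1f\x00\x50\x00\x18\xff\xf0",
    }
    for name, data in samples.items():
        hits = find_orphan_se(data)
        print(f"{name}: {'ALERT at ' + str(hits) if hits else 'clean'}")
```

Run it over reassembled client-to-server payloads for ports 2601 and 2605; any non-empty result on an unpatched daemon's vty port is worth correlating with daemon restarts or core dumps.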
Solution:
Quagga version 0.96.4 contains a fix for this bug. Alternatively, one can manually apply the fix to whichever sources one currently uses. See the referenced RedHat Bugzilla entry for the fix: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107140