==================================================================== CERT-Renater Note d'Information No. 2018/VULN056 _____________________________________________________________________ DATE : 19/02/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Quagga versions prior to 1.2.3. ===================================================================== https://www.quagga.net/security/Quagga-2018-1114.txt _____________________________________________________________________ Quagga Security Note 2018-1114 ============================== https://www.quagga.net/security/Quagga-2018-1114.txt Affects: -------- - Likely to affect all versions of Quagga Summary ------- The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. Impact ------ Potentially severe. This issue can be triggered by an optional/transitive UPDATE attribute, that all conforming eBGP speakers should pass along. This means this may triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message. This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process. Solution -------- Upgrade to Quagga 1.2.3, or any other version with the appropriate patch applied, entitled: "bgpd/security: Fix double free of unknown attribute" Description ------------ The issue is a double-free in bgp_attr_flush called from bgp_packet.c:bgp_update_receive. This can be triggered by a variety of BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used in iBGP route-reflection) or an unknown attribute. An unrecognised optional/transitive UPDATE attribute should be passed along by conforming BGP speakers, if the attribute is otherwise well-formed. Therefore this issue potentially can be triggered across a number of Quagga bgpd speakers, over a wide area of a network, by one BGP speaker sending an UPDATE. Once this issue has been triggered the behaviour of bgpd is undefined. The internal state of the memory allocator may become corrupted, unless it has been designed to be robust to the double-free. The memory allocator may catch the issue and crash the bgpd process in a controlled manner, otherwise bgpd process could continue to run with invalid memory allocation state. It is possible an attacker could exploit the corrupted allocator state to gain control of the bgpd process. E.g., if the allocator stores the incorrectly double-freed memory twice on its internal free-list, then the allocator could return the same memory twice in further calls of malloc, and the attacker might be able to control the operation of one part of bgpd with data they supply that is stored in another. ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================