Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Apr 2016 18:34:09 +0300
From: Evgeny Uskov <eu@...tor.net>
To: oss-security@...ts.openwall.com
Cc: noc@...tor.net
Subject: CVE-2016-4049: Denial of Service Vulnerability in Quagga BGP Routing
 Daemon (bgpd)

Hello,

About 3 months ago we found the following vulnerability in BGP daemon
from Quagga routing software (bgpd): if the following conditions are
satisfied:
 - regular dumping is enabled
 - bgpd instance has many BGP peers
then BGP message packets that are big enough cause bgpd to crash.
The situation when the conditions above are satisfied is quite common.
Moreover, it is easy to craft a packet which is much "bigger" than a
typical packet, and hence such crafted packet can much more likely cause
the crash.

The reason of such behavior is as follows. The function
bgp_dump_routes_func in bgpd/bgp_dump.c does not perform any size checks
when writing data to bgp_dump_obuf. For each bgp_node table record it
tries to dump all data to bgp_dump_obuf stream which is of limited size.
If there is no free space in this stream, the assertion fails and bgpd
crashes.

The problem seems to be quite serious since it may occur if bgpd has
many BGP peers announcing the same prefix (e.g. if bgpd is used as BGP
reflector, on Internet Exchanges etc), and regular dumping is enabled.
In our case "many" was equal to 20.

The easiest way to reproduce the problem:
1) add 150 BGP neighbors announcing the same prefix
2) write "dump bgp routes-mrt bview.dat" command to the telnet console.

The easiest way to eliminate the problem is to create multiple MRT
records if there is too much data for a prefix. Please see the attached
file dump_fix.patch implementing such solution.

We contacted Quagga developers and sent them patches of this
vulnerability. They responded that they are going to apply these patches
in the next patching round:
 - https://lists.quagga.net/pipermail/quagga-dev/2016-January/014699.html
 - https://lists.quagga.net/pipermail/quagga-dev/2016-February/014743.html
However, the vulnerability is still not patched and it is unclear how
long to wait.

This issue has been assigned the name CVE-2016-4049.

--
| Evgeny Uskov  | HLL l QRATOR
| mob.: +7 916 319 33 20
| skype: evgeny_uskov
| mailto: eu@...tor.net
| visit: www.qrator.net


View attachment "dump_fix.patch" of type "text/x-patch" (6413 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.