Vigil@nce - Quagga: denial of service via ORF
June 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A malicious peer can send a BGP OPEN message with a malformed ORF
capability, in order to generate a denial of service in Quagga.
Severity: 2/4
Creation date: 04/06/2012
IMPACTED PRODUCTS
– Quagga Routing Suite
– SUSE Linux Enterprise Desktop
– SUSE Linux Enterprise Server
DESCRIPTION OF THE VULNERABILITY
The BGP ORF (Outbound Route Filtering, RFC 5291) feature can be
used to send to a peer a list of filters to apply on routes, in
order to block them upstream.
The BGP OPEN message is used when the session with a peer is
initialized. This message can contain capabilities indicating
supported features (RFC 5492).
Capability 3 indicates that ORF is supported, and contains one
AFI/SAFI (Address Family Identifier, Subsequent Address Family
Identifier) block.
However, when the BGP OPEN message has an ORF capability with
several blocks, the bgp_capability_orf_entry() function does not
correctly process the size of the data. The Quagga daemon then tries
to read at an invalid memory address.
A malicious peer can therefore send a BGP OPEN message with a
malformed ORF capability, in order to generate a denial of service
in Quagga.
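The size check described above, written as a bounds-checked walk over an ORF capability value. This is an added example, not Quagga's code or its patch. The function name, the sample byte arrays and the strict rejection of unknown Send/Receive values are assumptions of this example, and the field layout is taken from RFC 5291.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ORF_BLOCK_HDR 5  /* AFI(2) + reserved(1) + SAFI(1) + number of ORFs(1) */
#define ORF_ENTRY_LEN 2  /* ORF type(1) + send/receive(1) */

/* Hypothetical validator: returns the number of AFI/SAFI blocks in the
 * capability value, or -1 if a declared size exceeds the bytes present. */
int orf_cap_validate(const uint8_t *val, size_t len)
{
    size_t off = 0;
    int blocks = 0;

    if (val == NULL || len == 0)
        return -1;
    while (off < len) {
        if (len - off < ORF_BLOCK_HDR)
            return -1;                      /* truncated block header */
        size_t n = val[off + 4];            /* peer-supplied entry count */
        off += ORF_BLOCK_HDR;
        if ((len - off) / ORF_ENTRY_LEN < n)
            return -1;                      /* count runs past the capability */
        for (size_t i = 0; i < n; i++) {
            uint8_t mode = val[off + i * ORF_ENTRY_LEN + 1];
            if (mode < 1 || mode > 3)       /* 1=receive, 2=send, 3=both */
                return -1;                  /* strict choice of this example */
        }
        off += n * ORF_ENTRY_LEN;
        blocks++;
    }
    return blocks;
}

/* Constructed sample capability values (not captured traffic). */
static const uint8_t orf_one_block[]  = { 0,1, 0, 1, 1, 0x40,3 };
static const uint8_t orf_two_blocks[] = { 0,1, 0, 1, 1, 0x40,3,
                                          0,2, 0, 1, 1, 0x40,1 };
static const uint8_t orf_bad_count[]  = { 0,1, 0, 1, 5, 0x40,3 }; /* claims 5 entries, carries 1 */

int main(void)
{
    printf("one block:  %d\n", orf_cap_validate(orf_one_block, sizeof orf_one_block));
    printf("two blocks: %d\n", orf_cap_validate(orf_two_blocks, sizeof orf_two_blocks));
    printf("bad count:  %d\n", orf_cap_validate(orf_bad_count, sizeof orf_bad_count));
    return 0;
}
```

Every length is compared against the bytes remaining in the capability before any read, so a count that overstates the data is rejected instead of dereferenced.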
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Quagga-denial-of-service-via-ORF-11672