List: oss-security
Subject: [oss-security] Quagga: CVE-2017-16227: BGP session termination due to rather long AS paths in update
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2017-10-30 20:09:27
Message-ID: 20171030200927.pm3ypa3nomwgwq4h () eldamar ! local
Hi

The following issue in Quagga got assigned CVE-2017-16227:

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

It was reported as https://bugs.debian.org/879474 in the Debian bugtracker, and
following up now here on oss-security. I'm going to quote the detailed report:

> there is a longstanding bug in quagga where certain BGP update messages
> cause a quagga bgpd to drop a session, possibly resulting in loss of
> network connectivity.
>
>
> Details:
>
> Long paths in update messages are segmented in BGP, and the bug is in
> the recalculation of the framing information if there are more than two
> segments. The resulting data is invalid but will be used for
> redistribution. At least if the receiver is another quagga bgpd, that
> message is rejected, eventually resulting in a BGP session termination.
>
> The receiver's log (if written) contains an error message like
> > BGP: 172.23.97.181: BGP type 2 length 3074 is too large, attribute total length is 2069. \
> > attr_endp is 0x562feb368121. endp is 0x562feb367d2c
> then.
>
> So if a site's BGP peers all run quagga, that site will lose network
> connectivity due to frequent session termination. Additionally, the
> repeated initial full table transfer will result in a significantly
> bigger network load, I've seen around 1 MByte/sec/link, compared to
> usually less than 1 kbyte/sec/link.
>
> Such extremely long AS paths have occurred in the global BGP table at
> least four times since June. Last time started on Oct 13th around 20:43
> UTC and lasted until the following week.
>
> All versions of quagga in Debian are affected.
>
>
> How to fix:
>
> Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
> After some hours of work I was able to reproduce the issue and can
> confirm this patch resolves the issues for all versions of quagga in
> Debian (wheezy, jessie, stretch = buster = sid). Details about the
> setup available upon request, it's just some stuff to write down.
>
> [1] https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
> http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008
>
Regards,
Salvatore
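
The segmentation and length check described in the report, as an added example that is not part of the original message and is not Quagga code: it splits a long path into AS_SEQUENCE segments of at most 255 ASNs and validates the framing the way a receiver must before accepting the attribute. The function names, the 4-octet ASN size and the 600-hop sample path are assumptions made for illustration.

```python
import struct

SEG_TYPES = {1: "AS_SET", 2: "AS_SEQUENCE", 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
MAX_SEG_ASNS = 255  # the per-segment AS count is a single octet


def encode_as_sequence(asns, asn_size=4):
    """Encode a path as AS_SEQUENCE segments of at most 255 ASNs each."""
    fmt = "!I" if asn_size == 4 else "!H"
    out = bytearray()
    for i in range(0, len(asns), MAX_SEG_ASNS):
        chunk = asns[i:i + MAX_SEG_ASNS]
        out += bytes([2, len(chunk)])          # segment type, AS count
        out += b"".join(struct.pack(fmt, a) for a in chunk)
    return bytes(out)


def check_as_path(buf, declared_len, asn_size=4):
    """Validate AS_PATH framing. buf holds the octets left in the path
    attributes; declared_len is the attribute's length field.
    Returns (ok, reason, per-segment AS counts)."""
    if declared_len > len(buf):
        return False, "attribute length exceeds remaining data", []
    pos, counts = 0, []
    while pos < declared_len:
        if declared_len - pos < 2:
            return False, "truncated segment header", counts
        seg_type, count = buf[pos], buf[pos + 1]
        if seg_type not in SEG_TYPES or count == 0:
            return False, "bad segment type or empty segment", counts
        pos += 2 + count * asn_size
        if pos > declared_len:
            return False, "segment overruns attribute length", counts
        counts.append(count)
    return True, "ok", counts


if __name__ == "__main__":
    path = list(range(64512, 64512 + 600))     # constructed 600-hop path, private ASNs
    value = encode_as_sequence(path)
    print(check_as_path(value, len(value)))         # consistent framing
    print(check_as_path(value, len(value) - 2))     # length field too small
    print(check_as_path(value, len(value) + 100))   # length field too large
```

A path of more than 510 ASNs needs three or more segments, which is the case the report names; any mismatch between the attribute length field and the sum of the segment sizes makes the attribute unparseable for the receiver.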