[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Quagga: CVE-2017-16227: BGP session termination due to rather long AS paths in update
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-10-30 20:09:27
Message-ID: 20171030200927.pm3ypa3nomwgwq4h () eldamar ! local
[Download RAW message or body]

Hi

The following issue in Quagga got assigned CVE-2017-16227:

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

It was reported as https://bugs.debian.org/879474 in the Debian bugtracker, and
following up now here on oss-security. I'm going to fquote the detailed report:

> there is a longstanding bug in quagga where certain BGP update messages
> cause a quagga bgpd to drop a session, possibly resulting in loss of
> network connectivity.
> 
> 
> Details:
> 
> Long paths in update messages are segmented in BGP, and the bug is in
> the recalculation of the framing information if there are more than two
> segments. The resulting data is invalid but will will be used for
> redistribution. At least if the receiver is another quagga bgpd, that
> message is rejected, eventually resulting in a BGP session termination.
> 
> The receiver's log (if written) contains an error message like
> > BGP: 172.23.97.181: BGP type 2 length 3074 is too large, attribute total length is 2069.  \
> > attr_endp is 0x562feb368121.  endp is 0x562feb367d2c
> then.
> 
> So if a site's BGP peers all run quagga, that site will lose network
> connectivity due to frequent session termination. Additionally, the
> repeated initial full table transfer will result in a significantly
> bigger network load, I've seen around 1 MByte/sec/link, compared to
> usually less than one 1 kbyte/sec/link.
> 
> Such extremely long AS paths have occured in the global BGP table at
> least four times since June. Last time started on Oct 13th around 20:43
> UTC and lasted until the following week.
> 
> All versions of quagga in Debian are affected.
> 
> 
> How to fix:
> 
> Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
> After some hours of work I was able to reproduce the issue and can
> confirm this patch resolves the issues for all versions of quagga in
> Debian (wheezy, jessie, stretch = buster = sid). Details about the
> setup available upon request, it's just some stuff to write down.
> 
> [1] https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
> http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008
> 

Regards,
Salvatore


[prev in list] [next in list] [prev in thread] [next in thread]