List: quagga-dev
Subject: [quagga-dev 11530] Security Update: Multi-Router Looking Glass (MRLG)
From: John Fraizer <john () op-sec ! us>
Date: 2014-09-28 3:47:10
Message-ID: CALxrgMGQMMDSqGJGWOPajQmg_1883THK-eABNAQJhM7gpgiZUg () mail ! gmail ! com

I was contacted by Luca Bruno a couple of months ago regarding the
fastping.c utility that has been included with the MRLG code I wrote for
the past 14 years. It seems that fastping.c is vulnerable to a crafted
attack that can cause remote memory overwrite/corruption.

The fastping.c utility was only used by MRLG in the outside chance that the
"router" in question was Zebra/Quagga. Based on Google results, this is a
very minuscule minority of installations that utilize MRLG.

I was OCONUS with limited connectivity when Luca contacted me, in addition
to being up to my eyeballs dealing with a Southeast Asia network redesign.

Last night, I had some downtime and was able to put together a (superior?)
replacement for fastping.c that utilizes the existing ping utility on the
MRLG host system while emulating the Cisco IOS ping facility.

I have released MRLG 5.5.0 as of Sat Sep 27 03:16:28 UTC 2014. It is a
(nearly) drop-in replacement for all previous versions of MRLG that
addresses the issue that Luca Bruno and Mariano Graziano brought to light
in CVE-2014-3931. See: http://www.s3.eurecom.fr/cve/CVE-2014-3931.txt

The latest MRLG (5.5.0) is available at http://mrlg.op-sec.us/

I know that the details of this CVE were published at:
http://mailman.nanog.org/pipermail/nanog/2014-July/068014.html and
http://www.s3.eurecom.fr/lg/defcon_looking-glass.pdf
http://vrt-blog.snort.org/2014/09/looking-glasses-with-bacon.html
http://tools.cisco.com/security/center/viewAlert.x?alertId=35693
https://www.defcon.org/images/defcon-22/dc-22-presentations/Bruno-Graziano/DEFCON-22-Luca-Bruno-Mariano-Graziano-looking-glass-Updated.pdf
https://www.usenix.org/system/files/conference/woot14/woot14-bruno.pdf

There are likely many other locations at which CVE-2014-3931 is detailed.

I ask that the Quagga community make it known - via whatever channels -
that this vulnerability has been addressed and mitigated and that you
please point folks to http://mrlg.op-sec.us/ for the latest code. If you
are running ANY previous version of my code, you are strongly advised to
upgrade!

Additionally, the mrlg.cgi that is included in the /tools directory of
Quagga releases is sorely out of date. It's over 14 years old! It's
actually a version I wrote prior to "officially" releasing MRLG. While I
appreciate the trip down memory lane whenever I look at the code, it would
be a very good idea to replace it with the latest code.

Many thanks!

--
John Fraizer
ΥΣΜΧ