Bug 1386109 (CVE-2016-1245)

Summary: CVE-2016-1245 quagga: Buffer Overflow in IPv6 RA handling
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: balajig81, fweimer, mruprich, msekleta, vincent.jardin
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Quagga 1.0.20161017 Doc Type: If docs needed, set a value
Doc Text:
A stack-based buffer overflow flaw was found in the way Quagga handled IPv6 router advertisement messages. A remote attacker could use this flaw to crash the zebra daemon resulting in denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:00:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1386110, 1391914    
Bug Blocks: 1386080, 1386111    

Description Andrej Nemec 2016-10-18 07:58:56 UTC 
A buffer overflow exists in the IPv6 (Router Advertisement) code in Zebra. The issue can be triggered on an IPv6 address where the Quagga daemon is reachable by a RA (Router Advertisement or IPv6 ICMP message. The issue leads to a crash of the zebra daemon. In specific circumstances this vulnerability may allow remote code execution.

Upstream patch:

https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546

References:

http://www.gossamer-threads.com/lists/quagga/users/31952

Workarounds:

Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd suppress-ra" configured under all interfaces).  Make sure to have it disabled on ALL interfaces.
Comment 1 Andrej Nemec 2016-10-18 07:59:19 UTC 
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1386110]
Comment 7 Dhiru Kholia 2016-10-21 08:18:19 UTC 
On RHEL (and Fedora), the usage of -fstack-protector compilation flag limits the impact of this stack-based buffer overflow to a crash (denial-of-service) in the zebra daemon. Our CVSS scores reflect this fact.
Comment 11 errata-xmlrpc 2017-03-21 11:56:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0794 https://rhn.redhat.com/errata/RHSA-2017-0794.html