Bug 1542985 (CVE-2018-5379)

Summary: CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: balajig81, bennie.joubert, gerd, jaskalnik, mruprich, msekleta, olysonek, security-response-team, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: quagga 1.2.3 Doc Type: If docs needed, set a value
Doc Text:
A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:39:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1546007, 1546008, 1546015, 1546016    
Bug Blocks: 1543001    
Attachments:
Description Flags
Upstream patch none

Description Adam Mariš 2018-02-07 14:07:20 UTC 
The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

This issue can be triggered by an optional/transitive UPDATE attribute, that all conforming eBGP speakers should pass along.  This means this may triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message.

This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process.

All versions are likely affected.
Comment 1 Adam Mariš 2018-02-07 14:07:23 UTC 
Acknowledgments:

Name: the Quagga project
Comment 2 Adam Mariš 2018-02-07 14:24:25 UTC 
Created attachment 1392685 [details]
Upstream patch
Comment 3 Doran Moppert 2018-02-13 04:15:37 UTC 
External References:

https://www.quagga.net/security/Quagga-2018-1114.txt
Comment 4 Doran Moppert 2018-02-13 05:02:30 UTC 
Statement:

Glibc's heap protection mitigations render this issue more difficult to exploit, though bypasses may still be possible.
Comment 5 Doran Moppert 2018-02-16 04:37:19 UTC 
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1546008]
Comment 8 errata-xmlrpc 2018-02-28 18:27:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0377 https://access.redhat.com/errata/RHSA-2018:0377