Bug 499033 (CVE-2009-1572)

Summary: CVE-2009-1572 quagga: crash in bgpd when receiving updates containing asn32
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
Hardware: All
OS: Linux
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
CC: dusan, jskala
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2009-05-22 06:14:33 UTC
Bug Depends On: 499960
Attachments: patch to fix the issue (flags: none)

Description Vincent Danen 2009-05-04 20:56:23 UTC
A Debian bug report [1] noted that bgpd, when receiving updates containing asn32, would crash with an assertion error.  This was previously reported on the quagga mailing list [2].  A patch is available to fix the issue:

http://mirror.actusa.net/pub/sample-files/quagga-4ByteASN-Assert.patch

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526270
[2] http://www.gossamer-threads.com/lists/quagga/users/17769

Comment 1 Vincent Danen 2009-05-04 20:57:38 UTC
Created attachment 342384 [details]
patch to fix the issue

Attaching the patch for posterity.

Comment 2 Vincent Danen 2009-05-04 20:59:20 UTC
This only seems to affect quagga 0.99.10 and higher as it was reported that this is not an issue with 0.99.9.  As a result, this issue only affects Fedora 10 and newer, and does not affect Red Hat Enterprise Linux 3, 4, or 5.

Comment 3 Jiri Skala 2009-05-05 14:38:24 UTC
*** Bug 498832 has been marked as a duplicate of this bug. ***

Comment 4 Vincent Danen 2009-05-06 21:59:15 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1572 to the following vulnerability:

Name: CVE-2009-1572
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1572
Assigned: 20090506
Reference: MLIST:[oss-security] 20090501 CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/1
Reference: MLIST:[oss-security] 20090501 Re: CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/2
Reference: MLIST:[quagga-dev] 20090203 [quagga-dev 6391]  [PATCH] BGP 4-byte ASN bug fixes
Reference: URL: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
Reference: MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
Reference: DEBIAN:DSA-1788
Reference: URL: http://www.debian.org/security/2009/dsa-1788
Reference: BID:34817
Reference: URL: http://www.securityfocus.com/bid/34817
Reference: OSVDB:54200
Reference: URL: http://www.osvdb.org/54200
Reference: SECUNIA:34999
Reference: URL: http://secunia.com/advisories/34999
Reference: XF:quagga-systemnumber-dos(50317)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50317

The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote attackers to cause a denial of service (crash) via an AS path containing ASN elements whose string representation is longer than expected, which triggers an assert error.

Comment 5 Vincent Danen 2009-05-09 02:35:43 UTC
Upstream has released 0.99.12, which corrects the issue: http://www.quagga.net/news2.php?y=2009&m=5&d=8#id1241824920

Comment 6 Tomas Hoger 2009-05-18 10:26:58 UTC
(In reply to comment #2)
> This only seems to affect quagga 0.99.10 and higher as it was reported that
> this is not an issue with 0.99.9.

This is not an issue in versions prior to 0.99.10, as that is the first upstream version to include support for 4-byte AS numbers (AS4).  Similar code exists in older quagga versions (checked both 0.99.9 and 0.98.6), though as_t is defined there as a 16-bit unsigned value, so the string representation is limited to 5 characters.

Ubuntu fixed this in 0.99.2 and 0.99.9 too (USN-775-1), though they should not need the patch there as far as I can see (they do not seem to have AS4 support in bgpd backported).

Jiri, I do see patched builds for F10+ in Koji, is that intentional that those builds have not been submitted in Bodhi yet?

Comment 7 Jiri Skala 2009-05-18 11:11:54 UTC
I wrote to upstream about the fix. I'm not satisfied with the patch because of the calculation of the new size in the following function:

static void
aspath_make_str_big_enough (int len,
                            char **str_buf,
                            int *str_size,
                            int count_to_be_added)
{
#define TERMINATOR 1
  /* Double the buffer until the bytes already written (len), the bytes
     about to be appended and the trailing NUL all fit. */
  while (len + count_to_be_added + TERMINATOR > *str_size)
    {
      *str_size *= 2;
      *str_buf = XREALLOC (MTYPE_AS_STR, *str_buf, *str_size);
    }
#undef TERMINATOR
}

Do you think the line "*str_size *= 2;" couldn't be the source of the next CVE?
I have had no reaction from upstream so far (sent 2009-05-11).

Jiri

Comment 8 Tomas Hoger 2009-05-18 15:08:26 UTC
(In reply to comment #7)
> Do you think the line "*str_size *= 2;" couldn't be source of next CVE?

This should not (integer) overflow with current use, so hopefully no CVE is needed.

aspath_make_str_count() loops through all segments (seg) in aspath structure (as), writing output to str_buf.

Initial size of str_buf is ASPATH_STR_DEFAULT_LEN (32) and the resize requests happen in two places: 1) extend by 1 at max once for each segment and 2) by (APPROX_DIG_CNT(seg->as[i]) + 1 + 1 + 1) (which is either 13 or 8, max 13 is for AS4, last + 1 + 1 is only needed once per segment) for each AS number.

Maximum number of AS numbers per segment is limited to AS_SEGMENT_MAX (255), see assegments_parse().  So the amount of data written to str_buf for one segment should be 1 + 255 * 13 at max (it's even lower actually).

There does not seem to be any explicit limit on the number of segments, but there seems to be an implicit one.  assegments_parse() has a limit on input stream size - length - which is size_t in assegments_parse().  assegments_parse() is called from aspath_parse(), which is called from bgp_attr_aspath() and bgp_attr_as4_path() (in bgpd/bgp_attr.c).  Here length's type is bgp_size_t, which is u_int16_t.

So the maximum length assegments_parse() can get as an argument is 2^16 - 1.  Let's ignore per-segment AS number limit / overhead of other headers and assume whole stream passed to assegments_parse() is just AS numbers.

- For 16-bit AS, we cannot have more than 2^16 / 2 = 32768 AS numbers.  Even with one number per segment, str_buf does not need to be more than 32768 * (8 + 1) = 294912, so ~300kB.

- For 32-bit AS, we cannot have more than 2^16 / 4 = 16384 AS numbers.  str_buf does not need to be more than 16384 * (13 + 1) = 229376, less than 250kB.

This is quite far from what can trigger integer overflow.  Please correct me if I do my math completely wrong or am missing something.
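
As an added illustration (not code from this bug or from quagga), the following C model replays the doubling logic from comment 7 against the bounds derived in comment 8, so the peak capacity reached for a full 2^16-byte attribute can be checked directly. The constants, the function names and the overflow/realloc guards are assumptions of this example; the guards go beyond the original patch, which has neither.

```c
#include <limits.h>
#include <stdlib.h>

/* Assumed constants, taken from the figures quoted in comment 8. */
#define ASPATH_STR_DEFAULT_LEN 32      /* initial str_buf size            */
#define MAX_STREAM_LEN 65536           /* 2^16: bgp_size_t is u_int16_t   */
#define GROWTH_AS2 (8 + 1)             /* APPROX_DIG_CNT + separator, AS2 */
#define GROWTH_AS4 (13 + 1)            /* APPROX_DIG_CNT + separator, AS4 */

/* Model of the patch's sizing step (hypothetical name): double the
 * capacity until len + to_add + NUL fits.  Unlike the patch it refuses
 * to double past INT_MAX and checks the realloc result.  Returns 0 on
 * success, -1 on overflow or allocation failure. */
int make_str_big_enough(int len, char **buf, int *size, int to_add)
{
    while (len + to_add + 1 > *size) {
        if (*size > INT_MAX / 2)
            return -1;                 /* doubling would overflow int */
        *size *= 2;
        char *nb = realloc(*buf, (size_t)*size);
        if (nb == NULL)
            return -1;
        *buf = nb;
    }
    return 0;
}

/* Simulate appending n_as AS numbers, each reserving `growth` bytes, and
 * return the final capacity str_buf reached (-1 if sizing failed). */
int final_buf_size(int n_as, int growth)
{
    int size = ASPATH_STR_DEFAULT_LEN, len = 0;
    char *buf = malloc((size_t)size);
    if (buf == NULL)
        return -1;
    for (int i = 0; i < n_as; i++) {
        if (make_str_big_enough(len, &buf, &size, growth) != 0) {
            free(buf);
            return -1;
        }
        len += growth;                 /* pretend the digits were written */
    }
    free(buf);
    return size;
}

/* Upper bounds on AS numbers per attribute, as derived in comment 8. */
int max_as2_numbers(void) { return MAX_STREAM_LEN / 2; }   /* 32768 */
int max_as4_numbers(void) { return MAX_STREAM_LEN / 4; }   /* 16384 */
```

With these bounds the capacity tops out at 512 KiB (AS2) and 256 KiB (AS4), consistent with comment 8's conclusion that the doubling is nowhere near integer overflow.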

Comment 9 Fedora Update System 2009-05-20 13:49:30 UTC
quagga-0.99.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc10

Comment 10 Fedora Update System 2009-05-20 13:49:46 UTC
quagga-0.99.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc11

Comment 11 Fedora Update System 2009-05-21 23:23:43 UTC
quagga-0.99.12-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2009-05-21 23:30:51 UTC
quagga-0.99.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.