Bug 499033 (CVE-2009-1572)
Field | Value
---|---
Summary | CVE-2009-1572 quagga: crash in bgpd when receiving updates containing asn32
Product | [Other] Security Response
Component | vulnerability
Status | CLOSED ERRATA
Severity | high
Priority | high
Version | unspecified
Hardware | All
OS | Linux
Reporter | Vincent Danen <vdanen>
Assignee | Red Hat Product Security <security-response-team>
CC | dusan, jskala
Keywords | Security
Doc Type | Bug Fix
Last Closed | 2009-05-22 06:14:33 UTC
Bug Depends On | 499960
Attachments | 342384: patch to fix the issue
Description
Vincent Danen
2009-05-04 20:56:23 UTC
Created attachment 342384: patch to fix the issue

Attaching the patch for posterity.

This only seems to affect quagga 0.99.10 and higher, as it was reported that this is not an issue with 0.99.9. As a result, this issue only affects Fedora 10 and newer, and does not affect Red Hat Enterprise Linux 3, 4, or 5.

*** Bug 498832 has been marked as a duplicate of this bug. ***

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1572 to the following vulnerability:

Name: CVE-2009-1572
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1572
Assigned: 20090506
Reference: MLIST:[oss-security] 20090501 CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/1
Reference: MLIST:[oss-security] 20090501 Re: CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/2
Reference: MLIST:[quagga-dev] 20090203 [quagga-dev 6391] [PATCH] BGP 4-byte ASN bug fixes
Reference: URL: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
Reference: MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
Reference: DEBIAN:DSA-1788
Reference: URL: http://www.debian.org/security/2009/dsa-1788
Reference: BID:34817
Reference: URL: http://www.securityfocus.com/bid/34817
Reference: OSVDB:54200
Reference: URL: http://www.osvdb.org/54200
Reference: SECUNIA:34999
Reference: URL: http://secunia.com/advisories/34999
Reference: XF:quagga-systemnumber-dos(50317)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50317

The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote attackers to cause a denial of service (crash) via an AS path containing ASN elements whose string representation is longer than expected, which triggers an assert error.

Upstream has released 0.99.12, which corrects the issue: http://www.quagga.net/news2.php?y=2009&m=5&d=8#id1241824920

(In reply to comment #2)
> This only seems to affect quagga 0.99.10 and higher as it was reported that
> this is not an issue with 0.99.9.

This is not an issue in versions prior to 0.99.10, as that is the first upstream version to include support for 4-byte AS numbers (AS4). Similar code exists in older quagga versions (checked both 0.99.9 and 0.98.6), though as_t is defined there as a 16-bit unsigned value, so the string representation is limited to 5 characters.

Ubuntu fixed this in 0.99.2 and 0.99.9 too (USN-775-1), though they should not need the patch there as far as I can see (they do not seem to have AS4 support in bgpd backported).

Jiri, I do see patched builds for F10+ in Koji; is it intentional that those builds have not been submitted in Bodhi yet?

I wrote to upstream about the fix. I'm not satisfied with the patch because of the calculation of the new size in the following function:

    static void
    aspath_make_str_big_enough (int len, char **str_buf, int *str_size, int count_to_be_added)
    {
    #define TERMINATOR 1
      while (len + count_to_be_added + TERMINATOR > *str_size)
        {
          *str_size *= 2;
          *str_buf = XREALLOC (MTYPE_AS_STR, *str_buf, *str_size);
        }
    #undef TERMINATOR
    }

Do you think the line "*str_size *= 2;" couldn't be the source of the next CVE? I have had no reaction from upstream as of today (sent 2009-05-11).

Jiri

(In reply to comment #7)
> Do you think the line "*str_size *= 2;" couldn't be source of next CVE?

This should not (integer) overflow with current use, so hopefully no CVE is needed.

aspath_make_str_count() loops through all segments (seg) in the aspath structure (as), writing output to str_buf. The initial size of str_buf is ASPATH_STR_DEFAULT_LEN (32), and the resize requests happen in two places:

1) extend by 1, at most once for each segment, and
2) extend by (APPROX_DIG_CNT(seg->as[i]) + 1 + 1 + 1) for each AS number (which is either 13 or 8; the max of 13 is for AS4, and the last + 1 + 1 is only needed once per segment).

The maximum number of AS numbers per segment is limited to AS_SEGMENT_MAX (255), see assegments_parse(). So the amount of data written to str_buf for one segment should be 1 + 255 * 13 at most (it's even lower actually).

There does not seem to be any explicit limit on the number of segments, but there seems to be an implicit one. assegments_parse() has a limit on the input stream size - length - which is size_t in assegments_parse(). assegments_parse() is called from aspath_parse(), which is called from bgp_attr_aspath() and bgp_attr_as4_path() (in bgpd/bgp_attr.c). Here length's type is bgp_size_t, which is u_int16_t. So the maximum length assegments_parse() can get as an argument is 2^16 - 1.

Let's ignore the per-segment AS number limit / overhead of other headers and assume the whole stream passed to assegments_parse() is just AS numbers.

- For 16-bit AS, we can not have more than 2^16 / 2 = 32768 AS numbers. Even with one number per segment, str_buf does not need to be more than 32768 * (8 + 1) = 294912, so ~300kB.
- For 32-bit AS, we can not have more than 2^16 / 4 = 16384 AS numbers. str_buf does not need to be more than 16384 * (13 + 1) = 229376, less than 250kB.

This is quite far from what can trigger integer overflow. Please correct me if I did my math completely wrong or am missing something.

quagga-0.99.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc10

quagga-0.99.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc11

quagga-0.99.12-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

quagga-0.99.12-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
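The buffer-growth reasoning in the two comments above (the patch's aspath_make_str_big_enough() quoted in comment #7 and the reply's worst-case arithmetic), as an added example that is not Quagga's code and not from this bug report. It models the doubling growth with plain realloc(), renders constructed AS paths of 4-byte ASNs through it, including a full 255-entry segment, and recomputes the reply's 2^16-byte-attribute bound, going one step further than the thread by showing the buffer size the doubling actually lands on. render_path(), render_repeated(), worst_case_str_bytes(), final_buffer_size(), the sample path and the INT_MAX guard are assumptions made for this example.

```c
/* Added example, not Quagga code and not from this bug report: a model of the bgpd
 * AS-path string builder discussed above. It keeps the doubling growth of
 * aspath_make_str_big_enough() (realloc instead of XREALLOC), renders constructed AS
 * paths through it and recomputes the worst-case bound from the thread. render_path(),
 * render_repeated(), worst_case_str_bytes(), final_buffer_size() and sample_path are
 * assumptions made here; the INT_MAX guard is added here, not in the patch. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASPATH_STR_DEFAULT_LEN 32  /* initial str_buf size named in the thread */
#define AS_SEGMENT_MAX 255         /* per-segment cap enforced by assegments_parse() */
#define TERMINATOR 1               /* room for the trailing NUL */

/* Constructed sample path (not a captured UPDATE): the largest AS4 number,
 * the first AS4-only number and a one-digit number. */
const uint32_t sample_path[] = { 4294967295u, 65536u, 1u };

/* strlen() of the rendered path (-1 on failure), final str_buf size after all
 * doublings, and the first bytes of the string for inspection. */
struct render_stats { long len; int size; char head[32]; };

/* Grow *str_buf by doubling until len + to_add + NUL fits, as the patch's
 * aspath_make_str_big_enough() does; -1 instead of doubling past INT_MAX or on
 * realloc() failure. */
static int make_str_big_enough(int len, char **str_buf, int *str_size, int to_add)
{
    while (len + to_add + TERMINATOR > *str_size) {
        if (*str_size > INT_MAX / 2) return -1;
        *str_size *= 2;
        char *p = realloc(*str_buf, (size_t)*str_size);
        if (p == NULL) return -1;
        *str_buf = p;
    }
    return 0;
}

/* Render `count` AS numbers as "A B C", reserving 10 digits + 1 separator per
 * number before each write, like the thread's per-number estimate. */
struct render_stats render_path(const uint32_t *as, int count)
{
    struct render_stats st = { -1, 0, "" };
    int len = 0, size = ASPATH_STR_DEFAULT_LEN;
    char *buf = malloc((size_t)size);
    if (buf == NULL) return st;
    buf[0] = '\0';
    for (int i = 0; i < count; i++) {
        if (make_str_big_enough(len, &buf, &size, 10 + 1) < 0) { free(buf); return st; }
        if (i > 0) buf[len++] = ' ';
        len += snprintf(buf + len, (size_t)(size - len), "%u", (unsigned)as[i]);
    }
    st.len = len;
    st.size = size;
    snprintf(st.head, sizeof st.head, "%s", buf);
    free(buf);
    return st;
}

/* One full segment of identical ASNs, the worst single segment AS_SEGMENT_MAX allows. */
struct render_stats render_repeated(uint32_t asn, int count)
{
    uint32_t as[AS_SEGMENT_MAX];
    if (count < 0 || count > AS_SEGMENT_MAX) return (struct render_stats){ -1, 0, "" };
    for (int i = 0; i < count; i++) as[i] = asn;
    return render_path(as, count);
}

/* Upper bound from the thread: an attribute of attr_len bytes that is nothing
 * but ASNs of as_bytes each, one per segment, at 13 (AS4) or 8 (AS2) bytes per
 * number plus 1 per segment. */
long worst_case_str_bytes(int attr_len, int as_bytes)
{
    return (long)(attr_len / as_bytes) * ((as_bytes == 4 ? 13 : 8) + 1);
}

/* Size str_buf ends up with after doubling from 32 until `needed` + NUL fits. */
int final_buffer_size(long needed)
{
    int size = ASPATH_STR_DEFAULT_LEN;
    while (needed + TERMINATOR > size) size *= 2;
    return size;
}

int main(void)
{
    struct render_stats st = render_path(sample_path, 3);
    printf("sample: \"%s\" len=%ld buffer=%d\n", st.head, st.len, st.size);
    st = render_repeated(4294967295u, AS_SEGMENT_MAX);
    printf("255 x AS4294967295: len=%ld buffer=%d\n", st.len, st.size);
    for (int as_bytes = 2; as_bytes <= 4; as_bytes += 2) {
        long need = worst_case_str_bytes(1 << 16, as_bytes);
        printf("%d-byte ASNs: <= %ld bytes, buffer grows to %d, INT_MAX %d\n",
               as_bytes, need, final_buffer_size(need), INT_MAX);
    }
    return 0;
}
```

Build with `cc -std=c11 -Wall` and run. The full 255-entry AS4 segment needs 2804 bytes and lands on a 4096-byte buffer; the reply's 2^16-byte worst cases (294912 and 229376 bytes) land on 524288 and 262144, so the doubling stays many orders of magnitude below INT_MAX. The guard in make_str_big_enough() returns -1 rather than doubling past INT_MAX, which is the failure mode comment #7 asked about, and is cheap enough to keep even though the thread's bound shows it cannot trigger from a single attribute.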