Bug 817580 (CVE-2012-1820)

Summary: CVE-2012-1820 quagga (bgpd): Assertion failure by processing BGP OPEN message with malformed ORF capability TLV (VU#962587)
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: atkac, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120603,reported=20120425,source=cert,cvss2=2.9/AV:A/AC:M/Au:N/C:N/I:N/A:P,rhel-5/quagga=notaffected,rhel-6/quagga=affected,fedora-all/quagga=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-13 12:49:55 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 829266, 845528, 845529    
Bug Blocks: 738408    
Description Flags
fixing patch none

Description Jan Lieskovsky 2012-04-30 10:39:21 EDT
A denial of service flaw was found in the way Quagga's bgpd daemon processed certain OPEN messages. A configured Border Gateway Protocol (BGP) peer could send a BGP OPEN message with specially-crafted value of the Outbound Route Filtering (ORF) capability Type/Length/Value (TLV) triplet, which would cause the master BGP daemon (bgpd) to abort with an assertion failure by processing of such a message. Also, all BGP sessions established by the attacked router would be closed and its BGP routing disrupted.
Comment 2 Jan Lieskovsky 2012-04-30 10:49:02 EDT
This issue affects the version of the quagga package, as shipped with Red Hat Enterprise Linux 6.


This issue affects the versions of the quagga package, as shipped with Fedora release of 15 and 16.
Comment 5 Jan Lieskovsky 2012-06-06 06:50:53 EDT
US-CERT Vulnerability Note VU#962587:
[1] http://www.kb.cert.org/vuls/id/962587
Comment 6 Jan Lieskovsky 2012-06-06 06:53:31 EDT
Created quagga tracking bugs for this issue

Affects: fedora-all [bug 829266]
Comment 7 Denis Ovsienko 2012-06-06 07:10:40 EDT
Created attachment 589837 [details]
fixing patch

Attached is a copy of the original fix: https://github.com/Quagga-RE/quagga-RE/commit/790d1e263e8800bc49d0038d481591ecb4e37b88
Comment 8 Fedora Update System 2012-06-19 10:55:42 EDT
quagga-0.99.21-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-06-19 11:02:00 EDT
quagga- has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-06-19 11:07:39 EDT
quagga-0.99.21-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2012-09-12 16:06:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1259 https://rhn.redhat.com/errata/RHSA-2012-1259.html
Comment 14 Murray McAllister 2012-09-12 22:56:27 EDT

Red Hat would like to thank the CERT/CC for reporting this issue. The CERT/CC acknowledges Denis Ovsienko as the original reporter.