Bug 499033 - (CVE-2009-1572) CVE-2009-1572 quagga: crash in bgpd when receiving updates containing asn32
CVE-2009-1572 quagga: crash in bgpd when receiving updates containing asn32
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,source=debian,report...
: Security
: 498832 (view as bug list)
Depends On: 499960
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-04 16:56 EDT by Vincent Danen
Modified: 2009-05-22 02:14 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-05-22 02:14:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to fix the issue (15.63 KB, patch)
2009-05-04 16:57 EDT, Vincent Danen
no flags Details | Diff

  None (edit)
Description Vincent Danen 2009-05-04 16:56:23 EDT
A Debian bug report [1] noted that bgpd, when receiving updates containing asn32, would crash with an assertion error.  This was previously reported on the quagga mailing list [2].  A patch is available to fix the issue:

http://mirror.actusa.net/pub/sample-files/quagga-4ByteASN-Assert.patch

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526270
[2] http://www.gossamer-threads.com/lists/quagga/users/17769
Comment 1 Vincent Danen 2009-05-04 16:57:38 EDT
Created attachment 342384 [details]
patch to fix the issue

Attaching the patch for posterity.
Comment 2 Vincent Danen 2009-05-04 16:59:20 EDT
This only seems to affect quagga 0.99.10 and higher as it was reported that this is not an issue with 0.99.9.  As a result, this issue only affects Fedora 10 and newer, and does not affect Red Hat Enterprise Linux 3, 4, or 5.
Comment 3 Jiri Skala 2009-05-05 10:38:24 EDT
*** Bug 498832 has been marked as a duplicate of this bug. ***
Comment 4 Vincent Danen 2009-05-06 17:59:15 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1572 to
the following vulnerability:

Name: CVE-2009-1572
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1572
Assigned: 20090506
Reference: MLIST:[oss-security] 20090501 CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/1
Reference: MLIST:[oss-security] 20090501 Re: CVE request (sort of): Quagga BGP crasher
Reference: URL: http://www.openwall.com/lists/oss-security/2009/05/01/2
Reference: MLIST:[quagga-dev] 20090203 [quagga-dev 6391]  [PATCH] BGP 4-byte ASN bug fixes
Reference: URL: http://marc.info/?l=quagga-dev&m=123364779626078&w=2
Reference: MISC: http://thread.gmane.org/gmane.network.quagga.devel/6513
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526311
Reference: DEBIAN:DSA-1788
Reference: URL: http://www.debian.org/security/2009/dsa-1788
Reference: BID:34817
Reference: URL: http://www.securityfocus.com/bid/34817
Reference: OSVDB:54200
Reference: URL: http://www.osvdb.org/54200
Reference: SECUNIA:34999
Reference: URL: http://secunia.com/advisories/34999
Reference: XF:quagga-systemnumber-dos(50317)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50317

The BGP daemon (bgpd) in Quagga 0.99.11 and earlier allows remote
attackers to cause a denial of service (crash) via an AS path
containing ASN elements whose string representation is longer than
expected, which triggers an assert error.
Comment 5 Vincent Danen 2009-05-08 22:35:43 EDT
Upstream has released 0.99.12, which corrects the issue: http://www.quagga.net/news2.php?y=2009&m=5&d=8#id1241824920
Comment 6 Tomas Hoger 2009-05-18 06:26:58 EDT
(In reply to comment #2)
> This only seems to affect quagga 0.99.10 and higher as it was reported that
> this is not an issue with 0.99.9.

This is not an issue in versions prior to 0.99.10, as that is the first upstream version to include support for 4-byte AS numbers (AS4).  Similar code exists in older quagga versions (checked both 0.99.9 and 0.98.6), though as_t is defined there as 16-bit unsigned value, so the string representation is limited to 5 characters.

Ubuntu fixed this in 0.99.2 and 0.99.9 too (USN-775-1), though they should not need the patch there as far as I can see (they do not seem to have AS4 support in bgpd backported).

Jiri, I do see patched builds for F10+ in Koji, is that intentional that those builds have not been submitted in Bodhi yet?
Comment 7 Jiri Skala 2009-05-18 07:11:54 EDT
I wrote to upstream due to fix. I'm not satisfied with the patch because of calculation of new size in following function:

static void
aspath_make_str_big_enough (int len,
                            char **str_buf,
                            int *str_size,
                            int count_to_be_added)
{
#define TERMINATOR 1
  while (len + count_to_be_added + TERMINATOR > *str_size)
    {
      *str_size *= 2;
      *str_buf = XREALLOC (MTYPE_AS_STR, *str_buf, *str_size);
    }
#undef TERMINATOR
}

Do you think the line "*str_size *= 2;" couldn't be source of next CVE?
I have no reaction from upstream till today (sent 2009-05-11).

Jiri
Comment 8 Tomas Hoger 2009-05-18 11:08:26 EDT
(In reply to comment #7)
> Do you think the line "*str_size *= 2;" couldn't be source of next CVE?

This should not (integer) overflow with current use, so hopefully no CVE is needed.

aspath_make_str_count() loops through all segments (seg) in aspath structure (as), writing output to str_buf.

Initial size of str_buf is ASPATH_STR_DEFAULT_LEN (32) and the resize requests happen in two places: 1) extend by 1 at max once for each segment and 2) by (APPROX_DIG_CNT(seg->as[i]) + 1 + 1 + 1) (which is either 13 or 8, max 13 is for AS4, last + 1 + 1 is only needed once per segment) for each AS number.

Maximum number of AS numbers per segment is limited to AS_SEGMENT_MAX (255), see assegments_parse().  So the amount of data written to str_buf for one segment should be 1 + 255 * 13 at max (it's even lower actually).

There does not seem to be any explicit limit on the number of segments, but there seem to be an implicit limit one.  assegments_parse() has a limit on input stream size - length - which is size_t in assegments_parse().  assegments_parse() is called from aspath_parse(), which is called from bgp_attr_aspath() and bgp_attr_as4_path() (in bgpd/bgp_attr.c).  Here length's type is bgp_size_t, which is u_int16_t.

So the maximum length assegments_parse() can get as an argument is 2^16 - 1.  Let's ignore per-segment AS number limit / overhead of other headers and assume whole stream passed to assegments_parse() is just AS numbers.

- For 16-bit AS, we can not have more than 2^16 / 2 = 32768 AS numbers.  Even with one number per segment, str_buf does not need to be more than 32768 * (8 + 1) = 294912, so ~300kB.

- For 32-bit AS, we can not have more than 2^16 / 4 = 16384 AS numbers.  str_buf does not need to be more than 16384 * (13 + 1) = 229376, less than 250kB.

This is quite far from what can trigger integer overflow.  Please correct me if I do my math completely wrong or am missing something.
Comment 9 Fedora Update System 2009-05-20 09:49:30 EDT
quagga-0.99.12-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc10
Comment 10 Fedora Update System 2009-05-20 09:49:46 EDT
quagga-0.99.12-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/quagga-0.99.12-1.fc11
Comment 11 Fedora Update System 2009-05-21 19:23:43 EDT
quagga-0.99.12-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-05-21 19:30:51 EDT
quagga-0.99.12-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.