A buffer overflow exists in the IPv6 (Router Advertisement) code in Zebra. The issue can be triggered on an IPv6 address where the Quagga daemon is reachable by a RA (Router Advertisement) or IPv6 ICMP message. The issue leads to a crash of the zebra daemon. In specific circumstances this vulnerability may allow remote code execution.

Upstream patch:
https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546

References:
http://www.gossamer-threads.com/lists/quagga/users/31952

Workarounds:
Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd suppress-ra" configured under all interfaces). Make sure to have it disabled on ALL interfaces.

Created quagga tracking bugs for this issue:
Affects: fedora-all [bug 1386110]

On RHEL (and Fedora), the usage of the -fstack-protector compilation flag limits the impact of this stack-based buffer overflow to a crash (denial-of-service) in the zebra daemon. Our CVSS scores reflect this fact.

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2017:0794 https://rhn.redhat.com/errata/RHSA-2017-0794.html
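
One way to check the workaround from the description, as an added example that is not part of this bug report or of Quagga: it audits a zebra.conf for interfaces that lack an explicit "ipv6 nd suppress-ra". It assumes the usual stanza layout ("interface NAME" followed by indented lines); the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample zebra.conf (not taken from the bug report).
SAMPLE_CONF = """\
hostname router1
!
interface eth0
 ipv6 address 2001:db8:1::1/64
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 address 2001:db8:2::1/64
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8:2::/64
!
interface eth2
 description uplink, no RA line at all
!
interface eth3
 no ipv6 nd suppress-ra
 ipv6 nd suppress-ra
!
line vty
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")

def audit_suppress_ra(conf_text):
    """Map each interface to 'suppressed', 'ra-enabled' or 'not-explicit'."""
    status = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            status.setdefault(current, "not-explicit")
        elif raw and not raw[0].isspace():
            current = None  # "!" or any other top-level line ends the stanza
        elif current and line == "ipv6 nd suppress-ra":
            status[current] = "suppressed"  # a later directive overrides an earlier one
        elif current and line == "no ipv6 nd suppress-ra":
            status[current] = "ra-enabled"
    return status

def interfaces_needing_workaround(conf_text):
    """Interfaces where the workaround is not explicitly in place."""
    return sorted(i for i, s in audit_suppress_ra(conf_text).items() if s != "suppressed")

if __name__ == "__main__":
    for name, state in audit_suppress_ra(SAMPLE_CONF).items():
        print(f"{name}: {state}")
```

The check is deliberately strict, following the workaround's wording: an interface with no RA line at all is reported for review rather than assumed safe.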