The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message containing cluster-list and/or unknown attributes. This issue can be triggered by an optional/transitive UPDATE attribute that all conforming eBGP speakers should pass along. This means this may be triggerable in many affected Quagga bgpd processes across a wide area of a network, because of just one UPDATE message. This issue could result in a crash of bgpd, or even allow a remote attacker to gain control of an affected bgpd process. All versions are likely affected.
Acknowledgments: Name: the Quagga project
Created attachment 1392685: Upstream patch
External References: https://www.quagga.net/security/Quagga-2018-1114.txt
Statement: Glibc's heap protection mitigations render this issue more difficult to exploit, though bypasses may still be possible.
Created quagga tracking bugs for this issue: Affects: fedora-all [bug 1546008]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 via RHSA-2018:0377 https://access.redhat.com/errata/RHSA-2018:0377
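
For triage of captured UPDATE traffic while unpatched speakers remain, the following added example (not Quagga code and not part of the advisory) walks the Path Attributes field of one UPDATE with full bounds checks and counts the two attribute classes the description names: CLUSTER_LIST, and unrecognised attributes flagged optional and transitive. The names `summarize_attrs` and `is_known`, the set of recognised type codes, and the sample bytes are assumptions made for illustration; the code only classifies attributes and does not reproduce the flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Path attribute flag bits, RFC 4271 section 4.3 */
#define F_OPTIONAL     0x80
#define F_TRANSITIVE   0x40
#define F_EXT_LEN      0x10
#define T_CLUSTER_LIST 10      /* RFC 4456 */
struct attr_summary { int total, cluster_list, unknown_transit, malformed; };

/* Assumption: type codes this sketch counts as recognised */
static int is_known(uint8_t t) { return (t >= 1 && t <= 10) || (t >= 14 && t <= 18); }

/* Walk the Path Attributes field of one UPDATE; every read is bounds-checked. */
struct attr_summary summarize_attrs(const uint8_t *p, size_t len) {
    struct attr_summary s = {0, 0, 0, 0};
    size_t off = 0;
    while (off < len) {
        size_t hdr = 3, alen;
        if (len - off < hdr) { s.malformed = 1; break; }
        uint8_t flags = p[off], type = p[off + 1];
        alen = p[off + 2];
        if (flags & F_EXT_LEN) {               /* two-octet length field */
            hdr = 4;
            if (len - off < hdr) { s.malformed = 1; break; }
            alen = ((size_t)p[off + 2] << 8) | p[off + 3];
        }
        if (alen > len - off - hdr) { s.malformed = 1; break; }
        s.total++;
        if (type == T_CLUSTER_LIST)
            s.cluster_list++;
        else if (!is_known(type) && (flags & F_OPTIONAL) && (flags & F_TRANSITIVE))
            s.unknown_transit++;               /* passed along by speakers that do not know it */
        off += hdr + alen;
    }
    return s;
}

/* Constructed sample: ORIGIN, CLUSTER_LIST, and type 255 marked optional+transitive */
static const uint8_t SAMPLE[] = { 0x40, 0x01, 0x01, 0x00,
                                  0x80, 0x0a, 0x04, 0x0a, 0x00, 0x00, 0x01,
                                  0xc0, 0xff, 0x02, 0x00, 0x00 };

int main(void) {
    struct attr_summary s = summarize_attrs(SAMPLE, sizeof SAMPLE);
    printf("attrs=%d cluster_list=%d unknown_transitive=%d malformed=%d\n",
           s.total, s.cluster_list, s.unknown_transit, s.malformed);
    return 0;
}
```

Both attribute classes occur in ordinary routing traffic, so a non-zero count is a prompt to check the patch level of the receiving speaker, not an indicator of compromise.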