{"vuid":"VU#940439","idnumber":"940439","name":"Quagga bgpd is affected by multiple vulnerabilities","keywords":["bgpd","buffer","out-of-bounds"],"overview":"The Quagga BGP daemon bgpd prior to version 1.2.3 may be vulnerable to multiple issues that may result in denial of service, information disclosure, or remote code execution.","clean_desc":"CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-5378 (Quagga-2018-0543) The Quagga BGP daemon, bgpd, does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or it may crash. CWE-415: Double Free - CVE-2018-5379 (Quagga-2018-1114) The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. CWE-125: Out-of-bounds Read - CVE-2018-5380 (Quagga-2018-1550) The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input. CWE-228: Improper Handling of Syntactically Invalid Structure - CVE-2018-5381 (Quagga-2018-1975) The Quagga BGP daemon, bgpd, had a bug in its parsing of \"Capabilities\" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI. For more information, please see Quagga's version 1.2.3 release announcement. The CVSS score below is based on CVE-2018-5379.","impact":"An unauthenticated, remote attacker may be able to use crafted input to result in a crash of bgpd or even allow a remote attacker to gain control of an affected bgpd process.","resolution":"Apply an update Quagga has released bgpd version 1.2.3 to address these issues. Affected users should apply an update as soon as possible.","workarounds":"","sysaffected":"","thanks":"The Quagga developers thank Alban Browaeys, Balaji Gurudoss, Borg, Scott Leggett and Debian QA Group, Eugene Bogomazov, Evgeny Uskov, Gerrie Roos, Mathieu Jadin, Pier Carlo Chiodi, and Rolf Eike Beer.","author":"This document was written by Garret Wassermann.","public":["http://savannah.nongnu.org/forum/forum.php?forum_id=9095","http://cwe.mitre.org/data/definitions/119.html","http://cwe.mitre.org/data/definitions/125.html","http://cwe.mitre.org/data/definitions/228.html","http://cwe.mitre.org/data/definitions/415.html"],"cveids":["CVE-2018-5378","CVE-2018-5379","CVE-2018-5380","CVE-2018-5381"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2018-02-06T20:06:07Z","publicdate":"2018-02-15T00:00:00Z","datefirstpublished":"2018-02-15T22:10:02Z","dateupdated":"2018-02-19T18:40:36Z","revision":45,"vrda_d1_directreport":"1","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"ND","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"9.3","cvss_basevector":"AV:N/AC:M/Au:N/C:C/I:C/A:C","cvss_temporalscore":"7.3","cvss_environmentalscore":"7.30709030016","cvss_environmentalvector":"CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}