CVE-2016-2342
Published 2016-03-17
CVE-2016-2342: The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used…
Priority P356 · high · 8.1 · CVSS 3.0
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.11% (95.6th percentile)
The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| quagga | quagga | — | — |
| quagga | quagga | >= 0 < 0.99.22.4-3ubuntu1.1 | 0.99.22.4-3ubuntu1.1 |
CVSS provenance
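| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | | 8.1 | HIGH | |
| vendor_redhat | | 8.1 | HIGH | |
| vendor_ubuntu | | 2.6 | LOW | |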
GHSA
GHSA-jm86-8c92-649g: The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-119
OSV
quagga vulnerabilities
osv · 2016-03-24 · CVSS 2.6 · LOW
Kostya Kortchinsky discovered that Quagga incorrectly handled certain route
data when configured with BGP peers enabled for VPNv4. A remote attacker
could use this issue to cause Quagga to crash, resulting in a denial of
service, or possibly execute arbitrary code. (CVE-2016-2342)
It was discovered that Quagga incorrectly handled messages with a large
LSA when used in certain configurations. A remote attacker could use this
issue to cause Quagga to crash, resulting in a denial of service. This
issue only affected Ubuntu 12.04 LTS. (CVE-2013-2236)
OSV
CVE-2016-2342: The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn
osv · 2016-03-17 · CVSS 8.1 · HIGH
Ubuntu
Quagga vulnerabilities
vendor_ubuntu · 2016-03-24 · CVSS 2.6 · LOW · CVE-2013-2236
Title: Quagga vulnerabilities
Summary: Quagga could be made to crash or run programs if it received specially
crafted network traffic.
Instructions: After a standard system update you need to restart Quagga to make all the
necessary changes.
Red Hat
quagga: VPNv4 NLRI parser memcpys to stack on unchecked length
vendor_redhat · 2016-03-09 · CVSS 8.1 · HIGH · CWE-121
A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service.
Package: quagga (Red Hat Enterprise Linux 5) - Will not fix
Package: quagga (Red Hat Enterprise Linux 7) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-2342 quagga: VPNv4 NLRI parses memcpys to stack on unchecked length [fedora-all]
bugzilla · 2016-03-10 · CVSS 8.1 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2016-2342 quagga: VPNv4 NLRI parser memcpys to stack on unchecked length
bugzilla · 2016-03-10 · CVSS 8.1 · HIGH
bgpd: Fix VU#270232, VPNv4 NLRI parser memcpys to stack on unchecked length
A vulnerability was found in a way VPNv4 NLRI parser copied packet data to the stack. Memcpy to stack data structure based on length field from packet data whose length field upper-bound was not properly checked.
This likely allows BGP peers that are enabled to send Labeled-VPN SAFI routes to Quagga bgpd to remotely exploit Quagga bgpd.
Mitigation: Do not enable Labeled-VPN SAFI with untrusted neighbours.
Impact: Labeled-VPN SAFI is not enabled by default.
* bgp_mplsvpn.c: (bgp_nlri_parse_vpnv4) The prefixlen is checked for
lower-bound, but not for upper-bound against received data length.
The packet data is then memcpy'd to the stac
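The missing upper-bound check described in the commit message above can be illustrated with a simplified VPNv4 NLRI entry parser. This is an added example, not Quagga's code or its patch: the struct and function names are hypothetical, and the layout assumed is the VPNv4 encoding of a 1-octet bit length covering a 3-octet label, an 8-octet route distinguisher and an IPv4 prefix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VPN_HDR_BITS  88  /* 24-bit label + 64-bit route distinguisher */
#define IPV4_MAX_BITS 32

struct vpnv4_route {          /* hypothetical fixed-size destination */
    uint8_t label[3], rd[8], prefix[4], prefix_bits;
};

/* Parse one entry from buf[0..len). Returns bytes consumed, or -1 if malformed. */
int parse_vpnv4_entry(const uint8_t *buf, size_t len, struct vpnv4_route *out)
{
    if (len < 1) return -1;
    unsigned bits = buf[0];            /* attacker-controlled length field */
    size_t psize = (bits + 7) / 8;     /* bytes the entry claims to occupy */

    if (bits < VPN_HDR_BITS) return -1;                  /* lower bound */
    if (psize > len - 1) return -1;                      /* upper bound vs. received data */
    if (bits - VPN_HDR_BITS > IPV4_MAX_BITS) return -1;  /* upper bound vs. destination */

    const uint8_t *p = buf + 1;
    memset(out, 0, sizeof *out);
    memcpy(out->label, p, 3);
    memcpy(out->rd, p + 3, 8);
    out->prefix_bits = (uint8_t)(bits - VPN_HDR_BITS);
    memcpy(out->prefix, p + 11, psize - 11);  /* at most 4 bytes after the checks */
    return (int)(1 + psize);
}

/* Walk a whole NLRI field; any malformed entry rejects the field. Returns entry count or -1. */
int parse_vpnv4_nlri(const uint8_t *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        struct vpnv4_route r;
        int used = parse_vpnv4_entry(buf, len, &r);
        if (used < 0) return -1;
        buf += used; len -= (size_t)used; n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: 112 bits = label + RD + 10.1.2.0/24 */
    const uint8_t ok[15] = {0x70, 0,1,1, 0,0,0,0,0,0,0,1, 10,1,2};
    uint8_t bad[33] = {0xff};  /* constructed: claims 255 bits */
    printf("valid field: %d entries\n", parse_vpnv4_nlri(ok, sizeof ok));
    printf("oversized length: %d\n", parse_vpnv4_nlri(bad, sizeof bad));
    return 0;
}
```

Without the two upper-bound checks, the final `memcpy` size would be taken directly from the packet's length octet while the destination stays fixed at four bytes.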
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442
http://lists.opensuse.org/opensuse-updates/2016-03/msg00102.html
http://lists.opensuse.org/opensuse-updates/2016-03/msg00117.html
http://nongnu.askapache.com//quagga/quagga-1.0.20160309.changelog.txt
http://rhn.redhat.com/errata/RHSA-2017-0794.html
http://www.debian.org/security/2016/dsa-3532
http://www.kb.cert.org/vuls/id/270232
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/84318
http://www.ubuntu.com/usn/USN-2941-1
https://security.gentoo.org/glsa/201610-03