Quagga vulnerabilities

31 known vulnerabilities affecting quagga/quagga.

Total CVEs: 31
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 6, MEDIUM 18, LOW 5

Vulnerabilities

Page 1 of 2
CVE-2021-44038 | HIGH | CVSS 7.8 | ≤ 1.2.4 | 2021-11-19
CVE-2021-44038 [HIGH] CWE-59: An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod operations in the suggested spec file allow users (with control of the non-root-owned directory /etc/quagga) to escalate their privileges to root upon package installation or update.
nvd
CVE-2012-5521 | MEDIUM | CVSS 6.5 | v0.99.21 | 2019-11-25
CVE-2012-5521 [MEDIUM] CWE-617: quagga (ospf6d) 0.99.21 has a DoS flaw in the way the ospf6d daemon performs routes removal.
cvelistv5, nvd
CVE-2018-5379 | CRITICAL | CVSS 9.8 | ≤ 1.2.2 | 2018-02-19
CVE-2018-5379 [HIGH] CWE-415: The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
nvd
CVE-2018-5381 | HIGH | CVSS 7.5 | ≤ 1.2.2 | 2018-02-19
CVE-2018-5381 [MEDIUM] CWE-228: The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
nvd
CVE-2018-5380 | MEDIUM | CVSS 4.3 | ≤ 1.2.2 | 2018-02-19
CVE-2018-5380 [MEDIUM] CWE-125: The Quagga BGP daemon (bgpd) prior to version 1.2.3 can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.
nvd
CVE-2018-5378 | MEDIUM | CVSS 5.9 | ≤ 1.2.2 | 2018-02-19
CVE-2018-5378 [HIGH] CWE-119: The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
nvd
CVE-2017-16227 | HIGH | CVSS 7.5 | ≤ 1.2.1 | 2017-10-29
CVE-2017-16227 [HIGH] CWE-20: The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.
nvd
CVE-2016-1245 | CRITICAL | CVSS 9.8 | ≤ 1.0.20160315 | 2017-02-22
CVE-2016-1245 [CRITICAL] CWE-119: It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages. The root cause was relying on BUFSIZ to be compatible with a message size; however, BUFSIZ is system-dependent.
nvd
CVE-2017-5495 | HIGH | CVSS 7.5 | ≤ 1.1.0 | 2017-01-24
CVE-2017-5495 [HIGH] CWE-119: All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbounded memory allocation in the telnet 'vty' CLI, leading to a Denial-of-Service of Quagga daemons, or even the entire host. When Quagga daemons are configured with their telnet CLI enabled, anyone who can connect to the TCP ports can trigger this vulnerability, prior to authentication.
nvd
CVE-2016-2342 | HIGH | CVSS 8.1 | v0.99.24 | 2016-03-17
CVE-2016-2342 [HIGH] CWE-119: The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a c
nvd
CVE-2013-6051 | MEDIUM | CVSS 4.3 | v0.99.21 | 2013-12-14
CVE-2013-6051 [MEDIUM]: The bgp_attr_unknown function in bgp_attr.c in Quagga 0.99.21 does not properly initialize the total variable, which allows remote attackers to cause a denial of service (bgpd crash) via a crafted BGP update.
nvd
CVE-2013-2236 | LOW | CVSS 2.6 | ≤ 0.99.22.1 | v0.99.22 | 2013-10-24
CVE-2013-2236 [LOW] CWE-119: Stack-based buffer overflow in the new_msg_lsa_change_notify function in the OSPFD API (ospf_api.c) in Quagga before 0.99.22.2, when --enable-opaque-lsa and the -a command line option are used, allows remote attackers to cause a denial of service (crash) via a large LSA.
nvd
CVE-2012-1820 | LOW | CVSS 2.9 | ≤ 0.99.20.1 | v0.95 +39 more | 2012-06-13
CVE-2012-1820 [LOW]: The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
nvd
CVE-2012-0255 | MEDIUM | CVSS 5.0 | ≤ 0.99.20 | v0.95 +38 more | 2012-04-05
CVE-2012-0255 [MEDIUM] CWE-119: The BGP implementation in bgpd in Quagga before 0.99.20.1 does not properly use message buffers for OPEN messages, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a message associated with a malformed Four-octet AS Number Capability (aka AS4 capability).
nvd
CVE-2012-0250 | LOW | CVSS 3.3 | ≤ 0.99.20 | v0.99.1 +18 more | 2012-04-05
CVE-2012-0250 [LOW] CWE-119: Buffer overflow in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (daemon crash) via a Link State Update (aka LS Update) packet containing a network-LSA link-state advertisement for which the data-structure length is smaller than the value in the Length header field.
nvd
CVE-2012-0249 | LOW | CVSS 3.3 | ≤ 0.99.20 | v0.95 +38 more | 2012-04-05
CVE-2012-0249 [LOW] CWE-119: Buffer overflow in the ospf_ls_upd_list_lsa function in ospf_packet.c in the OSPFv2 implementation in ospfd in Quagga before 0.99.20.1 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a Link State Update (aka LS Update) packet that is smaller than the length specified in its header.
nvd
CVE-2011-3327 | HIGH | CVSS 7.5 | ≤ 0.99.18 | v0.95 +36 more | 2011-10-10
CVE-2011-3327 [HIGH] CWE-119: Heap-based buffer overflow in the ecommunity_ecom2str function in bgp_ecommunity.c in bgpd in Quagga before 0.99.19 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by sending a crafted BGP UPDATE message over IPv4.
nvd
CVE-2011-3326 | MEDIUM | CVSS 5.0 | ≤ 0.99.18 | v0.95 +36 more | 2011-10-10
CVE-2011-3326 [MEDIUM] CWE-399: The ospf_flood function in ospf_flood.c in ospfd in Quagga before 0.99.19 allows remote attackers to cause a denial of service (daemon crash) via an invalid Link State Advertisement (LSA) type in an IPv4 Link State Update message.
nvd
CVE-2011-3323 | MEDIUM | CVSS 5.0 | ≤ 0.99.18 | v0.95 +36 more | 2011-10-10
CVE-2011-3323 [MEDIUM] CWE-119: The OSPFv3 implementation in ospf6d in Quagga before 0.99.19 allows remote attackers to cause a denial of service (out-of-bounds memory access and daemon crash) via a Link State Update message with an invalid IPv6 prefix length.
nvd
CVE-2011-3324 | MEDIUM | CVSS 5.0 | ≤ 0.99.18 | v0.95 +36 more | 2011-10-10
CVE-2011-3324 [MEDIUM] CWE-399: The ospf6_lsa_is_changed function in ospf6_lsa.c in the OSPFv3 implementation in ospf6d in Quagga before 0.99.19 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via trailing zero values in the Link State Advertisement (LSA) header list of an IPv6 Database Description message.
nvd