Bug 1079799 - (CVE-2018-5379) VUL-0: CVE-2018-5379: quagga: bgpd double free when processing UPDATE message
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
CVSSv2:NVD:CVE-2018-5379:7.5:(AV:N/AC...
Depends on:
Blocks:
Reported: 2018-02-07 11:01 UTC by Andreas Stieger
Modified: 2020-05-12 18:14 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2018-02-07 11:01:21 UTC
Created attachment 759216: Quagga-2018-1114.diff

EMBARGOED via direct mail
CRD: not clear, 2018-02-12 or 2018-02-13

Quagga Security Note 2018-1114
==============================

https://www.quagga.net/security/Quagga-2018-1114.txt


Affects:
--------

- Likely to affect all versions of Quagga

Summary
-------

The Quagga BGP daemon, bgpd, can double-free memory when processing
certain forms of UPDATE message, containing cluster-list and/or unknown
attributes.

Impact
------

Potentially severe.

This issue can be triggered by an optional/transitive UPDATE attribute that
all conforming eBGP speakers should pass along.  This means this may be
triggerable in many affected Quagga bgpd processes across a wide area of a
network, because of just one UPDATE message.

This issue could result in a crash of bgpd, or even allow a remote
attacker to gain control of an affected bgpd process.

Solution
--------

Upgrade to Quagga 1.2.3, or any other version with the appropriate
patch applied, entitled:

  "bgpd/security: Fix double free of unknown attribute"

Description
------------

The issue is a double-free in bgp_attr_flush called from
bgp_packet.c:bgp_update_receive. This can be triggered by a variety of
BGP UPDATE messages, containing either a "CLUSTER_LIST" attribute (used
in iBGP route-reflection) or an unknown attribute.

An unrecognised optional/transitive UPDATE attribute should be passed along
by conforming BGP speakers, if the attribute is otherwise well-formed.
Therefore this issue potentially can be triggered across a number of Quagga
bgpd speakers, over a wide area of a network, by one BGP speaker sending an
UPDATE.

Once this issue has been triggered the behaviour of bgpd is undefined.  The
internal state of the memory allocator may become corrupted, unless it has
been designed to be robust to the double-free.  The memory allocator may
catch the issue and crash the bgpd process in a controlled manner; otherwise
the bgpd process could continue to run with invalid memory allocation state.

It is possible an attacker could exploit the corrupted allocator state to
gain control of the bgpd process.  E.g., if the allocator stores the
incorrectly double-freed memory twice on its internal free-list, then the
allocator could return the same memory twice in further calls of malloc, and
the attacker might be able to control the operation of one part of bgpd with
data they supply that is stored in another.
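The C below is an added illustration of the bug class the note describes: an attribute buffer released once on an error path and again during general cleanup. It is not Quagga's code and not the patch named above (the exact change in that patch is not on this page); the struct, function names and the sample attribute bytes are hypothetical and constructed. It shows the defensive shape that removes the double free: one release routine that clears the pointer after free(), so both call sites can run and the buffer is still released exactly once, and a parser that allocates nothing on malformed input so there is nothing to release twice.

```c
/* Added illustration, not Quagga code: single-owner release of a parsed
 * BGP path attribute. All names below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one parsed UPDATE attribute. */
struct attr_example {
    uint8_t  type_code;   /* BGP path attribute type code */
    uint8_t *value;       /* heap copy of the attribute value, or NULL */
    size_t   len;
};

/* Counts free() calls on attribute values so a test can verify that each
 * buffer is released exactly once. */
static int attr_free_count = 0;

/* Releases the attribute's buffer. Safe to call more than once: the pointer
 * is cleared after release, so a second call is a no-op rather than a
 * second free() of the same address (the double free the advisory describes
 * arises when two cleanup paths each call free() on the same pointer). */
void attr_example_flush(struct attr_example *a)
{
    if (a->value != NULL) {
        free(a->value);
        attr_free_count++;
        a->value = NULL;
        a->len = 0;
    }
}

/* Parses one attribute from a constructed wire form: [type][len][value...].
 * Returns 0 on success, -1 on malformed input; on failure nothing is
 * allocated and *out is zeroed, so flush() on it is harmless. */
int attr_example_parse(const uint8_t *buf, size_t buflen, struct attr_example *out)
{
    memset(out, 0, sizeof(*out));
    if (buflen < 2)
        return -1;
    size_t len = buf[1];
    if (buflen < 2 + len)
        return -1;                       /* value truncated: reject */
    out->value = malloc(len ? len : 1);  /* avoid malloc(0) ambiguity */
    if (out->value == NULL)
        return -1;
    memcpy(out->value, buf + 2, len);
    out->type_code = buf[0];
    out->len = len;
    return 0;
}

/* Models a receive path in which an error/discard path and the end-of-UPDATE
 * cleanup both release the attribute. Returns the number of free() calls,
 * which with the nulling flush is at most 1. */
int attr_example_receive_path(const uint8_t *buf, size_t buflen)
{
    struct attr_example a;
    attr_free_count = 0;
    if (attr_example_parse(buf, buflen, &a) != 0)
        return attr_free_count;          /* nothing allocated, nothing freed */
    attr_example_flush(&a);              /* e.g. attribute discarded early */
    attr_example_flush(&a);              /* general cleanup after the UPDATE */
    return attr_free_count;
}

/* Constructed sample: an unknown attribute type (0x80) with a 3-byte value. */
static const uint8_t attr_example_sample[] = { 0x80, 0x03, 0xAA, 0xBB, 0xCC };

int main(void)
{
    printf("free() calls on well-formed input: %d\n",
           attr_example_receive_path(attr_example_sample, sizeof attr_example_sample));
    printf("free() calls on truncated input:   %d\n",
           attr_example_receive_path(attr_example_sample, 4));
    return 0;
}
```

The same discipline applies when an attribute is handed off to another owner: the source pointer should be cleared at the hand-off so the original holder's cleanup cannot release it a second time.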
Comment 10 Andreas Stieger 2018-02-15 10:27:46 UTC
CRD: 2018-02-15 21:30 UTC
Comment 13 Andreas Stieger 2018-02-15 23:26:34 UTC
Please submit for openSUSE:Leap:42.3:Update/quagga
Comment 14 Swamp Workflow Management 2018-02-16 05:09:32 UTC
SUSE-SU-2018:0455-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE OpenStack Cloud 6 (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    quagga-0.99.22.1-16.4.1
SUSE Linux Enterprise Server 12-LTSS (src):    quagga-0.99.22.1-16.4.1
Comment 15 Swamp Workflow Management 2018-02-16 05:10:42 UTC
SUSE-SU-2018:0456-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP3 (src):    quagga-1.1.1-17.7.1
SUSE Linux Enterprise Server 12-SP2 (src):    quagga-1.1.1-17.7.1
Comment 16 Swamp Workflow Management 2018-02-16 06:23:23 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-02-23.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63979
Comment 17 Alexander Bergmann 2018-02-16 07:26:32 UTC
CVE-2018-1000063 was marked as a duplicate CVE.

The correct number is CVE-2018-5379.
Comment 18 Swamp Workflow Management 2018-02-16 08:09:01 UTC
SUSE-SU-2018:0457-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1021669,1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2017-5495,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    quagga-0.99.15-0.30.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    quagga-0.99.15-0.30.3.1
Comment 19 Swamp Workflow Management 2018-02-16 09:40:18 UTC
This is an autogenerated message for OBS integration:
This bug (1079799) was mentioned in
https://build.opensuse.org/request/show/577175 42.3 / quagga
https://build.opensuse.org/request/show/577176 Factory / quagga
Comment 21 Swamp Workflow Management 2018-02-19 14:14:16 UTC
openSUSE-SU-2018:0473-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1065641,1079798,1079799,1079800,1079801
CVE References: CVE-2017-16227,CVE-2018-5378,CVE-2018-5379,CVE-2018-5380,CVE-2018-5381
Sources used:
openSUSE Leap 42.3 (src):    quagga-1.1.1-18.3.1
Comment 22 Marcus Meissner 2018-02-19 19:51:06 UTC
released