| Summary: | quagga new security issue CVE-2016-1245 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cjw, jani.valimaa, lewyssmith, marja11, olav, sysadmin-bugs, tarazed25 |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/703868/ | ||
| Whiteboard: | has_procedure MGA5-64-OK advisory MGA5-32-OK | ||
| Source RPM: | quagga-0.99.24.1-4.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-10-18 20:56:34 CEST
David Walser
2016-10-18 20:56:41 CEST
Whiteboard:
(none) =>
MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC:
(none) =>
cjw, jani.valimaa, marja11, olav

Patched packages uploaded for Mageia 5 and Cauldron by Jani.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=6512#c1

Advisory:
========================

Updated quagga packages fix security vulnerability:

It was discovered that the zebra daemon in the Quagga routing suite suffered from a stack-based buffer overflow when processing IPv6 Neighbor Discovery messages (CVE-2016-1245).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1245
https://lists.quagga.net/pipermail/quagga-users/2016-October/014478.html
https://www.debian.org/security/2016/dsa-3695
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.22.4-4.3.mga5
quagga-contrib-0.99.22.4-4.3.mga5
libquagga0-0.99.22.4-4.3.mga5
libquagga-devel-0.99.22.4-4.3.mga5

from quagga-0.99.22.4-4.3.mga5.src.rpm

Version:
Cauldron =>
5

Running this on x86_64 hardware. Unlikely to find a way to test the vulnerability so this will be a functionality test only.

CC:
(none) =>
tarazed25

Installed the updates and followed Dave and Claire's instructions.

# systemctl start zebra.service
# systemctl start babeld.service
Failed to start babeld.service: Unit babeld.service failed to load: No such file or directory.
# systemctl start bgpd
# systemctl start ospfd
# systemctl start ripngd
# systemctl start ripd

Start watchquagga in daemon mode to keep track of the various services.

# watchquagga -d zebra bgpd ospfd ripngd ripd ospf6d
# tail /var/log/syslog
Oct 27 18:38:00 vega watchquagga[6820]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ripngd ripd ospf6d], mode [monitor]
Oct 27 18:38:00 vega watchquagga[6820]: ripngd state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: zebra state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: ospfd state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: ripd state -> up : connect succeeded
Oct 27 18:38:01 vega watchquagga[6820]: bgpd state -> up : connect succeeded
Oct 27 18:38:01 vega watchquagga[6820]: ospf6d state -> down : initial connection attempt failed
# systemctl start ospf6d.service
# tail /var/log/syslog
Oct 27 18:40:56 vega watchquagga[6820]: ospf6d state -> up : connect succeeded
# netstat -tapnl|grep ':26'
< expected output >
# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password:
.....
Router> ?
< displayed help />
Router> enable
Password:
Router#
< played with a few commands. Note that the exit and quit commands close the telnet connection. In privileged mode this should revert to normal mode. Looks like a bug or an error in the documentation. />
# telnet localhost 2606
Trying 127.0.0.1...
...................
Hello, this is Quagga (version 0.99.22.4).
..................
Password:
ospf6d@plant# quit

Not at all clear how to use these commands properly.
# telnet localhost ::1 2606
Usage: telnet [-8] [-E] [-K] [-L] [-G] [-S tos] [-X atype] [-a] [-c] [-d] [-e char] [-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-x] [host-name [port]]
< That used to work, with the earlier version />

I shall continue probing this. Need to find out why telnet is not connecting to a specified service.

Trying individual ports in succession:
$ telnet localhost 2602
..........
ripd> quit
$ telnet localhost 2603
Trying 127.0.0.1...
...............
ripngd> quit
$ telnet localhost 2604
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
$ netstat -tapnl|grep ':26'
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:2601 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2602 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2603 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2605 0.0.0.0:* LISTEN -
tcp6 0 0 :::2601 :::* LISTEN -
tcp6 0 0 :::2602 :::* LISTEN -
tcp6 0 0 :::2603 :::* LISTEN -
tcp6 0 0 :::2605 :::* LISTEN -
$ telnet localhost 2605
........................
bgpd> quit

The man pages for telnet do not say anything specific about ipv6 or tcp6 and nothing about the ::1 form used in previous tests.

Of course, the telnet syntax was wrong - this succeeded in accessing the ipv6 ports:
# telnet ::1 2602
Trying ::1...
Connected to ::1.
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
......
ripd> show ip access-list
% [RIP] Unknown command: show ip access-list
ripd> enable
ripd# show ip access-list
RIP:
ripd# show memory all
System allocator statistics:
Total heap allocated: 528 KiB
Holding block headers: 0 bytes
Used small blocks: 0 bytes
Used ordinary blocks: 420 KiB
Free small blocks: 32 bytes
Free ordinary blocks: 108 KiB
Ordinary blocks: 3
Small blocks: 1
Holding blocks: 0
(see system documentation for 'mallinfo' for meaning)
-----------------------------
Temporary memory : 1
String vector : 4145
Vector : 2161
Vector index : 2161
Link List : 8
.......
ripd# exit
Connection closed by foreign host.
Logged in to zebra:
# telnet localhost 2601
......
Router> show ip mroute
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0
C>* 192.168.122.0/24 is directly connected, virbr0
# netstat -tapnl | grep ':260' > quagga.netlog
# cat quagga.netlog
# cat quagga.netlog
tcp 0 0 0.0.0.0:2601 0.0.0.0:* LISTEN 13529/zebra
tcp 0 0 0.0.0.0:2602 0.0.0.0:* LISTEN 13595/ripd
tcp 0 0 0.0.0.0:2603 0.0.0.0:* LISTEN 13594/ripngd
tcp 0 0 0.0.0.0:2604 0.0.0.0:* LISTEN 13118/ospfd
tcp 0 0 0.0.0.0:2605 0.0.0.0:* LISTEN 13622/bgpd
tcp 0 0 127.0.0.1:2601 127.0.0.1:39520 TIME_WAIT -
tcp6 0 0 :::2601 :::* LISTEN 13529/zebra
tcp6 0 0 :::2602 :::* LISTEN 13595/ripd
tcp6 0 0 :::2603 :::* LISTEN 13594/ripngd
tcp6 0 0 :::2604 :::* LISTEN 13118/ospfd
tcp6 0 0 :::2605 :::* LISTEN 13622/bgpd
Stopped a couple of services and:
# watchquagga -d zebra bgpd ospfd ripngd ripd ospf6d
# tail /var/log/syslog
Nov 2 18:47:36 vega watchquagga[20682]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ripngd ripd ospf6d], mode [monitor]
Nov 2 18:47:36 vega watchquagga[20682]: bgpd state -> up : connect succeeded
Nov 2 18:47:36 vega watchquagga[20682]: zebra state -> up : connect succeeded
Nov 2 18:47:36 vega watchquagga[20682]: ospf6d state -> down : initial connection attempt failed
Nov 2 18:47:36 vega watchquagga[20682]: ripngd state -> down : initial connection attempt failed
Nov 2 18:47:37 vega watchquagga[20682]: ripd state -> up : connect succeeded
Nov 2 18:47:37 vega watchquagga[20682]: ospfd state -> up : connect succeeded
As far as I can tell this is all healthy. Giving it the OK.
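
The functional check carried out above (one vty listener per daemon, and watchquagga reporting each daemon up) can be scripted. The following is an added example, not part of the original bug report or of Quagga: the port map is taken from the netstat and telnet output quoted above, the function names are hypothetical, and the sample input is constructed from lines in the report.

```shell
# Added example (not from the report). Port map as seen in the report's output.
VTY_PORTS="zebra:2601 ripd:2602 ripngd:2603 ospfd:2604 bgpd:2605 ospf6d:2606"

# stdin: `netstat -tapnl` output. Prints daemons with no LISTEN socket
# (IPv4 or IPv6) on their vty port. Function names here are hypothetical.
missing_listeners() {
    awk -v map="$VTY_PORTS" '
        $6 == "LISTEN" { n = split($4, a, ":"); seen[a[n]] = 1 }
        END {
            cnt = split(map, m, " ")
            for (i = 1; i <= cnt; i++) {
                split(m[i], kv, ":")
                if (!(kv[2] in seen)) out = out (out == "" ? "" : " ") kv[1]
            }
            print out
        }'
}

# stdin: syslog lines. Prints daemons whose most recent watchquagga state
# is "down", in order of first appearance.
down_daemons() {
    awk '
        /watchquagga/ {
            for (i = 2; i <= NF - 2; i++)
                if ($i == "state" && $(i + 1) == "->") {
                    if (!($(i - 1) in last)) names[++cnt] = $(i - 1)
                    last[$(i - 1)] = $(i + 2)
                }
        }
        END {
            for (i = 1; i <= cnt; i++)
                if (last[names[i]] == "down") out = out (out == "" ? "" : " ") names[i]
            print out
        }'
}

# Sample input constructed from lines quoted in the report.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:2601 0.0.0.0:* LISTEN 13529/zebra
tcp 0 0 0.0.0.0:2604 0.0.0.0:* LISTEN 13118/ospfd
tcp 0 0 127.0.0.1:2601 127.0.0.1:39520 TIME_WAIT -
tcp6 0 0 :::2602 :::* LISTEN 13595/ripd
tcp6 0 0 :::2603 :::* LISTEN 13594/ripngd
tcp6 0 0 :::2605 :::* LISTEN 13622/bgpd'
SAMPLE_SYSLOG='Oct 27 18:38:00 vega watchquagga[6820]: zebra state -> up : connect succeeded
Oct 27 18:38:01 vega watchquagga[6820]: ospf6d state -> down : initial connection attempt failed
Oct 27 18:40:56 vega watchquagga[6820]: ospf6d state -> up : connect succeeded
Nov 2 18:47:36 vega watchquagga[20682]: ripngd state -> down : initial connection attempt failed'
printf 'no vty listener: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | missing_listeners)"
printf 'last state down: %s\n' "$(printf '%s\n' "$SAMPLE_SYSLOG" | down_daemons)"
```

On a live system the same functions take `netstat -tapnl` and `tail /var/log/syslog` on standard input, run as root so that all sockets are visible.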
Len Lawrence
2016-11-02 19:51:08 CET
Whiteboard:
has_procedure =>
has_procedure MGA5-64-OK

Thanks yet again Len for non-trivial testing. Advisory uploaded.

CC:
(none) =>
lewyssmith

i586 vbox tests coming up later.

i586 vbox

Installed the latest packages from core updates and gave quagga a run. Started zebra and a couple of quagga services then watchquagga on the command line. The first problem was no syslog. There did not seem to be a syslog daemon but MCC -> system -> services showed that there was a service called rsyslog doing nothing. After starting that /var/log/syslog appeared. syslog reported that it could not make connections to the subsidiary services but zebra was OK. This is unexpected. Proceeding with the update to see if things improve.

Ran the update and tried again. No improvement. Going to try this on the 32bit install of mga5 on a 64bit laptop.

Things did not improve but I noted in the service status reports references to missing conf files and checking back on Claire's procedure discovered that there is some preliminary configuration needed in /etc, something which had been done months ago on the updates testing machine but not in any other system. Had completely forgotten about that so shall restart the tests tomorrow. Sorry about that. I should have repeated the preconfiguration steps in my earlier report.

(wilcal nods his head knowingly)

Right. Post-update tests now work as they should but there is a complication. There is a shell associated with quagga, which is new to me but may have been part of the package all along. It manifested itself on an attempt to access zebra via localhost.

# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Vty password is not set.
Connection closed by foreign host.

I found some documentation here: https://openmaniak.com/quagga_tutorial.php#vtysh which is Debian oriented. There is a hint that vtysh can be enabled/disabled but somehow it has been enabled by default in our latest round. It can be used to issue general commands like those listed for the various quagga services; e.g.

# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, A - Babel,
> - selected route, * - FIB route
K>* 0.0.0.0/0 via 192.168.1.1, enp3s0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0

/etc/quagga contains vtysh.conf and a sample config. It is necessary to copy the sample into vtysh.conf and uncomment the two lines:
!hostname quagga-router
!username root nopassword

# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password:
localhost>
....
localhost> exit
# telnet ::1 2606
Trying ::1...
Connected to localhost (::1).
.................
User Access Verification
Password:
ospf6d@plant#
....

The password in these cases is the one set for the zebra service (aka quagga).

The 32bit update is now ready for validation. The procedure documentation needs to be tidied up a bit. Shall work on that in the background.
Len Lawrence
2016-11-11 12:18:36 CET
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0374.html

Status:
NEW =>
RESOLVED