Bug 6512

Summary: quagga new security issue CVE-2012-1820
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: rverschelde, sysadmin-bugs, tarazed25, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/502570/
Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK, mga1-32-OK, mga2-32-OK
Source RPM: quagga-0.99.20.1-3.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-06-19 21:39:24 CEST 
Fedora has issued an advisory on June 8:
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082500.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated quagga package fixes security vulnerability:

The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and
earlier allows remote attackers to cause a denial of service
(assertion failure and daemon exit) by leveraging a BGP peering
relationship and sending a malformed Outbound Route Filtering (ORF)
capability TLV in an OPEN message (CVE-2012-1820).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1820
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082500.html
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.18-1.3.mga1
quagga-contrib-0.99.18-1.3.mga1
libquagga0-0.99.18-1.3.mga1
libquagga-devel-0.99.18-1.3.mga1
quagga-0.99.20.1-3.1.mga2
quagga-contrib-0.99.20.1-3.1.mga2
libquagga0-0.99.20.1-3.1.mga2
libquagga-devel-0.99.20.1-3.1.mga2

from SRPMS:
quagga-0.99.18-1.3.mga1.src.rpm
quagga-0.99.20.1-3.1.mga2.src.rpm
David Walser 2012-06-19 21:39:31 CEST

Whiteboard: (none) => MGA2TOO, MGA1TOO

claire robinson 2012-06-20 16:45:01 CEST

Hardware: i586 => All
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 1 claire robinson 2012-06-22 15:10:09 CEST 
Testing x86_64 Mageia 2 using procedure from bug 5108

Renamed the samples confs in /etc/quagga/ to confs and added enable passwords where needed. zebra.conf needs 'password <password>' adding on a new line.

Started the various services, except ospf6d, and last of all started watchquagga

#tail /var/log/syslog shows

watchquagga[16103]: watchquagga 0.99.20.1 watching [zebra bgpd ospfd ospf6d ripd ripngd], mode [monitor]
watchquagga[16095]: Starting watchquagga: [  OK  ]
watchquagga[16103]: bgpd state -> up : connect succeeded
watchquagga[16103]: ospf6d state -> up : connect succeeded
watchquagga[16103]: ospfd state -> up : connect succeeded
watchquagga[16103]: zebra state -> up : connect succeeded
watchquagga[16103]: ripngd state -> up : connect succeeded
watchquagga[16103]: ospf6d state -> down : initial connection attempt failed
watchquagga[16103]: ripd state -> up : connect succeeded

# netstat -tapnl|grep ':26'
tcp        0      0 127.0.0.1:2601              0.0.0.0:*                   LISTEN      15918/zebra         
tcp        0      0 127.0.0.1:2602              0.0.0.0:*                   LISTEN      15824/ripd          
tcp        0      0 127.0.0.1:2604              0.0.0.0:*                   LISTEN      15758/ospfd         
tcp        0      0 127.0.0.1:2605              0.0.0.0:*                   LISTEN      15637/bgpd          
tcp        0      0 0.0.0.0:2608                0.0.0.0:*                   LISTEN      15729/isisd         
tcp        0      0 127.0.0.1:2601              127.0.0.1:48656             TIME_WAIT   -                   
tcp        0      0 ::1:2603                    :::*                        LISTEN      15845/ripngd     
tcp        0      0 ::1:2606                    :::*                        LISTEN      16616/ospf6d    

Updated quagga and lib64quagga0 and stop/started the services and did the same testing.

# telnet localhost 2601

Connected to each of the services, logged in and played with some commands found by typing '?' and 'list'. For the IPv6 services using eg..

# telnet ::1 2606


Testing complete x86_64 Mageia 2

Whiteboard: MGA1TOO => MGA1TOO, mga2-64-OK

Comment 2 claire robinson 2012-06-22 15:12:22 CEST 
ignore ospf6d down above, i hadn't started it when i pasted. started it and stop/started watchquagga afterwards to confirm it was found.
Comment 3 claire robinson 2012-06-22 15:42:36 CEST 
Testing x86_64 Mageia 1
Comment 4 claire robinson 2012-06-22 16:04:55 CEST 
Testing complete x86_64 Mageia 1

Whiteboard: MGA1TOO, mga2-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK

Comment 5 claire robinson 2012-06-26 11:12:03 CEST 
Testing complete i586 Mageia 1

Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK => MGA1TOO, mga2-64-OK, mga1-64-OK mga1-32-OK

Comment 6 Rémi Verschelde 2012-06-26 15:25:37 CEST 
Testing on i586 Mageia 2.

CC: (none) => remi

Comment 7 Rémi Verschelde 2012-06-26 16:04:29 CEST 
I followed the procedure described by Claire in comment 1. All services start properly and can be reached via telnet, restricted access using a password is working too. I could not check CVE-2012-1820.

Testing complete on i586 Mageia 2.


Validating update.

Advisory and SRPMs: See comment 0.


Could a sysadmin push the update from core/updates_testing to core/updates? Thanks in advance.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO, mga2-64-OK, mga1-64-OK mga1-32-OK => MGA1TOO, mga2-64-OK, mga1-64-OK, mga1-32-OK, mga2-32-OK

Comment 8 Thomas Backlund 2012-06-27 18:31:34 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0133

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 9 Len Lawrence 2016-05-05 12:33:30 CEST 
Testing on x86_64.  Had tested it before on another bug.

Started a few services.
$ sudo watchquagga -d zebra bgpd ospfd ospf6d ripd
$ tail -40 /var/log/syslog
...................
May  5 10:01:09 vega watchquagga[11287]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ospf6d ripd], mode [monitor]
May  5 10:01:09 vega watchquagga[11287]: ospf6d state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: ripd state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: ospfd state -> up : connect succeeded
May  5 10:01:09 vega watchquagga[11287]: zebra state -> up : connect succeeded
May  5 10:01:10 vega watchquagga[11287]: bgpd state -> up : connect succeeded

Stopped ospf6d and checked syslog.
May  5 10:02:45 vega watchquagga[11287]: ospf6d state -> down : read returned EOF

$ systemctl status ospf6d
â ospf6d.service - OSPF routing daemon for IPv6
   Loaded: loaded (/usr/lib/systemd/system/ospf6d.service; enabled)
   Active: inactive (dead) since Thu 2016-05-05 10:02:45 BST; 16min ago
     Docs: man:ospfd(8)
           man:zebra(8)
 Main PID: 10613 (code=exited, status=0/SUCCESS)

$ sudo netstat -tapnl | grep ':260' > quagga.netlog
$ cat quagga.netlog
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN      10556/zebra         
tcp        0      0 0.0.0.0:2602            0.0.0.0:*               LISTEN      10590/ripd          
tcp        0      0 0.0.0.0:2603            0.0.0.0:*               LISTEN      10636/ripngd        
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN      10659/ospfd         
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN      10682/bgpd          
tcp6       0      0 :::2601                 :::*                    LISTEN      10556/zebra         
tcp6       0      0 :::2602                 :::*                    LISTEN      10590/ripd          
tcp6       0      0 :::2603                 :::*                    LISTEN      10636/ripngd        
tcp6       0      0 :::2604                 :::*                    LISTEN      10659/ospfd         
tcp6       0      0 :::2605                 :::*                    LISTEN      10682/bgpd          
[

Logged in to zebra
$ telnet localhost 2601
Tried ? and list to show commands
Router> show version
Quagga 0.99.22.4 (Router).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
Router> show history
  list
  show history
  show version
Router> show ip mroute
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0

Tried the ipv6 services:
$ telnet ::1 2605
bgpd> who
 vty[13] connected from ::1.
bgpd> exit

$ telnet ::1 2604
ospfd> show ip ospf route
============ OSPF network routing table ============
N    192.168.1.0/24        [10] area: 0.0.0.0
                           directly attached to enp3s0
			   
ospfd> exit

Started ospf6d.
$ tail -320 /var/log/syslog | grep ospf6
May  5 11:09:23 vega watchquagga[11287]: ospf6d state -> up : connect succeeded

$ telnet localhost 2606
ospf6d@plant# show ip access-list
OSPF6:
Zebra IP access list access4
    permit 127.0.0.1/32
ospf6d@plant# show ipv6 ospf6
 OSPFv3 Routing Process (0) with Router-ID 255.1.1.1
 Running 00:18:38
 Number of AS scoped LSAs is 0
 Number of areas in this router is 1
 Area 0.0.0.0
     Number of Area scoped LSAs is 0
     Interface attached to this area: fxp0
   CGroup: /system.slice/ospf6d.service
           ââ5878 /usr/sbin/ospf6d -d

This all looks fine.

CC: (none) => tarazed25

Comment 10 Len Lawrence 2016-05-05 12:34:25 CEST 
Darn it.  Wrong bug again.