Bug 19619 - quagga new security issue CVE-2016-1245
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/703868/
Whiteboard: has_procedure MGA5-64-OK advisory MGA...
Keywords: validated_update
 
Reported: 2016-10-18 20:56 CEST by David Walser
Modified: 2016-11-11 23:10 CET
Source RPM: quagga-0.99.24.1-4.mga6.src.rpm

Description David Walser 2016-10-18 20:56:34 CEST
Debian-LTS has issued an advisory today (October 18):
http://lwn.net/Alerts/703856/

Upstream announced this issue today:
https://lists.quagga.net/pipermail/quagga-users/2016-October/014478.html

A commit to fix the issue is linked in the message above.

Mageia 5 is also affected.
David Walser 2016-10-18 20:56:41 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-10-19 22:43:29 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => cjw, jani.valimaa, marja11, olav
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-10-20 17:35:42 CEST
Patched packages uploaded for Mageia 5 and Cauldron by Jani.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=6512#c1

Advisory:
========================

Updated quagga packages fix security vulnerability:

It was discovered that the zebra daemon in the Quagga routing suite suffered
from a stack-based buffer overflow when processing IPv6 Neighbor Discovery
messages (CVE-2016-1245).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1245
https://lists.quagga.net/pipermail/quagga-users/2016-October/014478.html
https://www.debian.org/security/2016/dsa-3695
========================

Updated packages in core/updates_testing:
========================
quagga-0.99.22.4-4.3.mga5
quagga-contrib-0.99.22.4-4.3.mga5
libquagga0-0.99.22.4-4.3.mga5
libquagga-devel-0.99.22.4-4.3.mga5

from quagga-0.99.22.4-4.3.mga5.src.rpm

Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => has_procedure

Comment 3 Len Lawrence 2016-10-27 17:48:52 CEST
Running this on x86_64 hardware.
Unlikely to find a way to test the vulnerability so this will be a functionality test only.

CC: (none) => tarazed25

Comment 4 Len Lawrence 2016-10-27 20:30:14 CEST
Installed the updates and followed Dave and Claire's instructions.

# systemctl start zebra.service
# systemctl start babeld.service
Failed to start babeld.service: Unit babeld.service failed to load: No such file or directory.
# systemctl start bgpd
# systemctl start ospfd
# systemctl start ripngd
# systemctl start ripd

Start watchquagga in daemon mode to keep track of the various services.
# watchquagga -d zebra bgpd ospfd ripngd ripd ospf6d
# tail /var/log/syslog
Oct 27 18:38:00 vega watchquagga[6820]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ripngd ripd ospf6d], mode [monitor]
Oct 27 18:38:00 vega watchquagga[6820]: ripngd state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: zebra state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: ospfd state -> up : connect succeeded
Oct 27 18:38:00 vega watchquagga[6820]: ripd state -> up : connect succeeded
Oct 27 18:38:01 vega watchquagga[6820]: bgpd state -> up : connect succeeded
Oct 27 18:38:01 vega watchquagga[6820]: ospf6d state -> down : initial connection attempt failed
# systemctl start ospf6d.service
# tail /var/log/syslog
Oct 27 18:40:56 vega watchquagga[6820]: ospf6d state -> up : connect succeeded
# netstat -tapnl|grep ':26'
< expected output >
# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: ..... 
Router> ?
< displayed help />
Router> enable
Password: 
Router#
< played with a few commands.
  Note that the exit and quit commands close the telnet connection.
  In privileged mode this should revert to normal mode.
  Looks like a bug or an error in the documentation.
/>  
# telnet localhost 2606
Trying 127.0.0.1...
...................
Hello, this is Quagga (version 0.99.22.4).
..................
Password: 
ospf6d@plant# quit

Not at all clear how to use these commands properly.

# telnet localhost ::1 2606
Usage: telnet [-8] [-E] [-K] [-L] [-G] [-S tos] [-X atype] [-a] [-c] [-d] [-e char]
	[-k realm] [-l user] [-f/-F] [-n tracefile] [-r] [-x] [host-name [port]]
< That used to work, with the earlier version />

I shall continue probing this.  Need to find out why telnet is not connecting to a specified service.

Comment 5 Len Lawrence 2016-11-01 22:47:02 CET
Trying individual ports in succession:
$ telnet localhost 2602
..........
ripd> quit
$ telnet localhost 2603
Trying 127.0.0.1...
...............
ripngd> quit
$ telnet localhost 2604
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
$ netstat -tapnl|grep ':26'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2602            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2603            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::2601                 :::*                    LISTEN      -                   
tcp6       0      0 :::2602                 :::*                    LISTEN      -                   
tcp6       0      0 :::2603                 :::*                    LISTEN      -                   
tcp6       0      0 :::2605                 :::*                    LISTEN      -         
$ telnet localhost 2605
........................
bgpd> quit

The man pages for telnet do not say anything specific about ipv6 or tcp6 and nothing about the ::1 form used in previous tests.

Comment 6 Len Lawrence 2016-11-02 19:50:50 CET
Of course, the telnet syntax was wrong - this succeeded in accessing the ipv6 ports:
# telnet ::1 2602
Trying ::1...
Connected to ::1.
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
......
ripd> show ip access-list
% [RIP] Unknown command: show ip access-list
ripd> enable
ripd# show ip access-list
RIP:
ripd#  show memory all
System allocator statistics:
  Total heap allocated:  528 KiB
  Holding block headers: 0 bytes
  Used small blocks:     0 bytes
  Used ordinary blocks:  420 KiB
  Free small blocks:     32 bytes
  Free ordinary blocks:  108 KiB
  Ordinary blocks:       3
  Small blocks:          1
  Holding blocks:        0
(see system documentation for 'mallinfo' for meaning)
-----------------------------
Temporary memory              :          1
String vector                 :       4145
Vector                        :       2161
Vector index                  :       2161
Link List                     :          8
.......
ripd# exit
Connection closed by foreign host.

Logged in to zebra:
# telnet localhost 2601
......
Router> show ip mroute
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route

C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0
C>* 192.168.122.0/24 is directly connected, virbr0

# netstat -tapnl | grep ':260' > quagga.netlog
# cat quagga.netlog
# cat quagga.netlog
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN      13529/zebra         
tcp        0      0 0.0.0.0:2602            0.0.0.0:*               LISTEN      13595/ripd          
tcp        0      0 0.0.0.0:2603            0.0.0.0:*               LISTEN      13594/ripngd        
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN      13118/ospfd         
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN      13622/bgpd          
tcp        0      0 127.0.0.1:2601          127.0.0.1:39520         TIME_WAIT   -                   
tcp6       0      0 :::2601                 :::*                    LISTEN      13529/zebra         
tcp6       0      0 :::2602                 :::*                    LISTEN      13595/ripd          
tcp6       0      0 :::2603                 :::*                    LISTEN      13594/ripngd        
tcp6       0      0 :::2604                 :::*                    LISTEN      13118/ospfd         
tcp6       0      0 :::2605                 :::*                    LISTEN      13622/bgpd          

Stopped a couple of services and:
# watchquagga -d zebra bgpd ospfd ripngd ripd ospf6d
# tail /var/log/syslog
Nov  2 18:47:36 vega watchquagga[20682]: watchquagga 0.99.22.4 watching [zebra bgpd ospfd ripngd ripd ospf6d], mode [monitor]
Nov  2 18:47:36 vega watchquagga[20682]: bgpd state -> up : connect succeeded
Nov  2 18:47:36 vega watchquagga[20682]: zebra state -> up : connect succeeded
Nov  2 18:47:36 vega watchquagga[20682]: ospf6d state -> down : initial connection attempt failed
Nov  2 18:47:36 vega watchquagga[20682]: ripngd state -> down : initial connection attempt failed
Nov  2 18:47:37 vega watchquagga[20682]: ripd state -> up : connect succeeded
Nov  2 18:47:37 vega watchquagga[20682]: ospfd state -> up : connect succeeded

As far as I can tell this is all healthy.  Giving it the OK.
Len Lawrence 2016-11-02 19:51:08 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK
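
Added example, not part of the bug report or of Quagga: the port check run by hand in comments 5 and 6 (`netstat -tapnl | grep ':26'`), written as a script that maps each vty port to its daemon using the port numbers visible in this thread and reports which daemons have no listener. It goes one step beyond the hand check by also classifying the bind address, since a `0.0.0.0` or `::` listener exposes the telnet vty on every interface. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Quagga vty listeners from netstat output.
# Port-to-daemon mapping is the one visible in this thread's netstat/telnet output.

vty_report() {
    # stdin: `netstat -tanl` output. stdout: "<daemon> <port> <state>" per daemon,
    # state = missing | loopback | wildcard | other
    awk '
    BEGIN {
        name[2601] = "zebra"; name[2602] = "ripd"; name[2603] = "ripngd"
        name[2604] = "ospfd"; name[2605] = "bgpd"; name[2606] = "ospf6d"
    }
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        n = split($4, parts, ":")          # port is the last ":"-separated field
        port = parts[n]
        if (!(port in name)) next
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")         cls = "wildcard"
        else if (host == "127.0.0.1" || host == "::1") cls = "loopback"
        else                                           cls = "other"
        if (state[port] != "wildcard") state[port] = cls   # wildcard is sticky
    }
    END {
        for (p = 2601; p <= 2606; p++)
            printf "%s %d %s\n", name[p], p, ((p in state) ? state[p] : "missing")
    }'
}

vty_missing() {
    # Names of daemons with no vty listener, space-separated on one line.
    vty_report | awk '$3 == "missing" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

sample_netstat() {
    # Constructed sample modelled on comment 5 (bgpd moved to loopback for contrast).
    cat <<'EOF'
tcp        0      0 0.0.0.0:2601      0.0.0.0:*       LISTEN      -
tcp        0      0 0.0.0.0:2602      0.0.0.0:*       LISTEN      -
tcp        0      0 0.0.0.0:2603      0.0.0.0:*       LISTEN      -
tcp        0      0 127.0.0.1:2605    0.0.0.0:*       LISTEN      -
tcp        0      0 127.0.0.1:2601    127.0.0.1:39520 TIME_WAIT   -
tcp6       0      0 :::2601           :::*            LISTEN      -
tcp6       0      0 :::2603           :::*            LISTEN      -
EOF
}

sample_netstat | vty_report
```

On a live system the input would be `netstat -tanl | vty_report`; a daemon reported as missing after `systemctl start` points at the same condition watchquagga logs as "initial connection attempt failed".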

Comment 7 Lewis Smith 2016-11-03 08:10:32 CET
Thanks yet again Len for non-trivial testing. Advisory uploaded.

CC: (none) => lewyssmith
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory

Comment 8 Len Lawrence 2016-11-10 20:17:41 CET
i586 vbox tests coming up later.

Comment 9 Len Lawrence 2016-11-10 23:01:21 CET
i586 vbox
Installed the latest packages from core updates and gave quagga a run.
Started zebra and a couple of quagga services then watchquagga on the command line.

The first problem was no syslog.  There did not seem to be a syslog daemon but MCC -> system -> services showed that there was a service called rsyslog doing nothing.  After starting that /var/log/syslog appeared.
syslog reported that it could not make connections to the subsidiary services but zebra was OK.

This is unexpected.  Proceeding with the update to see if things improve.
Ran the update and tried again.  No improvement.

Going to try this on the 32bit install of mga5 on a 64bit laptop.

Comment 10 Len Lawrence 2016-11-11 00:15:31 CET
Things did not improve but I noted in the service status reports references to missing conf files and checking back on Claire's procedure discovered that there is some preliminary configuration needed in /etc, something which had been done months ago on the updates testing machine but not in any other system.  Had completely forgotten about that so shall restart the tests tomorrow.

Sorry about that.  I should have repeated the preconfiguration steps in my earlier report.  (wilcal nods his head knowingly)

Comment 11 Len Lawrence 2016-11-11 12:15:49 CET
Right.  Post-update tests now work as they should but there is a complication.  There is a shell associated with quagga, which is new to me but may have been part of the package all along.  It manifested itself on an attempt to access zebra via localhost.
# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Vty password is not set.
Connection closed by foreign host.

I found some documentation here:
https://openmaniak.com/quagga_tutorial.php#vtysh
which is Debian oriented.  There is a hint that vtysh can be enabled/disabled but somehow it has been enabled by default in our latest round.  It can be used to issue general commands like those listed for the various quagga services; e.g.

# vtysh -c "show ip route"
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, A - Babel,
       > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.1.1, enp3s0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, enp3s0

/etc/quagga contains vtysh.conf and a sample config.  It is necessary to copy the sample into vtysh.conf and uncomment the two lines:
!hostname quagga-router
!username root nopassword

# telnet localhost 2601
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
Hello, this is Quagga (version 0.99.22.4).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Password: 
localhost> ....
localhost> exit

# telnet ::1 2606
Trying ::1...
Connected to localhost (::1).
.................
User Access Verification
Password: 
ospf6d@plant# ....

The password in these cases is the one set for the zebra service (aka quagga).

The 32bit update is now ready for validation.

The procedure documentation needs to be tidied up a bit.  Shall work on that in the background.
Len Lawrence 2016-11-11 12:18:36 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK advisory => has_procedure MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2016-11-11 23:10:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0374.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

