CVE-2016-2342

Published on: 03/17/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:16 PM UTC

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Debian Linux from Debian contain the following vulnerability:

The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet.

  • CVE-2016-2342 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.1 - HIGH

Attack Vector | Attack Complexity | Privileges Required | User Interaction
NETWORK | HIGH | NONE | NONE

Scope | Confidentiality Impact | Integrity Impact | Availability Impact
UNCHANGED | HIGH | HIGH | HIGH

CVSS2 Score: 7.6 - HIGH

Access Vector | Access Complexity | Authentication
NETWORK | HIGH | NONE

Confidentiality Impact | Integrity Impact | Availability Impact
COMPLETE | COMPLETE | COMPLETE

CVE References

Description | Tags | Link
Oracle Solaris Bulletin - April 2016 | - | www.oracle.com (CONFIRM www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html)
Quagga: Arbitrary code execution (GLSA 201610-03) — Gentoo Security | - | security.gentoo.org (GENTOO GLSA-201610-03)
openSUSE-SU-2016:0863-1: moderate: Security update for quagga | - | lists.opensuse.org (SUSE openSUSE-SU-2016:0863)
Vulnerability Note VU#270232 - Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability | Third Party Advisory, US Government Resource | www.kb.cert.org (CERT-VN VU#270232)
Debian -- Security Information -- DSA-3532-1 quagga | Deprecated Link | www.debian.org (DEBIAN DSA-3532)
openSUSE-SU-2016:0888-1: moderate: Security update for quagga | - | lists.opensuse.org (SUSE openSUSE-SU-2016:0888)
Quagga CVE-2016-2342 Stack Buffer Overflow Vulnerability | - | cve.report (archive) (BID 84318)
USN-2941-1: Quagga vulnerabilities | Ubuntu | - | www.ubuntu.com (UBUNTU USN-2941-1)
quagga.git - quagga | Inactive Link, Not Archived | web.archive.org (CONFIRM git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442)
Red Hat Customer Portal | Inactive Link, Not Archived | web.archive.org (REDHAT RHSA-2017:0794)
404 Not Found | Inactive Link, Not Archived | nongnu.askapache.com (CONFIRM nongnu.askapache.com//quagga/quagga-1.0.20160309.changelog.txt)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Debian | Debian Linux | 7.0 | All | All | All
Operating System | Debian | Debian Linux | 8.0 | All | All | All
Application | Quagga | Quagga | 0.99.24 | All | All | All
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.24:*:*:*:*:*:*:*