CVE-2017-16227

Summary

CVE	CVE-2017-16227
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-10-29 20:29:00 UTC
Updated	2017-11-18 16:16:00 UTC
Description	The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Quagga	Quagga	All	All	All	All

References

Reference	Source	Link	Tags
404 Not Found	MISC	download.savannah.gnu.org	Issue Tracking, Third Party Advisory
#879474 - quagga-bgpd: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages - Debian Bug report logs	MISC	bugs.debian.org	Issue Tracking, Patch, Third Party Advisory
Debian -- Security Information -- DSA-4011-1 quagga	DEBIAN	www.debian.org	Issue Tracking, Third Party Advisory
[quagga-dev 16660] [PATCH] bgpd: fix length calculation of multi-segment AS_PATH UPDATE messages	MISC	lists.quagga.net	Issue Tracking, Patch, Third Party Advisory
quagga.git - quagga	MISC	git.savannah.gnu.org	Issue Tracking, Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.