Software Engineering Institute

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-5378 (Quagga-2018-0543)

The Quagga BGP daemon, bgpd, does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or it may crash.

CWE-415: Double Free - CVE-2018-5379 (Quagga-2018-1114)

The Quagga BGP daemon, bgpd, can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes.

CWE-125: Out-of-bounds Read - CVE-2018-5380 (Quagga-2018-1550)

The Quagga BGP daemon, bgpd, can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.

CWE-228: Improper Handling of Syntactically Invalid Structure - CVE-2018-5381 (Quagga-2018-1975)

The Quagga BGP daemon, bgpd, had a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI.

For more information, please see Quagga's version 1.2.3 release announcement.

The CVSS score below is based on CVE-2018-5379.

An unauthenticated, remote attacker may be able to use crafted input to result in a crash of bgpd or even allow a remote attacker to gain control of an affected bgpd process.

Apply an update

Quagga has released bgpd version 1.2.3 to address these issues. Affected users should apply an update as soon as possible.