Mu Security Discovers Zero-Day Bug

Mu Security discovers zero-day Quagga bgpd Remote Denial of Service Vulnerability

Dark Reading Staff, Dark Reading

September 14, 2007

1 Min Read

SUNNYVALE, Calif. -- Mu Security, a pioneer in the new security analyzer market, has discovered and helped remediate a new 0-day Quagga bgpd Remote Denial of Service Vulnerability --

Affected Products/Versions: Quagga 0.99.8

Product Overview: Quagga is a routing software suite. Quagga bgpd implements the Border Gateway routing Protocol (BGP), the core routing protocol of the Internet. Very large private IP networks also often make use of BGP.

Vulnerability Details: There are two 0-day vulnerabilities. In both vulnerabilities, the attacker must be a configured peer. A BGP OPEN message with an invalid message length and a valid option parameters length (or vice versa) from a configured peer can cause an assertion failure in the stream library. An empty or malformed COMMUNITIES attribute in an UPDATE from a configured peer can cause a NULL pointer dereference when the attribute is printed if "debug bgp updates" is enabled.

Vendor Response / Solution: Update to 0.99.9, available from


  • August 29, 2007— Mu Labs first contacted vendor
    August 30, 2007—Vendor acknowledges vulnerability
    August 31, 2007—Second issue reported
    September 1, 2007—Vendor acknowledges second vulnerability
    September 7, 2007—Vendor releases 0.99.9
    September 12, 2007—Advisory released

Mu Security Inc.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights