Mu Security discovers zero-day Quagga bgpd Remote Denial of Service Vulnerability
SUNNYVALE, Calif. -- Mu Security, a pioneer in the new security analyzer market, has discovered and helped remediate a new 0-day Quagga bgpd Remote Denial of Service Vulnerability -- http://labs.musecurity.com/advisories.html
Affected Products/Versions: Quagga 0.99.8
Product Overview: Quagga is a routing software suite. Quagga bgpd implements the Border Gateway Protocol (BGP), the core routing protocol of the Internet. Very large private IP networks also often make use of BGP. http://www.quagga.net/
Vulnerability Details: There are two 0-day vulnerabilities. In both vulnerabilities, the attacker must be a configured peer. A BGP OPEN message with an invalid message length and a valid option parameters length (or vice versa) from a configured peer can cause an assertion failure in the stream library. An empty or malformed COMMUNITIES attribute in an UPDATE from a configured peer can cause a NULL pointer dereference when the attribute is printed if "debug bgp updates" is enabled.
Vendor Response / Solution: Update to 0.99.9, available from http://www.quagga.net/
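The two conditions under Vulnerability Details come down to length fields that a parser must check before it trusts them. The following is an added example, not Quagga's code or the 0.99.9 fix: it assumes the RFC 4271 OPEN layout and the RFC 7606 rule for COMMUNITIES length, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BGP_HEADER_LEN   19u    /* marker(16) + length(2) + type(1), RFC 4271 */
#define BGP_OPEN_MIN_LEN 29u    /* header + version, AS, hold time, ID, opt len */
#define BGP_MAX_LEN      4096u
#define BGP_MSG_OPEN     1u

enum open_check { OPEN_OK, OPEN_TRUNCATED, OPEN_BAD_TYPE, OPEN_BAD_MSG_LEN, OPEN_LEN_MISMATCH };

/* Check both length fields of an OPEN in buf[0..avail) before parsing anything else. */
enum open_check bgp_open_check(const uint8_t *buf, size_t avail)
{
    if (buf == NULL || avail < BGP_HEADER_LEN) return OPEN_TRUNCATED;
    if (buf[18] != BGP_MSG_OPEN) return OPEN_BAD_TYPE;
    size_t msg_len = ((size_t)buf[16] << 8) | buf[17];
    if (msg_len < BGP_OPEN_MIN_LEN || msg_len > BGP_MAX_LEN) return OPEN_BAD_MSG_LEN;
    if (avail < msg_len) return OPEN_TRUNCATED;
    /* The two lengths must describe the same bytes: fixed part plus options. */
    if (msg_len != BGP_OPEN_MIN_LEN + (size_t)buf[28]) return OPEN_LEN_MISMATCH;
    return OPEN_OK;
}

/* COMMUNITIES value must be a non-zero multiple of 4 octets (RFC 1997, RFC 7606). */
int bgp_communities_len_ok(const uint8_t *val, size_t len)
{
    return val != NULL && len != 0 && len % 4 == 0;
}

/* Constructed sample: an OPEN whose two length fields are set independently. */
enum open_check check_sample_open(uint16_t msg_len, uint8_t opt_len, size_t avail)
{
    static uint8_t buf[BGP_MAX_LEN];
    memset(buf, 0, sizeof buf);
    memset(buf, 0xff, 16);                 /* marker */
    buf[16] = (uint8_t)(msg_len >> 8);
    buf[17] = (uint8_t)(msg_len & 0xff);
    buf[18] = BGP_MSG_OPEN;
    buf[19] = 4;                           /* BGP version */
    buf[28] = opt_len;
    return bgp_open_check(buf, avail > sizeof buf ? sizeof buf : avail);
}

int main(void)
{
    return check_sample_open(29, 0, 29) == OPEN_OK &&
           check_sample_open(29, 8, 64) == OPEN_LEN_MISMATCH ? 0 : 1;
}
```

A message that fails either check should be rejected with a NOTIFICATION instead of being passed to code that asserts on stream bounds or formats the attribute for debug output.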
History:
August 29, 2007—Mu Labs first contacted vendor
August 30, 2007—Vendor acknowledges vulnerability
August 31, 2007—Second issue reported
September 1, 2007—Vendor acknowledges second vulnerability
September 7, 2007—Vendor releases 0.99.9
September 12, 2007—Advisory released