Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2018-957

Related Vulnerabilities: CVE-2018-5379   CVE-2018-5380   CVE-2018-5381  

Infinite loop issue triggered by invalid OPEN message allows denial-of-serviceAn infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.(CVE-2018-5381) Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary codeA double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.(CVE-2018-5379) bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crashA vulnerability was found in Quagga, in the log formatting code. Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.(CVE-2018-5380)

Source

ALAS-2018-957

Amazon Linux AMI Security Advisory: ALAS-2018-957
Advisory Release Date: 2018-02-20 21:26 Pacific
Advisory Updated Date: 2018-02-21 20:46 Pacific
Severity: Important
Issue Overview:

Infinite loop issue triggered by invalid OPEN message allows denial-of-service
An infinite loop vulnerability was discovered in Quagga. A BGP peer could send specially crafted packets that would cause the daemon to enter an infinite loop, denying service and consuming CPU until it is restarted.(CVE-2018-5381)

Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
A double-free vulnerability was found in Quagga. A BGP peer could send a specially crafted UPDATE message which would cause allocated blocks of memory to be free()d more than once, potentially leading to a crash or other issues.(CVE-2018-5379)

bgpd can overrun internal BGP code-to-string conversion tables potentially allowing crash
A vulnerability was found in Quagga, in the log formatting code. Specially crafted messages sent by BGP peers could cause Quagga to read one element past the end of certain static arrays, causing arbitrary binary data to appear in the logs or potentially, a crash.(CVE-2018-5380)


Affected Packages:

quagga


Issue Correction:
Run yum update quagga to update your system.

New Packages:
i686:
    quagga-devel-0.99.22.4-4.17.amzn1.i686
    quagga-0.99.22.4-4.17.amzn1.i686
    quagga-debuginfo-0.99.22.4-4.17.amzn1.i686
    quagga-contrib-0.99.22.4-4.17.amzn1.i686

src:
    quagga-0.99.22.4-4.17.amzn1.src

x86_64:
    quagga-devel-0.99.22.4-4.17.amzn1.x86_64
    quagga-debuginfo-0.99.22.4-4.17.amzn1.x86_64
    quagga-0.99.22.4-4.17.amzn1.x86_64
    quagga-contrib-0.99.22.4-4.17.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started