Info

Disclosure

Mar 29, 2006

Discovery

Unknown

Dates

Exploit

Mar 29, 2006

Solution

Unknown

Description

Quagga contains a flaw that may allow a local denial of service. The issue is triggered when certain crafted input is passed to the 'sh ip bgp community' command, and will result in loss of availability for the platform by using all up CPU resources.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 0.98.6, 0.99.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Quagga	Quagga	0.98.5
		0.99.3

References

CVE ID: 2006-2276 (see also: NVD)
Secunia Advisory ID: 20137 20138 20221 20420 20421 20782
Related OSVDB ID: 25224 25225
Other Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20060602-01-U.asc
Mail List Post: http://lists.quagga.net/pipermail/quagga-dev/2006-March/004052.html
Vendor Specific Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200605-15.xml
http://www.ubuntu.com/usn/usn-284-1
http://www.us.debian.org/security/2006/dsa-1059
Vendor Specific News/Changelog Entry: http://www.quagga.net/news2.php?y=2006&m=5&d=4#id1146764580
RedHat RHSA: RHSA-2006:0525 RHSA-2006:0533

Credit

Fredrik Widell - fredriksunet.se -

Direct URL: http://osvdb.org/25245