#VU10612 Double free memory error in Quagga - CVE-2018-5379


Vulnerability identifier: #VU10612

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-5379

CWE-ID: CWE-415

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Quagga BGP daemon due to double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A remote attacker can supply specially crafted input, trigger bqpd to crash and execute arbitrary code.

Mitigation
Update to version 1.2.3.

Vulnerable software versions

Quagga: 1.0.20160309 - 1.2.2

External links
https://savannah.nongnu.org/forum/forum.php?forum_id=9095

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for quagga
Gentoo update for Quagga
Red Hat update for quagga
Amazon Linux AMI update for quagga
OpenSUSE Linux update for quagga
Multiple vulnerabilities in Quagga
Debian update for quagga
Ubuntu update for Quagga
SUSE Linux update for quagga
SUSE Linux update for quagga