#VU10615 Memory corruption in Quagga - CVE-2017-5495

Cybersecurity Help s.r.o.

Published: 2018-02-16 | Updated: 2018-02-19

Vulnerability identifier: #VU10615

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-5495

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unbounded memory allocation in the telnet 'vty' CLI. A remote attacker able to connect to the TCP ports can send very long strings without a newline, cause the Quagga daemon to allocate unbounded memory and system crash.

Mitigation
Update to version 1.1.

Vulnerable software versions

Quagga: 1.0.20160309 - 1.1.0

External links
https://savannah.nongnu.org/forum/forum.php?forum_id=8783

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Quagga

Debian update for quagga

Ubuntu update for Quagga

SUSE Linux update for quagga

Ubuntu update for Quagga

SUSE Linux update for quagga

Memory corruption in quagga (Alpine package)