#VU10618 Infinite loop in Quagga - CVE-2018-5381


Vulnerability identifier: #VU10618

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-5381

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quagga
Server applications / Other server solutions

Vendor: quagga.net

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the Quagga BGP daemon due to improper handling of invalid OPEN messages. A remote attacker can trigger infinite loop and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Update to version 1.2.3.

Vulnerable software versions

Quagga: 1.0.20160309 - 1.2.2

External links
https://savannah.nongnu.org/forum/forum.php?forum_id=9095

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for quagga
Gentoo update for Quagga
Amazon Linux AMI update for quagga
OpenSUSE Linux update for quagga
Multiple vulnerabilities in Quagga
Debian update for quagga
Ubuntu update for Quagga
SUSE Linux update for quagga
SUSE Linux update for quagga
SUSE Linux update for quagga