CVE-2006-2223: Input Validation
First published: Fri May 05 2006(Updated: )
RIPd in Quagga 0.98 and 0.99 before 20060503 does not properly implement configurations that (1) disable RIPv1 or (2) require plaintext or MD5 authentication, which allows remote attackers to obtain sensitive information (routing state) via REQUEST packets such as SEND UPDATE.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Quagga Routing Software Suite | =0.98.5 | |
| Quagga Routing Software Suite | =0.99.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://bugzilla.quagga.net/show_bug.cgi?id=261
- http://www.securityfocus.com/bid/17808
- http://secunia.com/advisories/19910
- http://secunia.com/advisories/20137
- http://www.debian.org/security/2006/dsa-1059
- http://www.gentoo.org/security/en/glsa/glsa-200605-15.xml
- http://secunia.com/advisories/20138
- http://secunia.com/advisories/20221
- http://www.redhat.com/support/errata/RHSA-2006-0525.html
- http://www.redhat.com/support/errata/RHSA-2006-0533.html
- http://securitytracker.com/id?1016204
- http://secunia.com/advisories/20420
- http://secunia.com/advisories/20421
- http://secunia.com/advisories/20782
- http://www.novell.com/linux/security/advisories/2006_17_sr.html
- http://secunia.com/advisories/21159
- http://www.osvdb.org/25224
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26243
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9985
- https://usn.ubuntu.com/284-1/
- http://www.securityfocus.com/archive/1/432823/100/0/threaded
- http://www.securityfocus.com/archive/1/432822/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2006-2223?
CVE-2006-2223 is categorized as having a medium severity, as it allows remote attackers to access sensitive routing information.
How do I fix CVE-2006-2223?
To fix CVE-2006-2223, upgrade Quagga to version 0.98.6 or 0.99.4 or later where the vulnerability is addressed.
What versions are affected by CVE-2006-2223?
The vulnerable versions of Quagga are 0.98.5 and 0.99.3.
Can CVE-2006-2223 lead to data leakage?
Yes, CVE-2006-2223 can lead to data leakage as it allows attackers to obtain sensitive routing state information through REQUEST packets.
Is there a workaround for CVE-2006-2223?
While upgrading is the best option, a potential workaround is to disable RIPv1 and enforce authentication requirements if possible.
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/type
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/first-publish-date
- agent/tags
- collector/nvd-historical
- vendor/quagga
- product/quagga
- canonical/quagga quagga
- agent/software-canonical-lookup-request
- collector/nvd-index
- canonical/quagga routing software suite
- version/quagga routing software suite/0.98.5
- version/quagga routing software suite/0.99.3