First published: Tue Oct 18 2016
A buffer overflow exists in the IPv6 Router Advertisement code in Zebra. The issue can be triggered on an IPv6 address where the Quagga daemon is reachable by a Router Advertisement (RA), an IPv6 ICMP message. The issue leads to a crash of the zebra daemon. In specific circumstances this vulnerability may allow remote code execution.

Upstream patch: https://github.com/Quagga/quagga/commit/cfb1fae25f8c092e0d17073eaf7bd428ce1cd546

References: http://www.gossamer-threads.com/lists/quagga/users/31952

Workarounds: Disable IPv6 neighbor discovery announcements on all interfaces ("ipv6 nd suppress-ra" configured under all interfaces). Make sure to have it disabled on ALL interfaces.
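The workaround only holds if no interface is left out, so the natural check is to audit the zebra configuration stanza by stanza. The script below is an added example written for this advisory, not code from the Quagga project: it parses the `interface <name>` / indented-line form that zebra uses for `zebra.conf` and `show running-config`, and reports, per interface, whether the stanza contains `no ipv6 nd suppress-ra` (the form that enables RAs), an explicit `ipv6 nd suppress-ra`, or neither. The sample configuration embedded in it is constructed; point `ra_status` at a real config file to audit it.

```shell
#!/bin/sh
# Audit a Quagga/zebra configuration for interfaces that still send IPv6 RAs.
# Added example for this advisory, not part of the Quagga project. Assumes the
# "interface <name>" stanza layout with one-space indented option lines that
# zebra writes to zebra.conf and prints for "show running-config".

# Constructed sample configuration: three interfaces in three different states.
SAMPLE_CONF=$(cat <<'EOF'
hostname zebra-host
!
interface eth0
 description uplink with RAs enabled
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8:1::/64
!
interface eth1
 ipv6 nd suppress-ra
!
interface eth2
 description no suppress-ra line at all
!
line vty
!
EOF
)

# ra_status <config-file>
# Prints one line per interface stanza: "<ifname> <state>" where state is
#   enabled    - stanza contains "no ipv6 nd suppress-ra" (zebra sends RAs)
#   suppressed - stanza explicitly contains "ipv6 nd suppress-ra"
#   default    - neither line present (relies on the daemon default)
ra_status() {
  awk '
    function flush() {
      if (ifname != "") print ifname, state
      ifname = ""; state = ""
    }
    /^interface / { flush(); ifname = $2; state = "default"; next }
    /^!/ || /^[^ ]/ { flush(); next }   # any other top-level line ends the stanza
    ifname != "" && $0 ~ /^ *no ipv6 nd suppress-ra *$/ { state = "enabled"; next }
    ifname != "" && $0 ~ /^ *ipv6 nd suppress-ra *$/    { state = "suppressed"; next }
    END { flush() }
  ' "$1"
}

# ra_enabled_count <config-file>: number of interfaces that will send RAs.
ra_enabled_count() {
  ra_status "$1" | awk '$2 == "enabled" { n++ } END { print n + 0 }'
}

# not_explicitly_suppressed <config-file>: interfaces missing the explicit
# "ipv6 nd suppress-ra" line the advisory asks for on every interface.
not_explicitly_suppressed() {
  ra_status "$1" | awk '$2 != "suppressed" { print $1 }'
}

# Run the audit against the constructed sample.
conf_file=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf_file"
echo "RA status per interface:"
ra_status "$conf_file"
echo "Interfaces sending RAs: $(ra_enabled_count "$conf_file")"
echo "Interfaces without explicit suppress-ra: $(not_explicitly_suppressed "$conf_file" | tr '\n' ' ')"
rm -f "$conf_file"
```

Against the sample, eth0 is reported as `enabled`, eth1 as `suppressed` and eth2 as `default`; the `not_explicitly_suppressed` list (eth0 and eth2) is the set of stanzas to fix before the workaround can be considered complete.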
Credit: security@debian.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/Quagga | <1.0.20161017 | 1.0.20161017 |
debian/quagga | 1.2.4-3 | |
debian/quagga | <=0.99.22.4-1, <=0.99.23.1-1 | 0.99.22.4-1+wheezy3+deb7u1, 0.99.23.1-1+deb8u3, 1.0.20160315-3 |
Quagga Quagga | <=1.0.20160315 | |
Debian Debian Linux | =8.0 | |