oss-sec mailing list archives

Quagga: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages

From: Salvatore Bonaccorso <carnil () debian org>
Date: Mon, 30 Oct 2017 21:09:27 +0100

Hi

The following issue in Quagga got assigned CVE-2017-16227:

It was discovered that the bgpd daemon in the Quagga routing suite does
not properly calculate the length of multi-segment AS_PATH UPDATE
messages, causing bgpd to drop a session and potentially resulting in
loss of network connectivity.

It was reported as https://bugs.debian.org/879474 in the Debian bugtracker, and
following up now here on oss-security. I'm going to fquote the detailed report:

there is a longstanding bug in quagga where certain BGP update messages
cause a quagga bgpd to drop a session, possibly resulting in loss of
network connectivity.

Details:

Long paths in update messages are segmented in BGP, and the bug is in
the recalculation of the framing information if there are more than two
segments. The resulting data is invalid but will will be used for
redistribution. At least if the receiver is another quagga bgpd, that
message is rejected, eventually resulting in a BGP session termination.

The receiver's log (if written) contains an error message like
| BGP: 172.23.97.181: BGP type 2 length 3074 is too large, attribute total length is 2069. attr_endp is
0x562feb368121. endp is 0x562feb367d2c
then.

So if a site's BGP peers all run quagga, that site will lose network
connectivity due to frequent session termination. Additionally, the
repeated initial full table transfer will result in a significantly
bigger network load, I've seen around 1 MByte/sec/link, compared to
usually less than one 1 kbyte/sec/link.

Such extremely long AS paths have occured in the global BGP table at
least four times since June. Last time started on Oct 13th around 20:43
UTC and lasted until the following week.

All versions of quagga in Debian are affected.

How to fix:

Kudos to Andreas Jaggi who identified the bug and provided a fix[1].
After some hours of work I was able to reproduce the issue and can
confirm this patch resolves the issues for all versions of quagga in
Debian (wheezy, jessie, stretch = buster = sid). Details about the
setup available upon request, it's just some stuff to write down.

[1] https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html
http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008


Regards,
Salvatore

Current thread:

Quagga: CVE-2017-16227: BGP session termination due to rather long AS paths in update messages Salvatore Bonaccorso (Oct 30)