Description: Some vulnerabilities have been reported in Quagga, which can be exploited by malicious users to cause a DoS (Denial of Service).
The vulnerabilities are caused due to bgpd improperly handling messages sent by peers. This can be exploited to crash bgpd by sending a specially crafted "OPEN" message with an invalid message length or an invalid parameter length, or a specially crafted "UPDATE" message with a malformed "COMMUNITY" attribute.
Successful exploitation requires that the attacker is configured as peer of the target system. Successful exploitation of the "UPDATE" vulnerability requires that debugging of BGP updates is enabled.
The vulnerabilities are reported in versions prior to 0.99.9.
Solution: Fixed in unstable version 0.99.9.
Connect to trusted peers only.
Provided and/or discovered by: The vendor credits Mu Security.
Changelog: 2007-09-13: Updated advisory with additional information.
2007-09-14: Added CVE reference.
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
