CVE-2016-2342
quagga: VPNv4 NLRI parser memcpys to stack on unchecked length
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The bgp_nlri_parse_vpnv4 function in bgp_mplsvpn.c in the VPNv4 NLRI parser in bgpd in Quagga before 1.0.20160309, when a certain VPNv4 configuration is used, relies on a Labeled-VPN SAFI routes-data length field during a data copy, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted packet.
La función bgp_nlri_parse_vpnv4 en bgp_mplsvpn.c en el intérprete VPNv4 NLRI en bgpd en Quagga en versiones anteriores a 1.0.20160309, cuando se utiliza una determinada configuración VPNv4, confía en un campo de longitud de datos de rutas Labeled-VPN SAFI durante un copiado de datos, lo que permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (desbordamiento de buffer basado en pila) a través de un paquete manipulado.
A stack-based buffer overflow flaw was found in the way the Quagga BGP routing daemon (bgpd) handled Labeled-VPN SAFI routes data. A remote attacker could use this flaw to crash the bgpd daemon resulting in denial of service.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-02-12 CVE Reserved
- 2016-03-17 CVE Published
- 2023-06-18 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-121: Stack-based Buffer Overflow
CAPEC
References (13)
| URL | Tag | Source |
|---|---|---|
| http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=a3bc7e9400b214a0f078fdb19596ba54214a1442 | X_refsource_confirm | |
| http://nongnu.askapache.com//quagga/quagga-1.0.20160309.changelog.txt | X_refsource_confirm | |
| http://www.kb.cert.org/vuls/id/270232 | Third Party Advisory |
|
| http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/84318 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2016-03/msg00102.html | 2018-01-05 | |
| http://lists.opensuse.org/opensuse-updates/2016-03/msg00117.html | 2018-01-05 | |
| http://rhn.redhat.com/errata/RHSA-2017-0794.html | 2018-01-05 | |
| http://www.debian.org/security/2016/dsa-3532 | 2018-01-05 | |
| http://www.ubuntu.com/usn/USN-2941-1 | 2018-01-05 | |
| https://security.gentoo.org/glsa/201610-03 | 2018-01-05 | |
| https://access.redhat.com/security/cve/CVE-2016-2342 | 2017-03-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1316571 | 2017-03-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Quagga Search vendor "Quagga" | Quagga Search vendor "Quagga" for product "Quagga" | 0.99.24 Search vendor "Quagga" for product "Quagga" and version "0.99.24" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||