Bug 132353 - net-misc/quagga RIPv1 route injection bypasses authentication?
Summary: net-misc/quagga RIPv1 route injection bypasses authentication?
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugzilla.quagga.net/show_bug.c...
Whiteboard: C3 [glsa] jaervosz
Keywords:
Duplicates: 134003
Depends on:
Blocks:
 
Reported: 2006-05-05 08:27 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-05-22 00:42 UTC (History)
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Always show interfaces in ripd (ripd-show-ifaces.diff,1016 bytes, patch)
2006-05-11 08:24 UTC, Guy Martin (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-05 08:27:59 UTC
RIPd accepts RIPv1 RESPONSE packets and updates its routing state, even when
RIPv2 authentication has been enabled.

This can occur where:

- both version 1 and 2 are allowed
- no version control is specified (default version control allows both)

Best practice ought to be at least to refuse to update routing state via
unauthenticated packets when authentication is enabled; however, we can still
honour REQUESTs safely.


The RFCs suggest disabling RIPv1 altogether when v2 authentication
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2006-05-09 10:09:06 UTC
Patches at URL, please bump?
Comment 2 Alin Năstac (RETIRED) gentoo-dev 2006-05-10 00:21:25 UTC
bumped to 0.98.6.
I didn't have the time to test it on my router yet.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-10 09:12:26 UTC
Arches please test and mark stable.
Comment 4 Alin Năstac (RETIRED) gentoo-dev 2006-05-10 10:43:27 UTC
I've installed it on my router (x86) and it works as expected.
However, I don't use RIP, only BGP.
Comment 5 Guy Martin (RETIRED) gentoo-dev 2006-05-10 23:23:48 UTC
This sounds buggy.

I got bgp, ospf, ospf6 and ripv2 running on my hppa and rip doesn't work anymore.

My config being the following:

router rip
 version 2
 network eth1
 passive-interface eth0

I've this in my debug:
RIP: RECV packet from 172.21.1.250 port 520 on eth1
RIP: RECV RESPONSE version 2 packet size 44
RIP:   172.24.0.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
RIP:   172.24.0.0/16 -> 0.0.0.0 family 2 tag 0 metric 1
RIP: RIPv2 dropped because authentication enabled

after receiving the following packet:
IP (tos 0x0, ttl  64, id 25922, offset 0, flags [none], proto: UDP (17), length: 72) 172.21.1.250.520 > 172.21.1.255.520: [udp sum ok] 
        RIPv2, Response, length: 44, routes: 2
          AFI: IPv4:      172.24.0.0/24, tag 0x0000, metric: 1, next-hop: self
          AFI: IPv4:      172.24.0.0/16, tag 0x0000, metric: 1, next-hop: self
        0x0000:  0202 0000 0002 0000 ac18 0000 ffff ff00
        0x0010:  0000 0000 0000 0001 0002 0000 ac18 0000
        0x0020:  ffff 0000 0000 0000 0000 0001

And of course the route doesn't get used. This was working fine before.

Maybe I'm missing something but this sounds wrong.
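An added example, not code from this bug, from Quagga or from any commenter: a small Python parser for the RIP wire format (RFC 1058 / RFC 2453) run over the hex dump above, plus an acceptance policy that encodes what the description asks for (with authentication enabled, drop unauthenticated RESPONSEs, RIPv1 included, but still honour REQUESTs). `build_packet` and the "secret" password are constructed test input; the policy only checks that an authentication entry is present, it does not verify a password or digest.

```python
import ipaddress
import struct

RIP_REQUEST, RIP_RESPONSE = 1, 2
AFI_AUTH = 0xFFFF  # address family marking a RIPv2 authentication entry (RFC 2453)

# Re-typed from the tcpdump hex dump in comment 5: RIPv2 RESPONSE, 2 routes, no auth entry.
RESPONSE_V2 = bytes.fromhex(
    "0202 0000 0002 0000 ac18 0000 ffff ff00 0000 0000 0000 0001"
    "0002 0000 ac18 0000 ffff 0000 0000 0000 0000 0001"
)


def parse_rip(pkt):
    """Parse a 4-byte RIP header plus its 20-byte entries into a dict."""
    if len(pkt) < 4 or (len(pkt) - 4) % 20:
        raise ValueError("malformed RIP packet, length %d" % len(pkt))
    command, version, _zero = struct.unpack("!BBH", pkt[:4])
    entries, authenticated = [], False
    for off in range(4, len(pkt), 20):
        afi, tag = struct.unpack("!HH", pkt[off:off + 4])
        if afi == AFI_AUTH and off == 4:
            authenticated = True  # an auth entry is only valid as the first entry
            continue
        addr, mask, nh, metric = struct.unpack("!4s4s4sI", pkt[off + 4:off + 20])
        entries.append({"afi": afi, "tag": tag, "metric": metric,
                        "prefix": str(ipaddress.IPv4Address(addr)),
                        "mask": str(ipaddress.IPv4Address(mask)),
                        "next_hop": str(ipaddress.IPv4Address(nh))})
    return {"command": command, "version": version,
            "authenticated": authenticated, "entries": entries}


def rip_accept(pkt, auth_enabled):
    """Return (ok, reason): may this packet update routing state / be answered?"""
    p = parse_rip(pkt)
    if p["command"] == RIP_REQUEST:
        return True, "request honoured"  # REQUESTs are safe to answer regardless
    if p["command"] != RIP_RESPONSE:
        return False, "unknown command %d" % p["command"]
    if auth_enabled and p["version"] == 1:
        return False, "RIPv1 RESPONSE dropped because authentication enabled"
    if auth_enabled and not p["authenticated"]:
        return False, "RIPv2 dropped because authentication enabled"  # ripd's debug wording
    return True, "response accepted, %d route(s)" % len(p["entries"])


def build_packet(version, command, prefix, metric, password=None):
    """Constructed one-route packet; RIPv1 keeps mask/next-hop zero, auth type 2 = plain text."""
    hdr = struct.pack("!BBH", command, version, 0)
    auth = struct.pack("!HH16s", AFI_AUTH, 2, password) if password else b""
    mask = b"\xff\xff\xff\x00" if version == 2 else b"\0" * 4
    entry = struct.pack("!HH4s4s4sI", 2, 0, ipaddress.IPv4Address(prefix).packed, mask, b"\0" * 4, metric)
    return hdr + auth + entry
```

Running `rip_accept(RESPONSE_V2, True)` reproduces the "RIPv2 dropped because authentication enabled" outcome seen in the debug output above, while the same packet is accepted with authentication off.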
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-11 00:17:47 UTC
Back to ebuild to resolve this.

Alin any comments?
Comment 7 Alin Năstac (RETIRED) gentoo-dev 2006-05-11 00:50:07 UTC
try to add "no ip rip authentication" to your configuration.
Comment 8 Guy Martin (RETIRED) gentoo-dev 2006-05-11 01:17:06 UTC
I went back to 0.98.5-r3 and it worked again.

I receive the correct debug:

RIP: SEND UPDATE to eth1 ifindex 4
RIP: multicast announce on eth1 
RIP: update routes on interface eth1 ifindex 4
RIP: RECV packet from 172.21.1.250 port 520 on eth1
RIP: RECV RESPONSE version 2 packet size 44
RIP:   172.24.0.0/24 -> 0.0.0.0 family 2 tag 0 metric 1
RIP:   172.24.0.0/16 -> 0.0.0.0 family 2 tag 0 metric 1


I've looked to disable authentication of course but by default it's disabled.

hulk(config-if)# no ip rip authentication 
% Command incomplete.
hulk(config-if)# no ip rip authentication key-chain 
  LINE  name of key-chain
  <cr>  
hulk(config-if)# no ip rip authentication key-chain 
hulk(config-if)# no ip rip authentication mode 
  md5   Keyed message digest
  text  Clear text authentication
  <cr>  
hulk(config-if)# no ip rip authentication mode 
hulk(config-if)# no ip rip authentication string 
  LINE  Authentication string
  <cr>  
hulk(config-if)# no ip rip authentication string 
hulk(config-if)# 


After this, my config was unchanged. Will try with the -0.98.6 once it's merged again :)
Comment 9 Guy Martin (RETIRED) gentoo-dev 2006-05-11 04:54:18 UTC
I'm discussing with the quagga devs.

Normally, we should see that authentication is set to md5 by default.
However, this doesn't appear in "sh run" or in the file when you save it.

The default authentication has been changed in this release.


Alin, as you suggested, issuing "no ip rip authentication mode" on the interface fixes the issue and my routes get updated. However, according to the quagga devs, it should display it in the config.


I'm still investigating right now. A workaround would be to change the default authentication to RIP_NO_AUTH in rip_interface_new() and rip_interface_reset().
This way, not having authentication information in the config matches what we expect.

Comment 10 Alin Năstac (RETIRED) gentoo-dev 2006-05-11 05:06:51 UTC
Yeah, I've seen it too. The strange thing is 0.98.5 has the exact same rip_interface_new() and rip_interface_reset().
Please change the default authentication set in those functions to RIP_NO_AUTH and tell me if it worked.
Comment 11 Guy Martin (RETIRED) gentoo-dev 2006-05-11 08:24:13 UTC
Created attachment 86611 [details, diff]
Always show interfaces in ripd

This is the diff that paul from #quagga@freenode came with.

It's working fine and fully fixes all the aspects of the issue.
Comment 12 Alin Năstac (RETIRED) gentoo-dev 2006-05-11 09:45:58 UTC
Fixed in 0.98.6-r1. (thanks for your help, Guy!)
Arches, please do your thing.
Comment 13 Guy Martin (RETIRED) gentoo-dev 2006-05-11 10:32:03 UTC
Working like a charm on hppa.
Comment 14 Joshua Jackson (RETIRED) gentoo-dev 2006-05-11 21:27:27 UTC
It's a nice pizza pie of stability on x86. (^.^) I need to not play Mario while committing.
Comment 15 Thomas Cort (RETIRED) gentoo-dev 2006-05-12 16:51:42 UTC
alpha stable.
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-14 09:54:53 UTC
ppc stable
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2006-05-14 10:05:03 UTC
I tend to vote no, I don't understand it :)
Comment 18 Alin Năstac (RETIRED) gentoo-dev 2006-05-14 10:19:26 UTC
Put simply, the RIP daemon (responsible for route exchange with other RIP routers) could accept IP routes without properly authenticating the source of those routes.
It is pretty big if your network works on RIP. This protocol is the simplest of its kind, much simpler to set up than OSPF or BGP, therefore I assume the RIP users are more numerous than the users of the other 2 protocols put together.

Also note that 0.98.6 doesn't solve only this security issue, it also solves a BGP DoS problem (see http://www.quagga.net):
  - bgpd Telnet Interface DoS (OSVDB ID 25245).

Please issue a GLSA on this one.
Comment 19 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-14 11:52:00 UTC
(In reply to comment #18)
> Please issue a GLSA on this one.
Ok, you've got my vote: yes for a GLSA

Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-14 15:09:18 UTC
I would vote a half-no:
- the configuration needed is very specific (unless I'm wrong)
- internet routing is known to be sensitive: RIPd administrators are usually very advanced users. This kind of configuration might not happen.
- the bug says that the RFC discourages such a configuration.
Comment 21 Alin Năstac (RETIRED) gentoo-dev 2006-05-14 22:23:23 UTC
Even the BGP bug alone (http://www.osvdb.org/displayvuln.php?osvdb_id=25245) would be more than enough to justify a GLSA.

Comment 22 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-14 22:35:58 UTC
Let's have a GLSA on this one.
Comment 23 Wolf Giesen (RETIRED) gentoo-dev 2006-05-15 22:09:59 UTC
I didn't really get a grip on the version bump; so 0.98.6-r1 is supposed to fix all three CVEs 2223, 2224 and 2276?
Comment 24 Wolf Giesen (RETIRED) gentoo-dev 2006-05-15 22:28:16 UTC
Sorry for spamming here, but this is hard to figure out with the sources supplied. To me it looks like the default ripd configuration is to allow RIPv1 _and_ RIPv2, even if v2 MD5 auth is on. Thus the problem would be that v1 is not automatically disabled once authentication has been configured?
Comment 25 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-21 11:08:59 UTC
GLSA 200605-15

Thanks everybody
Comment 26 Dax 2006-05-22 00:42:55 UTC
*** Bug 134003 has been marked as a duplicate of this bug. ***