Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 626436 (CVE-2017-3224) - net-misc/quagga:OSPF implementation improperly determines LSA recency
Summary: net-misc/quagga:OSPF implementation improperly determines LSA recency
Status: RESOLVED WONTFIX
Alias: CVE-2017-3224
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.kb.cert.org/vuls/id/793496
Whiteboard: C3 [upstream/cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-28 13:59 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2018-11-25 00:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-28 13:59:25 UTC
From URL:

Overview
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.

Impact
Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Solution
Install Updates

The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.
Comment 1 D'juan McDonald (domhnall) 2017-08-30 04:05:17 UTC
Upstream Bug/Proposed Patch:(https://bugzilla.quagga.net/show_bug.cgi?id=493)

CVE Source:(http://www.kb.cert.org/vuls/id/793496)
Comment 2 Sergey Popov gentoo-dev Security 2017-09-06 17:03:16 UTC
Bug 493 on bugzilla.quagga.net has nothing to do with this issue

RedHat guys closed this as WONTFIX, upstream seems not care at all, our move - ?
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2017-09-06 22:11:10 UTC
Sergey, your call as a maintainer and considering red-hat closed with "Wont Fix", up to you if you want to do the same. Considering that upstream doe snot care, we can leave it as a trackable open, or close it as Red-Hat has done.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-11-25 00:05:54 UTC
So many other hardening measures to protect against this.