ID CVE-2018-5379
Summary The Quagga BGP daemon (bgpd) prior to version 1.2.3 can double-free memory when processing certain forms of UPDATE message, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or potentially allow an attacker to execute arbitrary code.
Vulnerable Configurations
  • cpe:2.3:a:quagga:quagga:-:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.95:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96.2:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96.3:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96.4:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.96.5:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.0:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.2:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.3:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.4:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.97.5:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.0:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.2:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.3:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.4:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.5:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.98.6:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.2:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.3:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.4:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.5:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.6:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.7:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.8:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.9:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.10:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.11:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.12:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.13:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.14:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.15:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.16:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.17:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.18:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.19:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.20:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.20.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.21:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22:-:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22:rc1:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22.2:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22.3:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.22.4:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.23:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.23.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.24:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:0.99.24.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.0.20160309:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.0.20160315:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.0.20161017:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:quagga:quagga:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:siemens:ruggedcom_rox_ii_firmware:*:*:*:*:*:*:*:*
  • cpe:2.3:h:siemens:ruggedcom_rox_ii:-:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 09-10-2019 - 23:41)
Impact:
Exploitability:
CWE CWE-415
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1542985
title CVE-2018-5379 quagga: Double free vulnerability in bgpd when processing certain forms of UPDATE message allowing to crash or potentially execute arbitrary code
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment quagga is earlier than 0:0.99.22.4-5.el7_4
        oval oval:com.redhat.rhsa:tst:20180377009
      • comment quagga is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100945006
    • AND
      • comment quagga-contrib is earlier than 0:0.99.22.4-5.el7_4
        oval oval:com.redhat.rhsa:tst:20180377005
      • comment quagga-contrib is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100945008
    • AND
      • comment quagga-devel is earlier than 0:0.99.22.4-5.el7_4
        oval oval:com.redhat.rhsa:tst:20180377007
      • comment quagga-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100945010
rhsa
id RHSA-2018:0377
released 2018-02-28
severity Important
title RHSA-2018:0377: quagga security update (Important)
rpms
  • quagga-0:0.99.22.4-5.el7_4
  • quagga-contrib-0:0.99.22.4-5.el7_4
  • quagga-devel-0:0.99.22.4-5.el7_4
refmap via4
bid 103105
cert-vn VU#940439
confirm
debian DSA-4115
gentoo GLSA-201804-17
mlist [debian-lts-announce] 20180216 [SECURITY] [DLA 1286-1] quagga security update
ubuntu USN-3573-1
Last major update 09-10-2019 - 23:41
Published 19-02-2018 - 13:29