SB2016040603 - Arbitrary code execution in quagga (Alpine package)
Published: April 6, 2016
Security Bulletin ID
SB2016040603
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Description
This security bulletin contains information about 1 security vulnerability.
1) Arbitrary code execution (CVE-ID: CVE-2016-2342)
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system. The weakness is due to a buffer overflow caused by improper validation of the upper-bound length of received Labeled-VPN SAFI routes data. To exploit the vulnerability, attackers can send specially crafted packets to the system.
Successful exploitation of the weakness results in arbitrary code execution or even denial of service on the vulnerable system.
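The upper-bound check the description refers to, shown as an added illustrative example in C that is neither Quagga's code nor the Alpine patch: it parses one Labeled VPN-IPv4 NLRI entry (RFC 3107 label, RFC 4364 route distinguisher, IPv4 prefix) and rejects any entry whose prefix part would overrun the fixed-size destination buffer or the received data. The struct and function names and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Illustrative parser for one Labeled VPN-IPv4 NLRI entry; not Quagga's code. */
#define VPN_LABEL_LEN  3                               /* one MPLS label entry, bytes */
#define VPN_RD_LEN     8                               /* route distinguisher, bytes */
#define VPN_HDR_LEN    (VPN_LABEL_LEN + VPN_RD_LEN)    /* 11 bytes = 88 bits */
#define IPV4_MAX_BYTES 4

struct vpn_route {
    uint32_t label;
    uint8_t  rd[VPN_RD_LEN];
    uint8_t  prefix[IPV4_MAX_BYTES];   /* fixed-size destination buffer */
    uint8_t  prefixlen;                /* IPv4 prefix length in bits */
};

/* Parse the entry at data[0..avail). Returns bytes consumed, or -1 if the
 * entry is malformed. The length octet counts label + RD + prefix in bits. */
int parse_vpnv4_nlri(const uint8_t *data, size_t avail, struct vpn_route *out)
{
    if (avail < 1)
        return -1;
    unsigned bits  = data[0];
    size_t   psize = (bits + 7) / 8;   /* bytes that follow the length octet */

    if (bits < VPN_HDR_LEN * 8)        /* lower bound: label and RD must be present */
        return -1;
    /* Upper bound: the prefix part must fit the fixed buffer. Without this
     * check psize can reach 32 and the memcpy below overruns out->prefix. */
    if (psize - VPN_HDR_LEN > IPV4_MAX_BYTES)
        return -1;
    if (avail < 1 + psize)             /* entry must not run past received data */
        return -1;

    const uint8_t *p = data + 1;
    out->label = ((uint32_t)p[0] << 12) | ((uint32_t)p[1] << 4) | (p[2] >> 4);
    memcpy(out->rd, p + VPN_LABEL_LEN, VPN_RD_LEN);
    memset(out->prefix, 0, sizeof out->prefix);
    memcpy(out->prefix, p + VPN_HDR_LEN, psize - VPN_HDR_LEN);
    out->prefixlen = (uint8_t)(bits - VPN_HDR_LEN * 8);
    return (int)(1 + psize);
}

/* Constructed sample: 112-bit entry = label 16, RD 1:100, prefix 10.0.0.0/24 */
static const uint8_t sample_vpnv4[] = {0x70, 0x00, 0x01, 0x01, 0, 0, 0, 1, 0, 0, 0, 100, 10, 0, 0};
```

A length octet of 0xFF on the same entry yields a 32-byte payload and is rejected before any copy, as is an entry that claims more bytes than were received.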
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=bd21f0c34fd699ed29fabb46e98b0ad0a522d5db
- https://git.alpinelinux.org/aports/commit/?id=c6a671a8d5628bd7226346d3df7acfbcc7a58973
- https://git.alpinelinux.org/aports/commit/?id=380236e60c820594a1e74395d31fb5ae19f913fc
- https://git.alpinelinux.org/aports/commit/?id=845087bdd853b2e584068d2b26ff698b29a1ce7b