Vulnerability Details CVE-2018-5381
The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its parsing of "Capabilities" in BGP OPEN messages, in the bgp_packet.c:bgp_capability_msg_parse function. The parser can enter an infinite loop on invalid capabilities if a Multi-Protocol capability does not have a recognized AFI/SAFI, causing a denial of service.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.101
EPSS Ranking 92.7%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.0
References
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- http://www.kb.cert.org/vuls/id/940439
- https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt
- https://lists.debian.org/debian-lts-announce/2018/02/msg00021.html
- https://security.gentoo.org/glsa/201804-17
- https://usn.ubuntu.com/3573-1/
- https://www.debian.org/security/2018/dsa-4115
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095
- http://www.kb.cert.org/vuls/id/940439
- https://cert-portal.siemens.com/productcert/pdf/ssa-451142.pdf
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-1975.txt
- https://lists.debian.org/debian-lts-announce/2018/02/msg00021.html
- https://security.gentoo.org/glsa/201804-17
- https://usn.ubuntu.com/3573-1/
- https://www.debian.org/security/2018/dsa-4115
Products affected by CVE-2018-5381
-
cpe:2.3:a:quagga:quagga:-
-
cpe:2.3:a:quagga:quagga:0.95
-
cpe:2.3:a:quagga:quagga:0.96
-
cpe:2.3:a:quagga:quagga:0.96.1
-
cpe:2.3:a:quagga:quagga:0.96.2
-
cpe:2.3:a:quagga:quagga:0.96.3
-
cpe:2.3:a:quagga:quagga:0.96.4
-
cpe:2.3:a:quagga:quagga:0.96.5
-
cpe:2.3:a:quagga:quagga:0.97.0
-
cpe:2.3:a:quagga:quagga:0.97.1
-
cpe:2.3:a:quagga:quagga:0.97.2
-
cpe:2.3:a:quagga:quagga:0.97.3
-
cpe:2.3:a:quagga:quagga:0.97.4
-
cpe:2.3:a:quagga:quagga:0.97.5
-
cpe:2.3:a:quagga:quagga:0.98.0
-
cpe:2.3:a:quagga:quagga:0.98.1
-
cpe:2.3:a:quagga:quagga:0.98.2
-
cpe:2.3:a:quagga:quagga:0.98.3
-
cpe:2.3:a:quagga:quagga:0.98.4
-
cpe:2.3:a:quagga:quagga:0.98.5
-
cpe:2.3:a:quagga:quagga:0.98.6
-
cpe:2.3:a:quagga:quagga:0.99.1
-
cpe:2.3:a:quagga:quagga:0.99.10
-
cpe:2.3:a:quagga:quagga:0.99.11
-
cpe:2.3:a:quagga:quagga:0.99.12
-
cpe:2.3:a:quagga:quagga:0.99.13
-
cpe:2.3:a:quagga:quagga:0.99.14
-
cpe:2.3:a:quagga:quagga:0.99.15
-
cpe:2.3:a:quagga:quagga:0.99.16
-
cpe:2.3:a:quagga:quagga:0.99.17
-
cpe:2.3:a:quagga:quagga:0.99.18
-
cpe:2.3:a:quagga:quagga:0.99.19
-
cpe:2.3:a:quagga:quagga:0.99.2
-
cpe:2.3:a:quagga:quagga:0.99.20
-
cpe:2.3:a:quagga:quagga:0.99.20.1
-
cpe:2.3:a:quagga:quagga:0.99.21
-
cpe:2.3:a:quagga:quagga:0.99.22
-
cpe:2.3:a:quagga:quagga:0.99.22.1
-
cpe:2.3:a:quagga:quagga:0.99.22.2
-
cpe:2.3:a:quagga:quagga:0.99.22.3
-
cpe:2.3:a:quagga:quagga:0.99.22.4
-
cpe:2.3:a:quagga:quagga:0.99.23
-
cpe:2.3:a:quagga:quagga:0.99.23.1
-
cpe:2.3:a:quagga:quagga:0.99.24
-
cpe:2.3:a:quagga:quagga:0.99.24.1
-
cpe:2.3:a:quagga:quagga:0.99.3
-
cpe:2.3:a:quagga:quagga:0.99.4
-
cpe:2.3:a:quagga:quagga:0.99.5
-
cpe:2.3:a:quagga:quagga:0.99.6
-
cpe:2.3:a:quagga:quagga:0.99.7
-
cpe:2.3:a:quagga:quagga:0.99.8
-
cpe:2.3:a:quagga:quagga:0.99.9
-
cpe:2.3:a:quagga:quagga:1.0.20160309
-
cpe:2.3:a:quagga:quagga:1.0.20160315
-
cpe:2.3:a:quagga:quagga:1.0.20161017
-
cpe:2.3:a:quagga:quagga:1.1.0
-
cpe:2.3:a:quagga:quagga:1.1.1
-
cpe:2.3:a:quagga:quagga:1.2.0
-
cpe:2.3:a:quagga:quagga:1.2.1
-
cpe:2.3:a:quagga:quagga:1.2.2
-
cpe:2.3:h:siemens:ruggedcom_rox_ii:-
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:17.10
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:siemens:ruggedcom_rox_ii_firmware:-
-
cpe:2.3:o:siemens:ruggedcom_rox_ii_firmware:2.10.0
-
cpe:2.3:o:siemens:ruggedcom_rox_ii_firmware:2.11.0
-
cpe:2.3:o:siemens:ruggedcom_rox_ii_firmware:2.9.0