Vulnerability Description
The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be sent over the network to a peer and/or bgpd may crash.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quagga | Quagga | <= 1.2.2 |
| Debian | Debian Linux | 8.0 |
| Canonical | Ubuntu Linux | 14.04 |
Related Weaknesses (CWE)
References
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095Third Party Advisory
- http://www.kb.cert.org/vuls/id/940439Third Party AdvisoryUS Government Resource
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.tVendor Advisory
- https://security.gentoo.org/glsa/201804-17Third Party Advisory
- https://usn.ubuntu.com/3573-1/Third Party Advisory
- https://www.debian.org/security/2018/dsa-4115Third Party Advisory
- http://savannah.nongnu.org/forum/forum.php?forum_id=9095Third Party Advisory
- http://www.kb.cert.org/vuls/id/940439Third Party AdvisoryUS Government Resource
- https://gogs.quagga.net/Quagga/quagga/src/master/doc/security/Quagga-2018-0543.tVendor Advisory
- https://security.gentoo.org/glsa/201804-17Third Party Advisory
- https://usn.ubuntu.com/3573-1/Third Party Advisory
- https://www.debian.org/security/2018/dsa-4115Third Party Advisory
FAQ
What is CVE-2018-5378?
CVE-2018-5378 is a vulnerability with a CVSS score of 7.1 (HIGH). The Quagga BGP daemon (bgpd) prior to version 1.2.3 does not properly bounds check the data sent with a NOTIFY to a peer, if an attribute length is invalid. Arbitrary data from the bgpd process may be...
How severe is CVE-2018-5378?
CVE-2018-5378 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-5378?
Check the references section above for vendor advisories and patch information. Affected products include: Quagga Quagga, Debian Debian Linux, Canonical Ubuntu Linux.