bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.04638.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Quagga
  • Quagga
Redhat
  • Enterprise Linux

Configuration 1 [-]

OR cpe:2.3:a:quagga:quagga:*:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.95:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96.1:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96.2:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96.3:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96.4:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.96.5:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.0:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.1:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.2:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.3:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.4:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.97.5:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.0:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.1:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.2:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.3:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.4:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.5:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.98.6:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.1:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.2:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.3:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.4:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.5:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.6:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.7:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.8:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.9:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.10:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.11:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.12:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.13:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.14:*:*:*:*:*:*:*
cpe:2.3:a:quagga:quagga:0.99.15:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 6
quagga-0:0.99.15-5.el6_0.1 cpe:/o:redhat:enterprise_linux:6 RHSA-2010:0945 2010-12-06T00:00:00Z

No data.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-2104-1 New quagga packages fix denial of service
EUVD EUVD EUVD-2010-2953 bgpd in Quagga before 0.99.17 does not properly parse AS paths, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unknown AS type in an AS path attribute in a BGP UPDATE message.
Ubuntu USN Ubuntu USN USN-1027-1 Quagga vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://code.quagga.net/?p=quagga.git%3Ba=commit%3Bh=cddb8112b80fa9867156c637d63e6e79eeac67bb cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00009.html cve-icon cve-icon
http://secunia.com/advisories/41038 cve-icon cve-icon
http://secunia.com/advisories/41238 cve-icon cve-icon
http://secunia.com/advisories/42397 cve-icon cve-icon
http://secunia.com/advisories/42446 cve-icon cve-icon
http://secunia.com/advisories/42498 cve-icon cve-icon
http://secunia.com/advisories/48106 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-201202-02.xml cve-icon cve-icon
http://www.debian.org/security/2010/dsa-2104 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:174 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2010/08/24/3 cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2010/08/25/4 cve-icon cve-icon
http://www.quagga.net/news2.php?y=2010&m=8&d=19 cve-icon cve-icon
http://www.redhat.com/support/errata/RHSA-2010-0945.html cve-icon cve-icon
http://www.securityfocus.com/bid/42642 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1027-1 cve-icon cve-icon
http://www.vupen.com/english/advisories/2010/2304 cve-icon cve-icon
http://www.vupen.com/english/advisories/2010/3097 cve-icon cve-icon
http://www.vupen.com/english/advisories/2010/3124 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=626795 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2010-2949 cve-icon
https://www.cve.org/CVERecord?id=CVE-2010-2949 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-07T02:55:45.507Z

Reserved: 2010-08-04T00:00:00

Link: CVE-2010-2949

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2010-09-10T19:00:02.597

Modified: 2025-04-11T00:51:21.963

Link: CVE-2010-2949

cve-icon Redhat

Severity : Low

Publid Date: 2010-08-19T00:00:00Z

Links: CVE-2010-2949 - Bugzilla

cve-icon OpenCVE Enrichment

No data.