CVE-2017-16227 in Quagga
Summary
by MITRE
The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 allows remote attackers to cause a denial of service (session drop) via BGP UPDATE messages, because AS_PATH size calculation for long paths counts certain bytes twice and consequently constructs an invalid message.
Analysis
by VulDB Data Team • 01/05/2023
The vulnerability identified as CVE-2017-16227 affects Quagga routing software versions prior to 1.2.2, specifically within the bgpd component responsible for BGP protocol implementation. This issue resides in the aspath_put function located in the bgpd/bgp_aspath.c file, representing a critical flaw in how the software handles AS_PATH attribute processing during BGP UPDATE message handling. The vulnerability manifests when remote attackers send specially crafted BGP UPDATE messages that trigger improper AS_PATH size calculation logic, leading to session disruption and potential network connectivity issues.
The technical flaw stems from incorrect byte counting during AS_PATH size calculation for extended path lengths, where certain bytes are counted twice in the message construction process. This double-counting error results in the generation of invalid BGP messages that violate the protocol specification requirements for AS_PATH attribute formatting. The flaw occurs during the processing of long AS_PATH attributes, where the software fails to properly account for the actual byte representation of the path information, causing the constructed message to exceed valid size limits or contain malformed data structures. This incorrect calculation directly impacts the BGP session integrity and can be exploited by remote attackers without authentication requirements.
The operational impact of this vulnerability extends beyond simple denial of service, as it can cause complete BGP session termination between routing peers, potentially leading to widespread network disruption. When a vulnerable Quagga instance receives a malicious UPDATE message with improperly calculated AS_PATH data, the system processes the malformed message and subsequently drops the BGP session to prevent further corruption. Network operators may experience intermittent connectivity issues, routing instability, and potential blackholing of traffic as routing tables become inconsistent due to the session failures. The vulnerability affects any network infrastructure relying on Quagga for BGP routing operations, particularly impacting internet exchange points, service providers, and enterprise networks dependent on stable routing protocols.
Organizations should prioritize immediate patching of Quagga installations to version 1.2.2 or later, which includes corrected AS_PATH size calculation logic that properly accounts for byte counting during message construction. Network administrators should also implement monitoring solutions to detect unusual BGP UPDATE message patterns and establish automated alerting for potential exploitation attempts. Additional mitigations include implementing BGP message filtering to validate AS_PATH attributes before processing, deploying network segmentation to limit exposure, and maintaining comprehensive network monitoring to quickly identify session disruptions. This vulnerability aligns with CWE-129 and CWE-131 categories related to improper input validation and buffer overflow conditions, while the attack vector maps to ATT&CK technique T1059.007 for remote exploitation of network services and T1499.004 for network disruption through service availability attacks.
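The length-consistency property behind this issue and behind the AS_PATH validation mitigation above, as an added C example (not Quagga's code and not the 1.2.2 patch). The function names are hypothetical; the encoder splits paths longer than 255 ASNs into several AS_SEQUENCE segments as RFC 4271 requires, and the validator accepts only AS_SET and AS_SEQUENCE segments, a simplification that rejects confederation segment types.

```c
#include <stddef.h>
#include <stdint.h>

#define AS_SET      1
#define AS_SEQUENCE 2
#define SEG_MAX     255 /* the segment length field is a single octet */

/* Bytes needed for n ASNs: one 2-byte header per segment, counted once. */
size_t aspath_wire_size(size_t n, size_t asn_bytes)
{
    size_t segs = (n + SEG_MAX - 1) / SEG_MAX;
    return segs * 2 + n * asn_bytes;
}

/* Encode n > 0 ASNs, splitting long paths; returns bytes written,
 * or 0 if buf is too small. asn_bytes is 2 or 4. */
size_t aspath_encode(const uint32_t *asns, size_t n, size_t asn_bytes,
                     uint8_t *buf, size_t cap)
{
    size_t off = 0;
    if (aspath_wire_size(n, asn_bytes) > cap) return 0;
    while (n > 0) {
        size_t chunk = n > SEG_MAX ? SEG_MAX : n;
        buf[off++] = AS_SEQUENCE;
        buf[off++] = (uint8_t)chunk;
        for (size_t i = 0; i < chunk; i++, asns++)
            for (size_t b = asn_bytes; b-- > 0;)   /* network byte order */
                buf[off++] = (uint8_t)(*asns >> (8 * b));
        n -= chunk;
    }
    return off;
}

/* Receiver-side check: the segments must consume exactly attr_len bytes.
 * Returns the ASN count, or -1 if the attribute is malformed. */
long aspath_validate(const uint8_t *p, size_t attr_len, size_t asn_bytes)
{
    size_t off = 0;
    long total = 0;
    while (off < attr_len) {
        if (attr_len - off < 2) return -1;           /* truncated header */
        uint8_t type = p[off], count = p[off + 1];
        if (type != AS_SET && type != AS_SEQUENCE) return -1;
        if (count == 0) return -1;                   /* empty segment */
        size_t body = (size_t)count * asn_bytes;
        if (attr_len - off - 2 < body) return -1;    /* overruns attribute */
        off += 2 + body;
        total += count;
    }
    return total;
}
```

An attribute length that disagrees with the bytes actually written by even two octets makes the walk end on a bad header or an overrunning segment, which is the kind of malformed UPDATE a peer answers by dropping the session.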