Quagga routing suite vulnerable to DoS
The developers of the Quagga open source routing package for IPv4 and IPv6 report that its BGP service can be crashed using crafted OPEN messages and COMMUNITY attributes. However, such messages must originate from configured peers, and BGP update debugging must also be enabled, so the likelihood of a successful attack is categorised as very low. According to the report, versions prior to 0.99.9 are affected; the bug is fixed in version 0.99.9. The changelog for the new version also lists other, non-security-related bug fixes.
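The three conditions above (a version prior to 0.99.9, BGP update debugging enabled, and at least one configured peer) can be checked per router. The following is an added example, not code from the Quagga project or the report; the function names and the sample `bgpd.conf` are constructed, and it assumes debugging is enabled through `debug bgp updates` lines in the configuration file.

```python
import re

FIXED = (0, 99, 9)  # first fixed release according to the article

# Constructed sample configuration (documentation addresses, private AS numbers).
SAMPLE_CONF = """\
! constructed sample bgpd.conf
hostname bgpd
debug bgp updates
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.2 remote-as 64514
 neighbor 192.0.2.2 description transit
!
"""

def parse_version(text):
    """Turn '0.99.8' or '0.99.8-1' into (0, 99, 8) for tuple comparison."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def assess(version, bgpd_conf):
    """Evaluate the article's exposure conditions for one router."""
    lines = [l.strip() for l in bgpd_conf.splitlines()]
    # Lines starting with '!' (comments) or 'no' do not match.
    # Assumption: debugging switched on at runtime is not visible here.
    debug = [l for l in lines if re.match(r"debug\s+bgp\s+updates\b", l)]
    # Only configured peers can deliver the crafted messages.
    peers = sorted({m.group(1) for l in lines
                    if (m := re.match(r"neighbor\s+(\S+)\s+remote-as\s+\d+", l))})
    affected = parse_version(version) < FIXED
    return {
        "affected_version": affected,
        "update_debugging": bool(debug),
        "configured_peers": peers,
        "exposed": affected and bool(debug) and bool(peers),
    }

if __name__ == "__main__":
    for version in ("0.99.8", "0.99.9"):
        print(version, assess(version, SAMPLE_CONF))
```
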
Quagga is a fork of the GNU Zebra routing suite, which was developed by Kunihiro Ishiguro. It supports OSPFv2, OSPFv3, RIP v1 and v2, plus RIPng and BGP-4 under Unix, FreeBSD, Linux, Solaris and NetBSD. Quagga allows a router to be set up using cheap hardware, but offers less functionality than Cisco or Juniper routers.
- bgpd: Low impact DoS (Mu Security), report at Quagga.net