CVE-2017-5495

Name of the Vulnerable Software and Affected Versions Quagga versions 0.93 through 1.1.0

Description The issue is related to an unbounded memory allocation in the telnet 'vty' CLI, which can lead to a Denial-of-Service of Quagga daemons or the entire host. This can be triggered by anyone who can connect to the TCP ports when the Quagga daemons are configured with their telnet CLI enabled, prior to authentication. Most distributions restrict the Quagga telnet interface to local access only by default. The Quagga telnet interface 'vty' input buffer grows automatically without bound as long as a newline is not entered, allowing an attacker to cause the Quagga daemon to allocate unbounded memory by sending very long strings without a newline.

Recommendations For Quagga versions 0.93 through 1.1.0, update to Quagga 1.1.1 or later to resolve the issue. As a temporary workaround, consider disabling the telnet CLI until a patch is available. Restrict access to the telnet interface to minimize the risk of exploitation.