As you can read at
https://mailman.nanog.org/pipermail/nanog/2019-January/098761.html
There is a serious issue in frr. Please Update to current version.
If I had read the irc log's right one user reported it.
As you can read at
https://mailman.nanog.org/pipermail/nanog/2019-January/098761.html
There is a serious issue in frr. Please Update to current version.
If I had read the irc log's right one user reported it.
We plan to resume the experiments January 16th (next Wednesday), and have updated the experiment schedule [A] accordingly. As always, we welcome your feedback.
Hopefully EPA3 with a fixed FRR will be out by then...
The FRR devs have released binary packages including the fix and announced it on the FRR mailing lists. After considering the feedback on the list and discussing with FRR devs, we will postpone the experiments until Jan. 23rd, and have updated the schedule to reflect the delayed start and shorter timeline [A]. We will follow up with FRR devs and mailing lists/users.
VyOS is not affected by this issue
https://vulmon.com/vulnerabilitydetails?qid=CVE-2019-5892
as it requires FRR build with certain options which we not use
it can be some other issue though
will appreciate if it's possible to get procedure how to reproduce and we happy to work with frr devs to address that
@syncer thats not true:
vyos@fw-1:~$ /usr/lib/frr/bgpd -v
bgpd version 6.1-dev
Copyright 1996-2005 Kunihiro Ishiguro, et al.
configured with:
'--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libexecdir=${prefix}/lib/frr' '--disable-maintainer-mode' '--enable-exampledir=/usr/share/doc/frr/examples/' '--localstatedir=/var/run/frr' '--sbindir=/usr/lib/frr' '--sysconfdir=/etc/frr' '--enable-snmp' '--enable-ospfapi=yes' '--enable-multipath=256' '--enable-fpm' '--enable-user=frr' '--enable-group=frr' '--enable-vty-group=frrvty' '--enable-configfile-mask=0640' '--enable-logfile-mask=0640' '--disable-werror' '--with-libpam' '--enable-systemd=yes' '--enable-cumulus=no' '--disable-dependency-tracking' '--enable-bgp-vnc=yes' '--enable-rpki' 'build_alias=x86_64-linux-gnu'
vyos@fw-1:~$
This is from epa2 and there is good to see: '--enable-bgp-vnc=yes'
From the CVE:
"FRRouting “FRR” (bgpd) on any platforms if it is configured (during compile time) with --enable-vnc. This includes packages released by the FRR team and FreeBSD Ports"
"Any other version built with VNC disabled. To check if your version and if it has bgp-vnc enabled, use the either the vtysh command show version (if FRR is running) or bgpd --version if FRR is not running and look for “bgp-vnc” in the output (example: --enable-bgp-vnc=yes or similar). If there is no output containing “bgp-vnc”, then vnc is disabled, and that version is not vulnerable."
No need to disable VNC :-) The FRR package should be fixed already so just need to make sure it is in EPA3.
@danhusan Yup, I experienced BGP reset/flapping at the same time. Looking forward to EPA3 :)