Comments on CVE-2021-26928?
Radu CARPA
radu.carpa at cern.ch
Thu Mar 9 09:02:28 CET 2023
Hi,
I allow myself to jump on this discussion.
That CVE report is about attacking a kubernetes cluster running Calico
(see the link in the `References to Advisories, Solutions, and Tools`
section in the NIST CVE). By default, Calico doesn't require password
authentication for BGP connections. However, that can be enabled using
the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also
be enabled on peers outside the cluster using the `password` field of
the `BGPPeer` custom resource. I'm not sure if it's possible to enable
it globally for the listening socket though. Moreover, Calico uses a
self-patched, old version of Bird. I believe 1.6.8.
I "think" that CVE was mislabeled and shouldn't refer to bird as the
source of the problem.
I personally use Password authentication with bird without issues.
Regards,
Radu
On 3/9/23 08:15, Ondrej Filip wrote:
> On 09. 03. 23 5:14, William wrote:
>> On 09/03/2023 13:41, Robert Scheck wrote:
>>> Hello,
>
> Hi!
>
>>>
>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat
>>> pointed
>>> me today to CVE-2021-26928.
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>> contains a reference to BIRD 2.0.7, but no link related to BIRD
>>> upstream.
>>>
>>> Do you see any chance for some comments on it (at least here)? Not
>>> sure if
>>> MITRE adds it then as references at CVE-2021-26928.
>>
>> I have a PDF of the Bird help documentation that I saved in 2019
>> (Fossies) that lists password authentication mechanisms as per
>> RFC2385 with extra options for BSD systems. I'll defer to the Dev
>> team on this for the final word, but someone has some crossed wires
>> here.
>
> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do not
> understand this CVE.
>
> Ondrej
>
>>
>>>
>>> Thank you.
>>>
>>>
>>> Regards,
>>> Robert
>>
>> Regards,
>> William
>
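As an added illustration, not taken from Radu's message or from the Calico project's own documentation, here are the two Calico resources mentioned above with BGP password authentication enabled, the password being read from a Kubernetes Secret rather than written into the manifest. The Secret name `bgp-secrets`, the key `rr-password`, the peer address `192.0.2.40` and the AS number `64567` are constructed values for the example.

```yaml
# Added example (not project code). Secret holding the TCP MD5 password.
# It must live in a namespace calico-node can read Secrets from; which
# namespace that is depends on how Calico was installed (assumption: the
# operator-managed calico-system namespace).
apiVersion: v1
kind: Secret
metadata:
  name: bgp-secrets
  namespace: calico-system
type: Opaque
stringData:
  rr-password: "replace-with-a-long-random-password"   # constructed placeholder
---
# Enables password authentication for the in-cluster node-to-node mesh.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: true
  asNumber: 64512                     # constructed cluster AS number
  nodeMeshPassword:
    secretKeyRef:
      name: bgp-secrets
      key: rr-password
---
# Enables password authentication for a peer outside the cluster
# (e.g. a top-of-rack router or route reflector).
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: external-rr
spec:
  peerIP: 192.0.2.40                  # constructed documentation address
  asNumber: 64567                     # constructed peer AS number
  password:
    secretKeyRef:
      name: bgp-secrets
      key: rr-password
```

Both sides of the session must be configured with the same password, otherwise the TCP connection is rejected at the kernel level and the BGP session never reaches Established; when a peer unexpectedly stays in Connect or Active after this change, a password mismatch is the first thing to check.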