Comments on CVE-2021-26928?

Maria Matejka maria.matejka at nic.cz
Fri Mar 10 00:40:00 CET 2023


Errata:

s/Tigera/CyberArk Labs/g

I misread the sources. Thanks to Santiago for correcting me.

Maria

On 3/10/23 00:09, Maria Matejka via Bird-users wrote:
> Hello!
> 
> In fact, I think that Tigera should have never submitted this CVE as it 
> makes no sense at all. Adding the fact that nobody from Tigera has ever 
> reached out to us regarding this CVE, this simply isn't a legit CVE.
> 
> I'll submit a request to reject this CVE. Thank you for pointing to it.
> 
> Maria
> 
> On 3/9/23 09:02, Radu CARPA wrote:
>> Hi,
>>
>> I allow myself to jump on this discussion.
>> That CVE report is about attacking a Kubernetes cluster running Calico 
>> (see the link in the `References to Advisories, Solutions, and Tools` 
>> section in the NIST CVE). By default, Calico doesn't require password 
>> authentication for BGP connections. However, that can be enabled using 
>> the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also 
>> be enabled on peers outside the cluster using the `password` field of 
>> the `BGPPeer` custom resource. I'm not sure if it's possible to enable 
>> it globally for the listening socket though. Moreover, Calico uses a 
>> self-patched, old version of Bird. I believe 1.6.8.
>>
>> I "think" that CVE was mislabeled and shouldn't refer to bird as the 
>> source of the problem.
>> I personally use password authentication with bird without issues.
>>
>> Regards,
>> Radu
>>
>> On 3/9/23 08:15, Ondrej Filip wrote:
>>> On 09. 03. 23 5:14, William wrote:
>>>> On 09/03/2023 13:41, Robert Scheck wrote:
>>>>> Hello,
>>>
>>> Hi!
>>>
>>>>>
>>>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat pointed
>>>>> me today to CVE-2021-26928. https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>>>> contains a reference to BIRD 2.0.7, but no link related to BIRD upstream.
>>>>>
>>>>> Do you see any chance for some comments on it (at least here)? Not sure if
>>>>> MITRE adds it then as references at CVE-2021-26928.
>>>>
>>>> I have a PDF of the Bird help documentation that I saved in 2019 
>>>> (Fossies) that lists password authentication mechanisms as per 
>>>> RFC2385 with extra options for BSD systems.  I'll defer to the Dev 
>>>> team on this for the final word, but someone has some crossed wires 
>>>> here.
>>>
>>> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do 
>>> not understand this CVE.
>>>
>>>     Ondrej
>>>
>>>>
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>> Regards,
>>>>>   Robert
>>>>
>>>> Regards,
>>>> William
>>>
>>
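Radu's message above describes the two Calico knobs that turn on BGP session passwords (RFC 2385 TCP MD5): `nodeMeshPassword` on the `BGPConfiguration` resource for the node-to-node mesh, and the `password` field on a `BGPPeer` for peers outside the cluster. The manifests below are an added illustration of those two settings side by side with the unauthenticated default; they are not part of the thread and not taken from the Calico project's documentation. The Secret name, key names, peer address, AS number and the `kube-system` namespace are constructed placeholders, and the `secretKeyRef` shape is assumed from the Calico API rather than stated in the thread.

```yaml
# Added example: Calico BGP session passwords (RFC 2385 TCP MD5).
# All names, addresses and AS numbers here are constructed placeholders.

# Secret holding the shared session keys. Assumption: calico-node reads
# BGP password secrets from the kube-system namespace.
apiVersion: v1
kind: Secret
metadata:
  name: bgp-secrets
  namespace: kube-system
type: Opaque
stringData:
  node-mesh-password: "REPLACE_WITH_A_STRONG_RANDOM_SECRET"
  rr-password: "REPLACE_WITH_A_DIFFERENT_STRONG_RANDOM_SECRET"
---
# Weak (default) setting: no nodeMeshPassword, so mesh sessions between
# nodes are accepted without TCP MD5 authentication.
#
# apiVersion: projectcalico.org/v3
# kind: BGPConfiguration
# metadata:
#   name: default
# spec:
#   nodeToNodeMeshEnabled: true
#   asNumber: 64512
#
# Corrected setting: every node-to-node mesh session must present the
# shared key referenced by nodeMeshPassword.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: true
  asNumber: 64512
  nodeMeshPassword:
    secretKeyRef:
      name: bgp-secrets
      key: node-mesh-password
---
# Peers outside the cluster (e.g. a route reflector) get their own key
# through the BGPPeer `password` field; the far end must be configured
# with the same key or the TCP session will not come up.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: external-route-reflector
spec:
  peerIP: 192.0.2.1
  asNumber: 64512
  password:
    secretKeyRef:
      name: bgp-secrets
      key: rr-password
```

Because TCP MD5 authentication is symmetric, a key mismatch shows up as a BGP session that never reaches Established rather than as an explicit error, so after applying a change like this the practical check is to confirm that every expected peer is still Established (for example with `calicoctl node status`) and that the BIRD configuration Calico generates on the node now carries a `password` option on each protocol.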