Comments on CVE-2021-26928?
Maria Matejka
maria.matejka at nic.cz
Fri Mar 10 00:40:00 CET 2023
Errata:
s/Tigera/CyberArk Labs/g
I misread the sources. Thanks to Santiago for correcting me.
Maria
On 3/10/23 00:09, Maria Matejka via Bird-users wrote:
> Hello!
>
> In fact, I think that Tigera should have never submitted this CVE as it
> makes no sense at all. Adding the fact that nobody from Tigera has ever
> reached out to us regarding this CVE, this simply isn't a legit CVE.
>
> I'll submit a request to reject this CVE. Thank you for pointing to it.
>
> Maria
>
> On 3/9/23 09:02, Radu CARPA wrote:
>> Hi,
>>
>> I allow myself to jump on this discussion.
>> That CVE report is about attacking a kubernetes cluster running Calico
>> (see the link in the `References to Advisories, Solutions, and Tools`
>> section in the NIST CVE). By default, calico doesn't require password
>> authentication for BGP connections. However, that can be enabled using
>> the `nodeMeshPassword` on the `BGPConfiguration` resource. It can also
>> be enabled on peers outside the cluster using the `password` field of
>> the `BGPPeer` custom resource. I'm not sure if it's possible to enable
>> it globally for the listening socket though. Moreover, Calico uses a
>> self-patched, old version of Bird. I believe 1.6.8.
>>
>> I "think" that CVE was mislabeled and shouldn't refer to bird as the
>> source of the problem.
>> I personally use Password authentication with bird without issues.
>>
>> Regards,
>> Radu
>>
>> On 3/9/23 08:15, Ondrej Filip wrote:
>>> On 09. 03. 23 5:14, William wrote:
>>>> On 09/03/2023 13:41, Robert Scheck wrote:
>>>>> Hello,
>>>
>>> Hi!
>>>
>>>>>
>>>>> with https://bugzilla.redhat.com/show_bug.cgi?id=2176483, Red Hat
>>>>> pointed
>>>>> me today to CVE-2021-26928.
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2021-26928
>>>>> contains a reference to BIRD 2.0.7, but no link related to BIRD
>>>>> upstream.
>>>>>
>>>>> Do you see any chance for some comments on it (at least here)? Not
>>>>> sure if
>>>>> MITRE adds it then as references at CVE-2021-26928.
>>>>
>>>> I have a PDF of the Bird help documentation that I saved in 2019
>>>> (Fossies) that lists password authentication mechanisms as per
>>>> RFC2385 with extra options for BSD systems. I'll defer to the Dev
>>>> team on this for the final word, but someone has some crossed wires
>>>> here.
>>>
>>> Yes, this functionality was added in 1.0.12 (12 Nov 2008). So I do
>>> not understand this CVE.
>>>
>>> Ondrej
>>>
>>>>
>>>>>
>>>>> Thank you.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Robert
>>>>
>>>> Regards,
>>>> William
>>>
>>
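The Calico settings Radu describes above, written out as an added illustration that is not part of this thread or of the Calico project's own documentation: a `BGPConfiguration` carrying `nodeMeshPassword` for the node-to-node mesh, and a `BGPPeer` carrying `password` for a peer outside the cluster, both pulling the TCP-MD5 (RFC 2385) secret from a Kubernetes Secret. The Secret name and key, the namespace, the AS numbers and the peer address are assumed placeholder values.

```yaml
# Constructed example. Without nodeMeshPassword / password, Calico's
# BGP sessions run without TCP-MD5 authentication (the default Radu notes).
apiVersion: v1
kind: Secret
metadata:
  name: bgp-secrets                 # assumed name
  namespace: calico-system          # assumed; use the namespace Calico runs in
type: Opaque
stringData:
  mesh-password: "REPLACE-WITH-MESH-SECRET"   # placeholder value
  peer-password: "REPLACE-WITH-PEER-SECRET"   # placeholder value
---
# Cluster-wide setting: authenticate every node-to-node mesh session.
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
  name: default
spec:
  nodeToNodeMeshEnabled: true
  asNumber: 64512                   # assumed private ASN
  nodeMeshPassword:
    secretKeyRef:
      name: bgp-secrets
      key: mesh-password
---
# Per-peer setting: authenticate the session to a router outside the cluster.
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
  name: upstream-router
spec:
  peerIP: 192.0.2.1                 # assumed documentation address
  asNumber: 64513                   # assumed private ASN
  password:
    secretKeyRef:
      name: bgp-secrets
      key: peer-password
```

Calico turns these into BIRD `password` options on the generated BGP protocol blocks; a session whose other end lacks the matching secret fails to establish, so check `calicoctl node status` after applying it.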