Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers

2013-08-01T00:00:00
ID VU:229804
Type cert
Reporter CERT
Modified 2013-12-06T00:00:00

Description

Overview

The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allow an attacker to intercept traffic or conduct a Denial of Service (DoS) attack.

Description

CWE-694: Use of Multiple Resources with a Duplicate Identifier

The OSPF protocol requires LSA's to be identified by: LS Type, Advertising Router, and Link State ID. However, during the routing table calculation phase, the specification states that a LSA is queried in the LSA database
using only the Link State ID. Since the Link State ID is used in the LSA database to identify a particular router, a malformed duplicate entry can cause unexpected and insecure implementation-specific behavior.

In some implementations, the vulnerability can allow an attacker to subvert the routing table of victim router by sending false link state advertisements on behalf of other routers. This subversion can cause the victim router
to drop the entire table (denial of service) or to re-route traffic on the network.


Impact

This vulnerability can allow an attacker to re-route traffic, compromising the confidentiality of the data, or to conduct a denial-of-service attack against a router, dropping all traffic.


Solution

Install Updates
The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The list below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.


Vendor Information

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Brocade| | 13 Jun 2013| 05 Aug 2013
Check Point Software Technologies| | 28 May 2013| 16 Oct 2013
Cisco Systems, Inc.| | 22 May 2013| 05 Aug 2013
D-Link Systems, Inc.| | 28 May 2013| 05 Aug 2013
Enterasys Networks| | 28 May 2013| 19 Aug 2013
Extreme Networks| | 28 May 2013| 30 Jul 2013
IBM Corporation| | 28 May 2013| 05 Aug 2013
Juniper Networks, Inc.| | 10 May 2013| 03 Dec 2013
NEC Corporation| | 28 May 2013| 10 Sep 2013
Oracle Corporation| | 28 May 2013| 16 Oct 2013
Vyatta| | 10 May 2013| 05 Aug 2013
Yamaha Corporation| | 28 May 2013| 05 Aug 2013
ACME Packet| | 28 May 2013| 18 Jul 2013
Buffalo Inc| | 30 May 2013| 12 Sep 2013
eSoft, Inc.| | 28 May 2013| 30 Jul 2013
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal | 4.2 | E:POC/RL:OF/RC:C
Environmental | 5.1 | CDP:MH/TD:M/CR:ND/IR:ND/AR:H

References

  • <http://tools.ietf.org/html/rfc2328>
  • <http://en.wikipedia.org/wiki/Open_Shortest_Path_First>

Credit

Thanks to Dr. Gabi Nakibly for reporting this vulnerability.

This document was written by Chris King.

Other Information

  • CVE IDs: CVE-2013-0149
  • Date Public: 01 Aug 2013
  • Date First Published: 01 Aug 2013
  • Date Last Updated: 06 Dec 2013
  • Document Revision: 58