8.2 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
4.3 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:P/A:P
0.004 Low
EPSS
Percentile
71.5%
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.
CWE-354: Improper Validation of Integrity Check Value
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by an LSA must be the same when prematurely aging a self-originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft an LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a ‘newer’ LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.
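The recency rules of RFC 2328 section 13.1 described above, written out as an added example (not code from Quagga or any affected vendor), together with one possible check that flags a self-originated LSA at MaxSequenceNumber whose checksum differs from the database copy. The struct and function names are hypothetical, and the check is an illustration, not a vendor's fix.

```c
/* Added example: RFC 2328 section 13.1 recency comparison plus a
 * defensive check for the MaxSequenceNumber case described above.
 * Struct and function names are hypothetical, not from any vendor code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SEQUENCE_NUMBER 0x7fffffff /* RFC 2328 appendix B */
#define MAX_AGE      3600              /* seconds */
#define MAX_AGE_DIFF 900               /* seconds */

struct lsa_hdr {
    uint16_t age;        /* LS age in seconds */
    uint32_t adv_router; /* Advertising Router ID */
    int32_t  seq;        /* LS sequence number, signed */
    uint16_t checksum;   /* Fletcher checksum over the LSA contents */
};

/* Returns 1 if a is more recent than b, -1 if older, 0 if the same instance. */
int lsa_more_recent(const struct lsa_hdr *a, const struct lsa_hdr *b)
{
    if (a->seq != b->seq)                     /* 1. sequence number */
        return a->seq > b->seq ? 1 : -1;
    if (a->checksum != b->checksum)           /* 2. larger checksum wins */
        return a->checksum > b->checksum ? 1 : -1;
    if ((a->age == MAX_AGE) != (b->age == MAX_AGE)) /* 3. MaxAge wins */
        return a->age == MAX_AGE ? 1 : -1;
    if (abs((int)a->age - (int)b->age) > MAX_AGE_DIFF) /* 4. younger wins */
        return a->age < b->age ? 1 : -1;
    return 0;
}

/* Flags a received LSA that claims to come from this router, sits at
 * MaxSequenceNumber like the database copy, yet has a different checksum
 * (and therefore different contents). */
bool maxseq_self_lsa_mismatch(uint32_t my_router_id,
                              const struct lsa_hdr *db,
                              const struct lsa_hdr *rx)
{
    return rx->adv_router == my_router_id &&
           db->adv_router == my_router_id &&
           rx->seq == MAX_SEQUENCE_NUMBER &&
           db->seq == MAX_SEQUENCE_NUMBER &&
           rx->checksum != db->checksum;
}

int main(void)
{
    /* Constructed sample: the router is flushing its own LSA (MaxAge),
     * and a copy with a larger checksum arrives from a neighbor. */
    struct lsa_hdr db = { MAX_AGE, 0x0a000001, MAX_SEQUENCE_NUMBER, 0x1a2b };
    struct lsa_hdr rx = { 1, 0x0a000001, MAX_SEQUENCE_NUMBER, 0xf00d };
    printf("rx vs db: %d, mismatch flagged: %d\n",
           lsa_more_recent(&rx, &db),
           maxseq_self_lsa_mismatch(0x0a000001, &db, &rx));
    return 0;
}
```

In the constructed sample the checksum comparison is reached before the MaxAge comparison, so the received copy ranks as more recent even though the database copy is being flushed; the mismatch check is what singles it out.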
Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.
Install Updates
The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.
Because this is an implementation vulnerability, CVE IDs are assigned for each known affected codebase:
* CVE-2017-3224 has been reserved for Quagga and downstream implementations (SUSE, openSUSE, and Red Hat packages).
* CVE-2017-3752 describes this vulnerability in affected Lenovo products.
* CVE-2017-6770 describes this vulnerability in affected Cisco products.
793496
Notified: May 12, 2017 Updated: August 08, 2017
Statement Date: July 26, 2017
Affected
We have not received a statement from the vendor.
CVE-2017-6770 describes this vulnerability in affected Cisco products.
Notified: May 12, 2017 Updated: July 17, 2017
Statement Date: July 17, 2017
Affected
We have not received a statement from the vendor.
CVE-2017-3752 describes this vulnerability in affected Lenovo products.
Notified: July 17, 2017 Updated: July 26, 2017
Statement Date: July 25, 2017
Affected
We have not received a statement from the vendor.
CVE-2017-3224 has been assigned for Quagga’s affected ospfd implementation.
Notified: May 12, 2017 Updated: July 25, 2017
Statement Date: May 15, 2017
Affected
We have not received a statement from the vendor.
CVE-2017-3224, reserved for Quagga, also applies to derivative affected Red Hat packages.
Notified: May 12, 2017 Updated: July 25, 2017
Statement Date: May 16, 2017
Affected
SUSE and openSUSE package quagga and are affected by the issue
CVE-2017-3224, reserved for Quagga, also applies to the affected SUSE and openSUSE packages.
Notified: May 12, 2017 Updated: July 25, 2017
Statement Date: May 16, 2017
Affected
SUSE and openSUSE package quagga and are affected by the issue
CVE-2017-3224, reserved for Quagga, also applies to the affected SUSE and openSUSE packages.
Notified: May 12, 2017 Updated: June 05, 2017
Statement Date: June 02, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 17, 2017
Statement Date: July 17, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: May 12, 2017
Statement Date: May 12, 2017
Not Affected
CoreOS’s products are not vulnerable to this exploit.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: August 17, 2017
Statement Date: August 16, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 18, 2017
Statement Date: May 13, 2017
Not Affected
The FreeBSD base system does not ship with an OSPF, therefore we consider our product as “Not affected”.
We do ship several third party OSPF routing implementations as add-on software (packages) and will keep an eye on these.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: May 23, 2017
Statement Date: May 18, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 26, 2017
Statement Date: July 26, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 17, 2017
Statement Date: July 17, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 17, 2017
Statement Date: July 17, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: September 27, 2017
Statement Date: September 27, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: May 12, 2017 Updated: July 19, 2017
Statement Date: July 18, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: October 18, 2017
Statement Date: October 18, 2017
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 4.9 | E:POC/RL:ND/RC:C |
Environmental | 3.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Adi Sosnovich, Orna Grumberg, and Gabi Nakibly for reporting this vulnerability.
This document was written by Joel Land.
CVE IDs: | CVE-2017-3224, CVE-2017-3752, CVE-2017-6770 |
---|---|
Date Public: | 2017-07-27 Date First Published: |