Executive Summary

Summary
Title: Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
Information
Name: VU#793496
First vendor Publication: 2017-07-27
Vendor: VU-CERT
Last vendor Modification: 2017-10-18
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector: (AV:A/AC:M/Au:N/C:N/I:P/A:P)
Cvss Base Score: 4.3
Attack Range: Adjacent network
Cvss Impact Score: 4.9
Attack Complexity: Medium
Cvss Exploit Score: 5.5
Authentication: None Required

Detail

Vulnerability Note VU#793496

Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Original Release date: 27 Jul 2017 | Last revised: 18 Oct 2017

Overview

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.

Description

CWE-354: Improper Validation of Integrity Check Value

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by an LSA must be the same when prematurely aging a self-originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft an LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.
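
The recency rule described above, as an added example in C (not code from the advisory or from any affected vendor): lsa_recency follows RFC 2328 section 13.1, including its MaxAgeDiff step, and lsa_maxseq_mismatch is an assumed detection check for a received MaxSequenceNumber instance whose checksum differs from the stored one. The struct, the function names and the sample headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define MAX_AGE      3600        /* RFC 2328 MaxAge, seconds */
#define MAX_AGE_DIFF 900         /* RFC 2328 MaxAgeDiff, seconds */
#define MAX_SEQ      0x7fffffff  /* MaxSequenceNumber */

struct lsa_hdr {                 /* hypothetical: recency fields only */
    uint16_t age;                /* LS age, seconds */
    int32_t  seq;                /* LS sequence number (signed) */
    uint16_t checksum;           /* covers the LSA except LS age */
};

/* RFC 2328 13.1: >0 if a is more recent, <0 if b is, 0 if identical. */
int lsa_recency(const struct lsa_hdr *a, const struct lsa_hdr *b)
{
    if (a->seq != b->seq)
        return a->seq > b->seq ? 1 : -1;
    if (a->checksum != b->checksum)            /* larger checksum wins */
        return a->checksum > b->checksum ? 1 : -1;
    if ((a->age == MAX_AGE) != (b->age == MAX_AGE))
        return a->age == MAX_AGE ? 1 : -1;
    int diff = (int)a->age - (int)b->age;
    if (diff > MAX_AGE_DIFF)  return -1;       /* smaller age wins */
    if (diff < -MAX_AGE_DIFF) return 1;
    return 0;
}

/* Added check (an assumption, not a vendor fix): both instances sit at
 * MaxSequenceNumber but their checksums differ, so the received one is
 * not a plain premature-aging copy of the stored LSA. 1 = flag it. */
int lsa_maxseq_mismatch(const struct lsa_hdr *stored, const struct lsa_hdr *rcvd)
{
    return stored->seq == MAX_SEQ && rcvd->seq == MAX_SEQ &&
           stored->checksum != rcvd->checksum;
}

/* Constructed sample headers for one LSA; checksums are made-up values. */
static const struct lsa_hdr stored_lsa = { 120,     MAX_SEQ, 0x3a1c };
static const struct lsa_hdr aged_copy  = { MAX_AGE, MAX_SEQ, 0x3a1c };
static const struct lsa_hdr altered    = { MAX_AGE, MAX_SEQ, 0xd2f0 };

int main(void)
{
    printf("aged copy: recency=%d flag=%d\n", lsa_recency(&aged_copy, &stored_lsa),
           lsa_maxseq_mismatch(&stored_lsa, &aged_copy));
    printf("altered:   recency=%d flag=%d\n", lsa_recency(&altered, &stored_lsa),
           lsa_maxseq_mismatch(&stored_lsa, &altered));
    return 0;
}
```

Both received instances rank as more recent than the stored one, but only the instance with a different checksum is flagged, because the LS checksum does not cover LS age and a premature-aging copy keeps the stored checksum.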

Impact

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Solution

Install Updates

The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Vendor Information

Because this is an implementation vulnerability, CVE IDs are assigned for each known affected codebase:

  • CVE-2017-3224 has been reserved for Quagga and downstream implementations (SUSE, openSUSE, and Red Hat packages).
  • CVE-2017-3752 describes this vulnerability in affected Lenovo products.
  • CVE-2017-6770 describes this vulnerability in affected Cisco products.

Vendor                  Status        Date Notified  Date Updated
Cisco                   Affected      12 May 2017    08 Aug 2017
Lenovo                  Affected      12 May 2017    17 Jul 2017
openSUSE project        Affected      12 May 2017    25 Jul 2017
Quagga                  Affected      17 Jul 2017    26 Jul 2017
Red Hat, Inc.           Affected      12 May 2017    25 Jul 2017
SUSE Linux              Affected      12 May 2017    25 Jul 2017
Apple                   Not Affected  12 May 2017    05 Jun 2017
Arista Networks, Inc.   Not Affected  12 May 2017    17 Jul 2017
CoreOS                  Not Affected  12 May 2017    12 May 2017
D-Link Systems, Inc.    Not Affected  12 May 2017    17 Aug 2017
FreeBSD Project         Not Affected  12 May 2017    18 Jul 2017
HTC                     Not Affected  12 May 2017    23 May 2017
Huawei Technologies     Not Affected  12 May 2017    26 Jul 2017
Intel Corporation       Not Affected  12 May 2017    17 Jul 2017
Juniper Networks        Not Affected  12 May 2017    17 Jul 2017

CVSS Metrics

Group          Score  Vector
Base           5.4    AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal       4.9    E:POC/RL:ND/RC:C
Environmental  3.6    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/354.html
  • https://en.wikipedia.org/wiki/Open_Shortest_Path_First
  • https://www.ietf.org/rfc/rfc2328.txt

Credit

Thanks to Adi Sosnovich, Orna Grumberg, and Gabi Nakibly for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2017-3224, CVE-2017-3752, CVE-2017-6770
  • Date Public: 27 Jul 2017
  • Date First Published: 27 Jul 2017
  • Date Last Updated: 18 Oct 2017
  • Document Revision: 35


Original Source

Url : http://www.kb.cert.org/vuls/id/793496

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-20 Improper Input Validation
33 % CWE-345 Insufficient Verification of Data Authenticity


Alert History

Date                 Information
2018-07-24 21:21:46  Multiple Updates
2017-10-18 17:19:50  Multiple Updates
2017-09-27 17:22:20  Multiple Updates
2017-08-31 00:23:15  Multiple Updates
2017-08-17 17:21:45  Multiple Updates
2017-08-15 21:25:24  Multiple Updates
2017-08-09 00:22:34  Multiple Updates
2017-07-28 00:21:42  First insertion