
CERT Coordination Center

Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers

Vulnerability Note VU#229804

Original Release Date: 2013-08-02 | Last Revised: 2013-12-06

Overview

The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack.

Description

CWE-694: Use of Multiple Resources with a Duplicate Identifier

The OSPF protocol requires LSAs to be identified by three fields: LS Type, Advertising Router, and Link State ID. However, during the routing table calculation phase, the specification states that an LSA is queried in the LSA database using only the Link State ID. Since the Link State ID is used in the LSA database to identify a particular router, a malformed duplicate entry can cause unexpected and insecure implementation-specific behavior.

In some implementations, the vulnerability can allow an attacker to subvert the routing table of a victim router by sending false link state advertisements on behalf of other routers. This subversion can cause the victim router to drop the entire table (denial of service) or to re-route traffic on the network.
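
The following audit is an added example, not code from CERT/CC or from any vendor. It parses 20-byte LSA headers, stores them under the full three-field identity, and reports router-LSAs for which a lookup by Link State ID alone would match more than one entry. It assumes the RFC 2328 header layout and the RFC 2328 rule that a router-LSA's Link State ID is the originating router's Router ID; the function names and the sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ROUTER_LSA = 1                 # LS type 1 (router-LSA) in RFC 2328
INITIAL_SEQ = -0x7FFFFFFF      # 0x80000001 read as a signed 32-bit value
# 20-byte LSA header: age, options, LS type, Link State ID,
# Advertising Router, sequence number (signed), checksum, length.
HEADER = struct.Struct("!HBBIIiHH")

def make_header(ls_type, ls_id, adv_router, seq=INITIAL_SEQ):
    """Build a constructed header for the sample data (checksum left at 0)."""
    return HEADER.pack(1, 0x02, ls_type, int(IPv4Address(ls_id)),
                       int(IPv4Address(adv_router)), seq, 0, HEADER.size)

def parse_header(raw):
    _age, _opt, ls_type, ls_id, adv, seq, _ck, _len = HEADER.unpack_from(raw)
    return ls_type, str(IPv4Address(ls_id)), str(IPv4Address(adv)), seq

def audit_router_lsas(raw_headers):
    """Return (ambiguous, mismatched) for the router-LSAs in raw_headers.

    ambiguous:  Link State ID -> advertising routers, where a lookup by
                Link State ID alone matches more than one database entry.
    mismatched: (Link State ID, Advertising Router) pairs that differ.
    """
    database = {}              # full identity -> newest sequence number
    for raw in raw_headers:
        ls_type, ls_id, adv, seq = parse_header(raw)
        key = (ls_type, adv, ls_id)
        database[key] = max(seq, database.get(key, seq))
    by_ls_id = defaultdict(set)
    for ls_type, adv, ls_id in database:
        if ls_type == ROUTER_LSA:
            by_ls_id[ls_id].add(adv)
    ambiguous = {i: sorted(a) for i, a in by_ls_id.items() if len(a) > 1}
    mismatched = sorted((i, a) for i, advs in by_ls_id.items()
                        for a in advs if a != i)
    return ambiguous, mismatched

# Constructed sample: two well-formed router-LSAs, one duplicate-ID entry,
# and a network-LSA (type 2) that this audit ignores.
SAMPLE = [
    make_header(ROUTER_LSA, "10.0.0.1", "10.0.0.1"),
    make_header(ROUTER_LSA, "10.0.0.2", "10.0.0.2"),
    make_header(ROUTER_LSA, "10.0.0.2", "10.0.0.99"),
    make_header(2, "10.0.0.2", "10.0.0.2"),
]

if __name__ == "__main__":
    print(audit_router_lsas(SAMPLE))
```

Either result being non-empty means the database holds router-LSAs that the three-field identity treats as distinct but a Link State ID lookup cannot tell apart.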

Impact

This vulnerability can allow an attacker to re-route traffic, compromising the confidentiality of the data, or to conduct a denial-of-service attack against a router, dropping all traffic.

Solution

Install Updates
The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The list below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Vendor Information



CVSS Metrics

Group Score Vector
Base 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal 4.2 E:POC/RL:OF/RC:C
Environmental 5.1 CDP:MH/TD:M/CR:ND/IR:ND/AR:H

Acknowledgements

Thanks to Dr. Gabi Nakibly for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-0149
Date Public: 2013-08-01
Date First Published: 2013-08-02
Date Last Updated: 2013-12-06 18:59 UTC
Document Revision: 58

Sponsored by CISA.