
CERT Coordination Center

Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Vulnerability Note VU#793496

Original Release Date: 2017-07-27 | Last Revised: 2017-10-18

Overview

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.

Description

CWE-354: Improper Validation of Integrity Check Value

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs carrying MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of the links carried by an LSA must be the same when prematurely aging a self-originated LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft an LSA with MaxSequenceNumber and invalid links that results in a larger checksum, and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial-of-service condition or the re-routing of traffic on the network.
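The following Python is an added illustration, not code from this note or from any affected vendor. It implements the RFC 2328 section 13.1 recency ordering (sequence number, then checksum, then MaxAge, then age difference) over a simplified LSA record, and shows why an instance at MaxSequenceNumber with a larger checksum outranks the router's own MaxAge flush instance. The `accept_self_originated_maxseq` check is an assumed hardening suggested by the description above (compare the received link contents against what this router actually originated), not the fix any vendor shipped; the LSA field values and link tuples are constructed sample data.

```python
from dataclasses import dataclass
from typing import Tuple

# Architectural constants from RFC 2328, Appendix B.
MAX_SEQUENCE_NUMBER = 0x7FFFFFFF
MAX_AGE = 3600        # seconds
MAX_AGE_DIFF = 900    # seconds

# Constructed simplification of a router-LSA link: (Link ID, Link Data, metric).
Link = Tuple[str, str, int]


@dataclass(frozen=True)
class LSA:
    ls_type: int
    link_state_id: str
    advertising_router: str
    ls_sequence_number: int
    ls_checksum: int        # treated as an opaque 16-bit field here
    ls_age: int
    links: Tuple[Link, ...]


def is_same_lsa(a: LSA, b: LSA) -> bool:
    """Two instances of the *same* LSA share type, Link State ID and Advertising Router."""
    return (a.ls_type, a.link_state_id, a.advertising_router) == (
        b.ls_type, b.link_state_id, b.advertising_router)


def compare_recency(a: LSA, b: LSA) -> int:
    """RFC 2328 section 13.1 ordering between two instances of the same LSA.
    Returns 1 if a is more recent, -1 if b is more recent, 0 if they are the same instance."""
    if not is_same_lsa(a, b):
        raise ValueError("recency is only defined between instances of the same LSA")
    if a.ls_sequence_number != b.ls_sequence_number:
        return 1 if a.ls_sequence_number > b.ls_sequence_number else -1
    if a.ls_checksum != b.ls_checksum:
        return 1 if a.ls_checksum > b.ls_checksum else -1
    a_max, b_max = a.ls_age == MAX_AGE, b.ls_age == MAX_AGE
    if a_max != b_max:
        return 1 if a_max else -1
    if abs(a.ls_age - b.ls_age) > MAX_AGE_DIFF:
        return 1 if a.ls_age < b.ls_age else -1
    return 0


def accept_self_originated_maxseq(local: LSA, received: LSA) -> str:
    """Assumed hardening (not a vendor patch): when this router receives an instance of
    its own LSA at MaxSequenceNumber, the checksum tiebreak alone would decide recency,
    so a copy whose link contents differ from what we originated is rejected instead of
    being installed over our flush instance. Returns 'reject', 'install' or 'ignore'."""
    if not is_same_lsa(local, received):
        raise ValueError("not an instance of the local LSA")
    if (received.ls_sequence_number == MAX_SEQUENCE_NUMBER
            and received.links != local.links):
        return "reject"
    return "install" if compare_recency(received, local) > 0 else "ignore"


# Constructed sample: this router's own flush instance (MaxAge, MaxSequenceNumber).
LOCAL_FLUSH = LSA(1, "10.0.0.1", "10.0.0.1", MAX_SEQUENCE_NUMBER, 0x1234, MAX_AGE,
                  (("10.0.0.2", "10.0.12.1", 10),))
# Constructed sample: same LSA, same sequence number, fabricated links, larger checksum.
RECEIVED_BOGUS = LSA(1, "10.0.0.1", "10.0.0.1", MAX_SEQUENCE_NUMBER, 0x8ABC, 10,
                     (("192.0.2.99", "10.0.12.1", 1),))
# Constructed sample: a stale copy of our own instance with the same contents.
RECEIVED_DUP = LSA(1, "10.0.0.1", "10.0.0.1", MAX_SEQUENCE_NUMBER, 0x1234, 10,
                   (("10.0.0.2", "10.0.12.1", 10),))


def demo() -> dict:
    """Show the 13.1 outcome and the hardened outcome side by side."""
    return {
        "rfc_13_1_bogus_is_newer": compare_recency(RECEIVED_BOGUS, LOCAL_FLUSH) == 1,
        "hardened_bogus": accept_self_originated_maxseq(LOCAL_FLUSH, RECEIVED_BOGUS),
        "hardened_dup": accept_self_originated_maxseq(LOCAL_FLUSH, RECEIVED_DUP),
    }


if __name__ == "__main__":
    print(demo())
```

Under the plain section 13.1 ordering the bogus instance wins purely on its larger checksum, even though the local copy is already at MaxAge; the added contents check turns that into a rejection while leaving a genuine duplicate of our own instance on the normal path.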

Impact

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Solution

Install Updates

The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Vendor Information

As an implementation vulnerability, CVE IDs are assigned for each known affected codebase:

    • CVE-2017-3224 has been reserved for Quagga and downstream implementations (SUSE, openSUSE, and Red Hat packages).
    • CVE-2017-3752 describes this vulnerability in affected Lenovo products.
    • CVE-2017-6770 describes this vulnerability in affected Cisco products.



CVSS Metrics

Group          Score   Vector
Base           5.4     AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal       4.9     E:POC/RL:ND/RC:C
Environmental  3.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Adi Sosnovich, Orna Grumberg, and Gabi Nakibly for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2017-3224, CVE-2017-3752, CVE-2017-6770
Date Public: 2017-07-27
Date First Published: 2017-07-27
Date Last Updated: 2017-10-18 14:19 UTC
Document Revision: 36

Sponsored by CISA.