Bug 1472873 (CVE-2017-3224)

Summary: CVE-2017-3224 quagga: OSPF implementation improperly determines LSA recency (VU#793496)
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: balajig81, mruprich, msekleta, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in several OSPF implementations, including Quagga. A malicious OSPF peer, or an attacker able to spoof messages from an OSPF peer, could send a crafted message that would result in erasure or alteration of the routing table, resulting in denial of service or incorrect routing of traffic.
Last Closed: 2017-08-08 01:26:44 UTC
Bug Depends On: 1476075    
Bug Blocks: 1472881    

Description Adam Mariš 2017-07-19 15:00:11 UTC
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by an LSA must be the same, it is possible with vulnerable OSPF implementations for an attacker to craft an LSA with invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Comment 1 Adam Mariš 2017-07-19 15:00:15 UTC
Acknowledgments:

Name: CERT
Upstream: Adi Sosnovich, Orna Grumberg, Gabi Nakibly

Comment 6 Doran Moppert 2017-07-28 01:36:26 UTC
CERT advisory:

http://www.kb.cert.org/vuls/id/793496

Comment 7 Doran Moppert 2017-07-28 01:36:49 UTC
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1476075]

Comment 9 Doran Moppert 2019-04-15 02:52:07 UTC
Statement:

For an attacker to exploit this vulnerability, they would either need to control an OSPF peer or spoof a message into the routing domain that appears to come from an OSPF peer. The OSPF trust model is not considered robust against malicious or compromised peers influencing the routing table. Message spoofing is effectively prevented by requiring authentication.

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 11 Doran Moppert 2019-04-15 02:52:11 UTC
Mitigation:

It is strongly recommended to configure Quagga to require authentication from OSPF peers (e.g. `ip ospf authentication message-digest`). Message digest authentication effectively prevents even a man-in-the-middle attacker from exploiting this vulnerability or otherwise interfering with the routing table, as any message without a proper cryptographic signature will be rejected.
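
One way to check a router for the mitigation above is to audit `ospfd.conf` for interface stanzas that lack message-digest authentication. This is an added example, not part of the bug report or of Quagga; the sample configuration, interface names and key are constructed. It assumes authentication is set per interface, so area-level `area ... authentication message-digest` lines are not evaluated.

```python
import re

# Constructed sample ospfd.conf; interface names and keys are placeholders.
SAMPLE_CONF = """\
interface eth0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
interface eth1
 ip ospf authentication
 ip ospf authentication-key EXAMPLE
!
interface eth2
 ip ospf authentication message-digest
!
router ospf
 network 192.0.2.0/24 area 0.0.0.0
"""

def parse_interfaces(conf_text):
    """Return {interface name: [stanza lines]} for each 'interface' block."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # An unindented line opens a new top-level block.
            m = re.match(r"interface\s+(\S+)", line)
            current = stanzas.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line)
    return stanzas

def audit(conf_text):
    """Return {interface: finding} for stanzas lacking MD5 authentication."""
    findings = {}
    for name, lines in parse_interfaces(conf_text).items():
        has_md = any(re.match(r"ip ospf authentication message-digest\b", l) for l in lines)
        has_key = any(re.match(r"ip ospf message-digest-key \d+ md5 \S+", l) for l in lines)
        if not has_md:
            findings[name] = "message-digest authentication not enabled"
        elif not has_key:
            findings[name] = "message-digest enabled but no key configured"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONF).items():
        print(f"{name}: {finding}")
```

Interfaces that do not run OSPF at all are also reported, so findings should be compared against the `network` statements for the router.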