Bug 1472873 (CVE-2017-3224)
| Field | Value |
|---|---|
| Summary | CVE-2017-3224 quagga: OSPF implementation improperly determines LSA recency (VU#793496) |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Adam Mariš <amaris> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | balajig81, mruprich, msekleta, security-response-team |
| Keywords | Security |
| Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was discovered in several OSPF implementations, including Quagga. A malicious OSPF peer, or an attacker able to spoof messages from an OSPF peer, could send a crafted message that would result in erasure or alteration of the routing table, resulting in denial of service or incorrect routing of traffic. |
| Last Closed | 2017-08-08 01:26:44 UTC |
| Bug Depends On | 1476075 |
| Bug Blocks | 1472881 |

Description
Adam Mariš
2017-07-19 15:00:11 UTC
Acknowledgments:

Name: CERT
Upstream: Adi Sosnovich, Orna Grumberg, Gabi Nakibly

CERT advisory: http://www.kb.cert.org/vuls/id/793496

Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1476075]

Statement:

For an attacker to exploit this vulnerability, they would either need to control an OSPF peer or spoof a message into the routing domain that appears to come from an OSPF peer. The OSPF trust model is not considered robust against malicious or compromised peers influencing the routing table. Message spoofing is effectively prevented by requiring authentication. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

External References:

https://www.kb.cert.org/vuls/id/793496
https://www.quagga.net/docs/quagga.html#ip-ospf-authentication-message_002ddigest

Mitigation:

It is strongly recommended to configure Quagga to require authentication from OSPF peers (e.g. `ip ospf authentication message-digest`). Message digest authentication effectively prevents even a man-in-the-middle attacker from exploiting this vulnerability or otherwise interfering with the routing table, as any message without a proper cryptographic signature will be rejected.
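
One way to check a router against the mitigation above, as an added example that is not part of the bug report or of Quagga: a small audit that reads an `ospfd.conf` and reports interface stanzas that do not require message-digest authentication or have no digest key. The function names and the sample configuration are constructed for illustration; the script assumes stanza commands are indented the way Quagga writes them and does not evaluate area-wide `area ... authentication` settings under `router ospf`.

```python
import re

# Constructed sample ospfd.conf for illustration; key strings are placeholders.
SAMPLE_CONF = """\
interface eth0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 PLACEHOLDER_KEY
!
interface eth1
 ip ospf authentication
 ip ospf authentication-key PLACEHOLDER
!
interface eth2
 ip ospf authentication message-digest
!
interface eth3
 ip ospf cost 10
!
router ospf
 network 192.0.2.0/24 area 0.0.0.0
"""

MD_AUTH = re.compile(r"ip ospf authentication message-digest\b")
MD_KEY = re.compile(r"ip ospf message-digest-key \d+ md5 \S+")

def parse_interfaces(text):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue  # blank lines and comments do not end a stanza
        if raw[0].isspace():
            if current is not None:
                stanzas[current].append(" ".join(line.split()))
        else:
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None  # other top-level blocks are skipped
            if current is not None:
                stanzas.setdefault(current, [])
    return stanzas

def audit(text):
    """Return {interface: finding} for stanzas lacking keyed message-digest auth."""
    findings = {}
    for name, cmds in parse_interfaces(text).items():
        if not any(MD_AUTH.match(c) for c in cmds):
            findings[name] = "message-digest authentication not required"
        elif not any(MD_KEY.match(c) for c in cmds):
            findings[name] = "no message-digest-key configured"
    return findings

if __name__ == "__main__":
    for name, finding in sorted(audit(SAMPLE_CONF).items()):
        print(f"{name}: {finding}")
```

Interfaces that rely only on area-level authentication will be reported here, so treat a finding as a prompt to review that interface rather than as proof it is unauthenticated.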