Bug 1472873 - (CVE-2017-3224) CVE-2017-3224 quagga: OSPF implementation improperly determines LSA recency (VU#793496)
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20170727,repor...
: Security
Depends On: 1476075
Blocks: 1472881
Reported: 2017-07-19 11:00 EDT by Adam Mariš
Modified: 2017-08-07 21:26 EDT

Doc Text:
A vulnerability was discovered in several OSPF implementations, including Quagga. A malicious OSPF peer, or an attacker able to spoof messages from an OSPF peer, could send a crafted message that would result in erasure or alteration of the routing table, resulting in denial of service or incorrect routing of traffic.
Last Closed: 2017-08-07 21:26:44 EDT
Description Adam Mariš 2017-07-19 11:00:11 EDT
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by an LSA must be the same, it is possible with vulnerable OSPF implementations for an attacker to craft an LSA with invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.
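
The RFC 2328 section 13.1 recency comparison described above, as an added example that is not part of the bug report and is not Quagga's code. The struct, function names and sample values are constructed for illustration, and `lsa_checksum_tiebreak` is a hypothetical logging check for the case where the decision rests on the checksum alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OSPF_MAX_AGE      3600  /* MaxAge, seconds (RFC 2328 appendix B) */
#define OSPF_MAX_AGE_DIFF  900  /* MaxAgeDiff, seconds */

/* Constructed minimal view of an LSA header: only the recency fields. */
struct lsa_hdr {
    uint16_t age;       /* LS age */
    int32_t  seq;       /* LS sequence number, compared as signed */
    uint16_t checksum;  /* LS checksum over the LSA contents */
};

/* RFC 2328 13.1: >0 if a is more recent, <0 if b is, 0 if same instance. */
int lsa_recency_cmp(const struct lsa_hdr *a, const struct lsa_hdr *b)
{
    if (a->seq != b->seq)
        return a->seq > b->seq ? 1 : -1;
    if (a->checksum != b->checksum)      /* contents differ, seq does not */
        return a->checksum > b->checksum ? 1 : -1;
    if ((a->age == OSPF_MAX_AGE) != (b->age == OSPF_MAX_AGE))
        return a->age == OSPF_MAX_AGE ? 1 : -1;
    if (abs((int)a->age - (int)b->age) > OSPF_MAX_AGE_DIFF)
        return a->age < b->age ? 1 : -1;
    return 0;
}

/* Hypothetical monitoring check: a received LSA has the same sequence
 * number as the LSDB copy but a different checksum, so recency is decided
 * by the checksum tie-break alone. Worth logging when it occurs. */
int lsa_checksum_tiebreak(const struct lsa_hdr *db, const struct lsa_hdr *rx)
{
    return db->seq == rx->seq && db->checksum != rx->checksum;
}

int main(void)
{
    /* Constructed sample values, not taken from any capture. */
    struct lsa_hdr db = { 120, INT32_MIN + 5, 0x1a2b };
    struct lsa_hdr rx = {   1, INT32_MIN + 5, 0xf00d };
    printf("rx vs db: %d\n", lsa_recency_cmp(&rx, &db));
    printf("tie-break flagged: %d\n", lsa_checksum_tiebreak(&db, &rx));
    return 0;
}
```
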
Comment 1 Adam Mariš 2017-07-19 11:00:15 EDT
Acknowledgments:

Name: CERT
Upstream: Adi Sosnovich, Orna Grumberg, Gabi Nakibly
Comment 5 Doran Moppert 2017-07-25 07:53:08 EDT
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 6 Doran Moppert 2017-07-27 21:36:26 EDT
CERT advisory:

http://www.kb.cert.org/vuls/id/793496
Comment 7 Doran Moppert 2017-07-27 21:36:49 EDT
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1476075]
Comment 8 Adam Mariš 2017-07-28 09:49:06 EDT
External References:

https://www.kb.cert.org/vuls/id/793496
