Bug 1472873 (CVE-2017-3224) - CVE-2017-3224 quagga: OSPF implementation improperly determines LSA recency (VU#793496)
Summary: CVE-2017-3224 quagga: OSPF implementation improperly determines LSA recency (...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-3224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1476075
Blocks: 1472881
TreeView+ depends on / blocked
 
Reported: 2017-07-19 15:00 UTC by Adam Mariš
Modified: 2019-09-29 14:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in several OSPF implementations, including Quagga. A malicious OSPF peer, or an attacker able to spoof messages from an OSPF peer, could send a crafted message that would result in erasure or alteration of the routing table, resulting in denial of service or incorrect routing of traffic.
Clone Of:
Environment:
Last Closed: 2017-08-08 01:26:44 UTC


Attachments (Terms of Use)

Description Adam Mariš 2017-07-19 15:00:11 UTC
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by a LSA must be the same, it is possible with vulnerable OSPF implementations for an attacker to craft a LSA with invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Comment 1 Adam Mariš 2017-07-19 15:00:15 UTC
Acknowledgments:

Name: CERT
Upstream: Adi Sosnovich, Orna Grumberg, Gabi Nakibly

Comment 6 Doran Moppert 2017-07-28 01:36:26 UTC
CERT advisory:

http://www.kb.cert.org/vuls/id/793496

Comment 7 Doran Moppert 2017-07-28 01:36:49 UTC
Created quagga tracking bugs for this issue:

Affects: fedora-all [bug 1476075]

Comment 9 Doran Moppert 2019-04-15 02:52:07 UTC
Statement:

For an attacker to exploit this vulnerability, they would either need to control an OSPF peer or spoof a message into the routing domain that appears to come from an OSPF peer. The OSPF trust model is not considered robust against malicious or compromised peers influencing the routing table. Message spoofing is effectively prevented by requiring authentication.

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 11 Doran Moppert 2019-04-15 02:52:11 UTC
Mitigation:

It is strongly recommended to configure Quagga to require authentication from OSPF peers (eg `ip ospf authentication message-digest `).  Message digest authentication effectively prevents even a man-in-the-middle attacker from exploiting this vulnerability or otherwise interfering with the routing table, as any message without a proper cryptographic signature will be rejected.


Note You need to log in before you can comment on or make changes to this bug.