Friday, August 2, 2013

OSPF LSA Manipulation Vulnerability – 8/1/2013

Vulnerability Details

OSPF LSA Manipulation Vulnerability in Multiple Cisco Products

· Summary

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.
The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.
To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.
OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

· Affected Products

Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

Cisco devices that are running Cisco IOS XE Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of Cisco IOS Software or Cisco IOS XE Software that is running on a Cisco device can be determined using the show version command from the Command Line Interface (CLI). Whether OSPF is enabled can be checked with show ip ospf or by looking for a router ospf section in show running-config.

· Workarounds

The use of OSPF authentication is a valid workaround: OSPF packets that do not carry a valid key are not processed, so an attacker who does not know the key cannot get a crafted LSA accepted. MD5 authentication is highly recommended because plain text authentication has an inherent weakness: the authentication key is sent unencrypted in every OSPF packet, which allows an attacker on the local network segment to capture the key by sniffing traffic and then use it to pass the authentication check.
Refer to http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml for more information about OSPF authentication.
Additionally, an OSPF Time To Live (TTL) security check can be applied as a partial workaround.
Note: The TTL security check protects against remotely triggered attacks only; it does not protect against attackers that are layer 2-adjacent to vulnerable devices, because their packets arrive with the same TTL as a legitimate neighbor's.
For more information about general Interior Gateway Protocol (IGP) hardening, refer to http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094069.shtml.
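As an added illustration (this configuration is not part of the Cisco advisory or of this post), the following Cisco IOS fragment shows the plain text form of OSPF authentication beside the hardened form with MD5 authentication and the TTL security check. The interface name, OSPF process ID, area number, key ID and key strings are assumed placeholders.

```cisco
! Weak: plain text (Type 1) authentication. The key string travels in the
! clear in every OSPF packet on the segment; anyone sniffing Gi0/0 can
! recover it and then pass the authentication check with crafted packets.
interface GigabitEthernet0/0
 ip ospf authentication
 ip ospf authentication-key PlainKey1
!
! Hardened: MD5 (Type 2) authentication. Each packet carries a keyed
! digest and a sequence number instead of the key itself, so sniffing the
! segment does not reveal the key. Key ID 1 and the key string are assumed.
interface GigabitEthernet0/0
 no ip ospf authentication-key
 ip ospf message-digest-key 1 md5 S3cureKeyString
 ip ospf authentication message-digest
!
router ospf 1
 ! Require message-digest authentication for every interface in area 0,
 ! so an interface added later cannot silently run unauthenticated.
 area 0 authentication message-digest
 ! Partial workaround: OSPF neighbors send with IP TTL 255; packets that
 ! have been forwarded from farther away arrive with a lower TTL and are
 ! dropped. This does nothing against a sender on the same segment.
 ttl-security all-interfaces
!
! Verification: the interface should report message-digest authentication,
! and the adjacency should return to FULL once both ends share the same
! key ID and key string (it stays down while the keys mismatch).
! show ip ospf interface GigabitEthernet0/0
! show ip ospf neighbor
```

Change the key on both ends of every adjacency together; a neighbor that still runs plain text or no authentication will drop out of FULL state until it is reconfigured, which is the expected effect, not a fault in the configuration.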

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=29974
