-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2013-0063

Title: OSPF LSA Manipulation Vulnerability in Multiple Cisco Products

Version history:
02.08.2013 Initial publication

Summary
=======

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

CVSS Base Score - 5.8
CVSS Temporal Score - 4.8

Affected Products and Versions:
==============================

The following products running a vulnerable version of code are affected by this vulnerability:

Cisco IOS Software

Cisco devices that are running Cisco IOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

Note: This vulnerability can only be triggered by targeting the OSPF multicast address or directly targeting interfaces that are OSPF enabled. OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

Cisco IOS-XE Software

Cisco devices that are running Cisco IOS XE Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of Cisco IOS-XE Software that is running on a Cisco device can be determined using the show version command from the Command Line Interface (CLI).

Cisco Adaptive Security Appliance (ASA), Cisco ASA Service Module (ASA-SM) and Cisco PIX Firewall

Cisco devices that are running Cisco ASA or Cisco PIX Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of software that is running on a Cisco ASA, Cisco ASA-SM or Cisco PIX security appliances can be determined using the show version command from the CLI.

Cisco Firewall Services Module (FWSM)

Cisco devices that are running Cisco FWSM Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of software that is running on a Cisco FWSM can be determined using the show version command from the CLI.

Cisco NX-OS Software

Cisco devices that are running Cisco NX-OS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of Cisco NX-OS Software that is running on Cisco Nexus 3000, 5000, 6000 and 7000 series devices can be determined using the show version command from the CLI.

Exploiting the vulnerability on a Cisco Nexus device will not affect the local routing table of Cisco Nexus. However, the Cisco Nexus devices will install and propagate the crafted LSA to other devices in the OSPF area. Such crafted LSA propagated to other routers that are part of the same OSPF AS may affect the routing tables across the OSPF AS.

Note: Cisco Nexus 1000v Series is not affected by this vulnerability.

Cisco ASR 5000

Cisco devices that are running Cisco StarOS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.

The version of software that is running on a Cisco ASR 5000 can be determined using the show version command from the CLI.

Original details:
================

OSPF is a routing protocol defined by RFC 2328. It is designed to manage IP routing inside an AS. OSPF packets use IP protocol number 89.

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability.

Network devices running the OSPF protocol may be impacted by this vulnerability if they receive a crafted LSA type 1 packet. This packet does not have to be acknowledged, and it can originate from a spoofed IP address.

In order to exploit this vulnerability, an attacker needs to determine a number of factors, such as the network placement and IP address of the target router, LSA DB sequence numbers, and the router ID of the OSPF Designated Router (DR).
An attacker needs to know all of the factors in order to exploit this vulnerability.

Since OSPF processes unicast packets as well as multicast packets, this vulnerability can be exploited remotely and can be used to target multiple systems on the local segment simultaneously.

Using OSPF authentication as described in the Workarounds section can mitigate the effects of this vulnerability. Using OSPF authentication is a highly recommended security best practice, regardless of the presence of this vulnerability.

Refer to http://www.cisco.com/en/US/docs/ios/iproute_ospf/configuration/guide/iro_cfg.html#wp1054174 for more information about Configuring OSPF.

Once processed, a crafted LSA type 1 packet may cause a directly targeted router to flush the content of its routing table and propagate the crafted LSA update throughout the OSPF area. OSPF member routers of the same area would be affected by processing and installing a crafted LSA type 1 packet propagated by the victim router. This may lead to a number of consequences, such as the injection of false routes into the OSPF routing table, the blackholing of traffic, or redirecting of traffic to a destination that is controlled by an attacker.

In order to recover affected systems, administrators can delete the OSPF configuration from the affected device and enable it again. Alternatively, a reload is required to recover affected systems. Clearing the OSPF process or routing table by means of commands such as clear ip ospf process or clear ip route does not have any effect and cannot be used to recover affected systems.

Note: All unfixed versions of Cisco IOS Software, Cisco IOS XE Software, Cisco ASA Software, Cisco PIX Software and Cisco FWSM Software are affected by this vulnerability. A targeted device running affected software will flush the contents of its routing table and propagate the crafted LSA packet throughout the OSPF area.

What can you do?
================

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available [1][2].

What to tell your users?
========================

N/A

More information
================

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
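
Added example, not part of the CERT-EU or Cisco advisory text: a passive check over captured OSPFv2 packets (IP protocol 89) that flags Link State Update packets carrying type 1 LSAs when they lack the expected authentication type, come from a source outside the known neighbor set, or are addressed unicast. The neighbor allowlist, the required AuType of 2, the finding names and the sample packets are assumptions constructed for illustration; the header layouts follow RFC 2328.

```python
import struct
from ipaddress import IPv4Address

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")  # RFC 2328 A.3.1: 24-byte packet header
LSA_HDR = struct.Struct("!HBB4s4sIHH")    # RFC 2328 A.4.1: 20-byte LSA header
LS_UPDATE, ROUTER_LSA = 4, 1              # packet type 4, LS type 1
MULTICAST = {"224.0.0.5", "224.0.0.6"}    # AllSPFRouters, AllDRouters

def audit_ospf(src, dst, payload, neighbors, required_autype=2):
    """Findings for one captured IP-protocol-89 payload carrying type 1 LSAs."""
    if len(payload) < OSPF_HDR.size + 4:
        return ["truncated"]
    ver, ptype, _len, _rid, _area, _ck, autype, _auth = OSPF_HDR.unpack_from(payload)
    if ver != 2 or ptype != LS_UPDATE:    # OSPFv3 is not affected per the advisory
        return []
    (count,) = struct.unpack_from("!I", payload, OSPF_HDR.size)
    off, advertisers = OSPF_HDR.size + 4, []
    for _ in range(count):
        if off + LSA_HDR.size > len(payload):
            return ["truncated"]
        _age, _opt, ls_type, _lsid, adv, _seq, _ck, length = LSA_HDR.unpack_from(payload, off)
        if length < LSA_HDR.size:
            return ["bad-lsa-length"]
        if ls_type == ROUTER_LSA:
            advertisers.append(str(IPv4Address(adv)))
        off += length
    if not advertisers:                   # only type 1 LSAs are relevant here
        return []
    findings = []
    if autype != required_autype:         # 0 = null, 1 = simple password, 2 = cryptographic
        findings.append(f"autype-{autype}")
    if src not in neighbors:              # source may be spoofed or off-segment
        findings.append("unknown-source")
    if dst not in MULTICAST:              # unicast delivery, worth a second look
        findings.append("unicast")
    return findings

def sample(autype, lsa_types):
    """Constructed header-only fixture (checksums zeroed), not a real capture."""
    rid = IPv4Address("192.0.2.1").packed
    lsas = b"".join(LSA_HDR.pack(1, 2, t, rid, rid, 0x80000001, 0, 20) for t in lsa_types)
    body = struct.pack("!I", len(lsa_types)) + lsas
    return OSPF_HDR.pack(2, LS_UPDATE, 24 + len(body), rid, bytes(4), 0, autype, bytes(8)) + body

NEIGHBORS = {"192.0.2.1", "192.0.2.2"}    # assumed adjacency allowlist for this segment
```

An empty result means the packet is either out of scope or consistent with the assumed policy; this check does not validate checksums or the authentication digest itself.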