Vulnerability Note VU#228186

Hot Standby Router Protocol (HSRP) uses weak authentication

Original Release date: 13 Dec 2001 | Last revised: 18 Dec 2001

Overview

A denial-of-service vulnerability exists in the Hot Standby Router Protocol (HSRP) .

Description

HSRP is a protocol designed to provide transparent recovery of routing services when failures occur. Quoting from RFC2281 (the RFC describing the Hot Standby Router Protocol):

    The Hot Standby Router Protocol, HSRP, provides a mechanism which is designed to support nondisruptive failover of IP traffic in certain circumstances. In particular, the protocol protects against the failure of the first hop router when the source host cannot learn the IP address of the first hop router dynamically. The protocol is designed for use over multi-access, multicast or broadcast capable LANs (e.g., Ethernet). HSRP is not intended as a replacement for existing dynamic router discovery mechanisms and those protocols should be used instead whenever possible . A large class of legacy host implementations that do not support dynamic discovery are capable of configuring a default router. HSRP provides failover services to those hosts.

The following diagram depicts the topology of an IP network with two routers configured to use HSRP.


    Our thanks to Cisco for permission to use this diagram.
      HSRP-enabled routers operate by exchanging multicast messages amongst themselves that advertise their priority levels. By exchanging these messages, the participating routers determine which one of them is the default active router. The default priority level is typically 100, so if one of the participating routers is configured to have a priority of 101, that router will be the default active router. All HSRP-participating routers send a "hello" message using multicast every three seconds. If the default active router fails to send a "hello" message, the standby router with the next-highest priority will assume the role of being the active router. Because of this design flaw, it is possible for an attacker located on the same network segment as the routers participating in HSRP to disrupt network traffic. The vulnerability is best summarized in RFC2281:
        This protocol does not provide security. The authentication field found within the message is useful for preventing misconfiguration. The protocol is easily subverted by an active intruder on the LAN. This can result in a packet black hole and a denial-of-service attack. It is difficult to subvert the protocol from outside the LAN as most routers will not forward packets addressed to the all-routers multicast address (224.0.0.2).

      Impact

      An attacker located on the same LAN segment as the routers using HSRP can disrupt legitimate network traffic resulting in a denial-of-service attack against the network infrastructure for which the participating routers are responsible for.

      Solution

      The CERT/CC is currently unaware of a practical solution to this problem.

      Workaround

      Use HSRP in combination with IPsec as described in Advanced IPSec Deployment Scenarios.

      Systems Affected (Learn More)

      VendorStatusDate NotifiedDate Updated
      CiscoAffected-13 Dec 2001
      If you are a vendor and your product is affected, let us know.

      CVSS Metrics (Learn More)

      Group Score Vector
      Base N/A N/A
      Temporal N/A N/A
      Environmental N/A N/A

      References

      Credit

      The CERT/CC thanks Cisco Systems for their help in understanding this vulnerability.

      This document was written by Ian A. Finlay.

      Other Information

      • CVE IDs: CAN-2001-0741
      • Date Public: 01 Mar 98
      • Date First Published: 13 Dec 2001
      • Date Last Updated: 18 Dec 2001
      • Severity Metric: 6.33
      • Document Revision: 85

      Feedback

      If you have feedback, comments, or additional information about this vulnerability, please send us email.