Juniper Networks, Inc. Information for VU#229804

Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers

Status

Affected

Vendor Statement

    LEGACY ADVISORY ID:
    PSN-2013-08-987

    PRODUCT AFFECTED:
    All Juniper Networks platforms running Junos Operating System software, JunosE Operating System software, and ScreenOS software

    PROBLEM:
    A vulnerability has been discovered in the OSPF (Open Shortest Path First) protocol that allows a remote attacker to insert, update, or delete routes in the OSPF database. Juniper has worked to provide fixes for all supported code that is vulnerable to this issue.

    The issue lies in the OSPF protocol (RFC 2328: http://www.rfc-editor.org/rfc/rfc2328.txt). OSPF does not specify that the 'Link State ID' and 'Advertising Router' fields need to match when a router receives an OSPF link-state advertisement (LSA). This limitation of the protocol specification would allow for an attacker to inject false routes into the OSPF database. This issue doesn't exist if the OSPF configuration of a router is set to use MD5 Authentication, or if a filter is used to block external parties from sending OSPF link-state update (LSU) packets. This issue also does not apply to passive OSPF interfaces or interfaces that are not configured for OSPF.

    This issue was discovered by an external security researcher.

    No other Juniper Networks products or platforms are affected by this issue.

    This issue has been assigned CVE-2013-0149.

    SOLUTION:
    Releases that contain (or will contain) the fix specifically include: 13.1R3, 13.2X50-D10, 12.3R3, 12.2R5, 12.1R7, 12.1X45-D10, 12.1X44-D15, 11.4R8, 10.4R15, and all subsequent releases. In addition, all Junos OS software releases built on or after 2013-07-25 will also have fixed this specific issue.

    Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

    All JunosE software releases built on or after 2013-07-25 have fixed this specific issue. Please contact JTAC to request a patch or hotfix for fixes on all other supported releases of code.

    Software updates to ScreenOS have been released to resolve this issue. Releases containing the fix include ScreenOS 5.4.0r28a, 6.2.0r17a, and 6.3.0r14a.

    This issue is being tracked as PR 878639 (Junos), CQ95773 (JunosE), and PR 895456 (ScreenOS).

    KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

    WORKAROUND:
    Juniper recommends that customers use MD5 authentication when configuring OSPF. MD5 authentication completely mitigates this issue as the router will not accept an LSA without the correct MD5 auth value.

    It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters on physical interfaces (not loopback) to limit access to the router via OSPF unless necessary.

    Customers who wish to request a hotfix for this issue on JunosE may do so by contacting JTAC.

    IMPLEMENTATION:

    RELATED LINKS:
    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
    KB16765: In which releases are vulnerabilities fixed?
    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.
    Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
    CVE-2013-0149

    CVSS SCORE:
    7.8 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

    RISK LEVEL:
    High

    RISK ASSESSMENT:
    This issue could allow a remote attacker the ability to modify an OSPF database. For the issue to take place, the attacker would need to have unfiltered access to an OSPF interface that is not using MD5 authentication. The attacker would be able to add routes, overwrite routes, and also clear the OSPF database. This attack could potentially allow an attacker to cause a denial of service or reroute traffic.

    ACKNOWLEDGEMENTS:
    Juniper SIRT would like to acknowledge and thank Gabi Nakibly for responsibly reporting this vulnerability to CERT/CC who coordinated the multi-vendor response.
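
A detection-side check for the field mismatch described under PROBLEM, as an added example that is not part of Juniper's statement or of any Juniper software. It parses an OSPFv2 Link State Update and reports router-LSAs (LS type 1) whose Link State ID differs from the Advertising Router, along with whether the packet used cryptographic authentication. Limiting the check to LS type 1 is an assumption taken from RFC 2328, which sets a router-LSA's Link State ID to the originating router's ID; the function names and sample addresses are hypothetical.

```python
import struct
import ipaddress

OSPF_HDR = struct.Struct("!BBH4s4sHH8s")   # RFC 2328 A.3.1 packet header, 24 bytes
LSA_HDR = struct.Struct("!HBB4s4sIHH")     # RFC 2328 A.4.1 LSA header, 20 bytes
LS_UPDATE, ROUTER_LSA, AU_CRYPTO = 4, 1, 2  # packet type, LS type, AuType values


def audit_ls_update(ospf: bytes) -> list[dict]:
    """Report router-LSAs whose Link State ID != Advertising Router.

    `ospf` is an OSPFv2 packet starting at the OSPF header (IP header removed).
    """
    if len(ospf) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    version, ptype, plen, _rid, _area, _ck, autype, _auth = OSPF_HDR.unpack_from(ospf)
    if version != 2 or ptype != LS_UPDATE:
        return []
    end = min(plen, len(ospf))  # the length field excludes a trailing MD5 digest
    if end < OSPF_HDR.size + 4:
        raise ValueError("truncated LS Update body")
    (count,) = struct.unpack_from("!I", ospf, OSPF_HDR.size)
    off, findings = OSPF_HDR.size + 4, []
    for _ in range(count):
        if off + LSA_HDR.size > end:
            raise ValueError("LSA header runs past packet end")
        _age, _opt, ls_type, ls_id, adv, _seq, _ck, lsa_len = LSA_HDR.unpack_from(ospf, off)
        if lsa_len < LSA_HDR.size or off + lsa_len > end:
            raise ValueError("bad LSA length")
        if ls_type == ROUTER_LSA and ls_id != adv:
            findings.append({
                "link_state_id": str(ipaddress.IPv4Address(ls_id)),
                "advertising_router": str(ipaddress.IPv4Address(adv)),
                "authenticated": autype == AU_CRYPTO,
            })
        off += lsa_len
    return findings


def build_sample(lsas, autype=0):
    """Constructed parser input: header-only LSAs with zeroed checksums."""
    body = struct.pack("!I", len(lsas))
    for ls_type, ls_id, adv in lsas:
        body += LSA_HDR.pack(1, 0x02, ls_type, ipaddress.IPv4Address(ls_id).packed,
                             ipaddress.IPv4Address(adv).packed, 0x80000001, 0, LSA_HDR.size)
    hdr = OSPF_HDR.pack(2, LS_UPDATE, OSPF_HDR.size + len(body),
                        ipaddress.IPv4Address("192.0.2.1").packed, bytes(4), 0, autype, bytes(8))
    return hdr + body
```

A finding with `authenticated` set to false on an interface that should be using MD5 authentication points at both the mismatch and the missing workaround.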

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Vendor References

    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10582&cat=SIRT_1&actp=LIST

    Addendum

    There are no additional comments at this time.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.