Vulnerability Note VU#793496
Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.
CWE-354: Improper Validation of Integrity Check Value
Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by a LSA must be the same when prematurely aging a self-originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft a LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.
Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.
Vendor Information (Learn More)
As an implementation vulnerability, CVE IDs are assigned for each known affected codebase:
|Vendor||Status||Date Notified||Date Updated|
|Cisco||Affected||12 May 2017||08 Aug 2017|
|Lenovo||Affected||12 May 2017||17 Jul 2017|
|openSUSE project||Affected||12 May 2017||25 Jul 2017|
|Quagga||Affected||17 Jul 2017||26 Jul 2017|
|Red Hat, Inc.||Affected||12 May 2017||25 Jul 2017|
|SUSE Linux||Affected||12 May 2017||25 Jul 2017|
|Apple||Not Affected||12 May 2017||05 Jun 2017|
|Arista Networks, Inc.||Not Affected||12 May 2017||17 Jul 2017|
|CoreOS||Not Affected||12 May 2017||12 May 2017|
|D-Link Systems, Inc.||Not Affected||12 May 2017||17 Aug 2017|
|FreeBSD Project||Not Affected||12 May 2017||18 Jul 2017|
|HTC||Not Affected||12 May 2017||23 May 2017|
|Huawei Technologies||Not Affected||12 May 2017||26 Jul 2017|
|Intel Corporation||Not Affected||12 May 2017||17 Jul 2017|
|Juniper Networks||Not Affected||12 May 2017||17 Jul 2017|
CVSS Metrics (Learn More)
Thanks to Adi Sosnovich, Orna Grumberg, and Gabi Nakibly for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2017-3224 CVE-2017-3752 CVE-2017-6770
- Date Public: 27 Jul 2017
- Date First Published: 27 Jul 2017
- Date Last Updated: 18 Oct 2017
- Document Revision: 35
If you have feedback, comments, or additional information about this vulnerability, please send us email.