search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Open Shortest Path First (OSPF) protocol implementations may improperly determine LSA recency

Vulnerability Note VU#793496

Original Release Date: 2017-07-27 | Last Revised: 2017-10-18

Overview

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency for LSAs with MaxSequenceNumber. Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to poison routing tables within the domain.

Description

CWE-354: Improper Validation of Integrity Check Value

Open Shortest Path First (OSPF) protocol implementations may improperly determine Link State Advertisement (LSA) recency with MaxSequenceNumber. According to RFC 2328 section 13.1, for two instances of the same LSA, recency is determined by first comparing sequence numbers, then checksums, and finally MaxAge. In a case where the sequence numbers are the same, the LSA with the larger checksum is considered more recent, and will not be flushed from the Link State Database (LSDB). Since the RFC does not explicitly state that the values of links carried by a LSA must be the same when prematurely aging a self-originating LSA with MaxSequenceNumber, it is possible in vulnerable OSPF implementations for an attacker to craft a LSA with MaxSequenceNumber and invalid links that will result in a larger checksum and thus a 'newer' LSA that will not be flushed from the LSDB. Propagation of the crafted LSA can result in the erasure or alteration of the routing tables of routers within the routing domain, creating a denial of service condition or the re-routing of traffic on the network.

Impact

Attackers with the ability to transmit messages from a routing domain router may send specially crafted OSPF messages to erase or alter the routing tables of routers within the domain, resulting in denial of service or the re-routing of traffic on the network.

Solution

Install Updates

The OSPF protocol is a popular interior routing protocol that is used by many devices and manufacturers. This vulnerability is implementation-specific, so some vendors may not be affected. The Vendor Information section below contains known affected or non-affected vendors. Please consult your network equipment vendor to confirm how they are affected by this vulnerability.

Vendor Information

As an implementation vulnerability, CVE IDs are assigned for each known affected codebase:

    • CVE-2017-3224 has been reserved for Quagga and downstream implementations (SUSE, openSUSE, and Red Hat packages).
    • CVE-2017-3752 describes this vulnerability in affected Lenovo products.
    • CVE-2017-6770 describes this vulnerability in affected Cisco products.

793496
 
Affected   Unknown   Unaffected

Cisco

Notified:  May 12, 2017 Updated:  August 08, 2017

Statement Date:   July 26, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2017-6770 describes this vulnerability in affected Cisco products.

Vendor References

Lenovo

Notified:  May 12, 2017 Updated:  July 17, 2017

Statement Date:   July 17, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2017-3752 describes this vulnerability in affected Lenovo products.

Vendor References

Quagga

Notified:  July 17, 2017 Updated:  July 26, 2017

Statement Date:   July 25, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2017-3224 has been assigned for Quagga's affected ospfd implementation.

Red Hat, Inc.

Notified:  May 12, 2017 Updated:  July 25, 2017

Statement Date:   May 15, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2017-3224, reserved for Quagga, also applies to derivative affected Red Hat packages.

SUSE Linux

Notified:  May 12, 2017 Updated:  July 25, 2017

Statement Date:   May 16, 2017

Status

  Affected

Vendor Statement

SUSE and openSUSE package quagga and are affected by the issue

Vendor Information

CVE-2017-3224, reserved for Quagga, also applies to the affected SUSE and openSUSE packages.

openSUSE project

Notified:  May 12, 2017 Updated:  July 25, 2017

Statement Date:   May 16, 2017

Status

  Affected

Vendor Statement

SUSE and openSUSE package quagga and are affected by the issue

Vendor Information

CVE-2017-3224, reserved for Quagga, also applies to the affected SUSE and openSUSE packages.

Apple

Notified:  May 12, 2017 Updated:  June 05, 2017

Statement Date:   June 02, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  May 12, 2017 Updated:  July 17, 2017

Statement Date:   July 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  May 12, 2017 Updated:  May 12, 2017

Statement Date:   May 12, 2017

Status

  Not Affected

Vendor Statement

CoreOS's products are not vulnerable to this exploit.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  May 12, 2017 Updated:  August 17, 2017

Statement Date:   August 16, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  May 12, 2017 Updated:  July 18, 2017

Statement Date:   May 13, 2017

Status

  Not Affected

Vendor Statement

The FreeBSD base system do not ship with an OSPF, therefore we consider our product as "Not affected".

We do ship several third party OSPF routing implementations as add-on software (packages) and will keep an eye on these.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

HTC

Notified:  May 12, 2017 Updated:  May 23, 2017

Statement Date:   May 18, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies

Notified:  May 12, 2017 Updated:  July 26, 2017

Statement Date:   July 26, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  May 12, 2017 Updated:  July 17, 2017

Statement Date:   July 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks

Notified:  May 12, 2017 Updated:  July 17, 2017

Statement Date:   July 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MikroTik

Updated:  September 27, 2017

Statement Date:   September 27, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure64 Software Corporation

Notified:  May 12, 2017 Updated:  July 19, 2017

Statement Date:   July 18, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Technicolor

Updated:  October 18, 2017

Statement Date:   October 18, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  May 12, 2017 Updated:  May 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  May 12, 2017 Updated:  May 12, 2017

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  May 12, 2017 Updated:  May 12, 2017

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Alpine Linux

        Notified:  August 28, 2017 Updated:  August 28, 2017

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Amazon

          Notified:  August 28, 2017 Updated:  August 28, 2017

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Android Open Source Project

            Notified:  May 12, 2017 Updated:  May 12, 2017

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Arch Linux

              Notified:  August 28, 2017 Updated:  August 28, 2017

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Aruba Networks

                Notified:  May 12, 2017 Updated:  May 12, 2017

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  AsusTek Computer Inc.

                  Notified:  August 28, 2017 Updated:  August 28, 2017

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Avaya, Inc.

                    Notified:  May 12, 2017 Updated:  May 12, 2017

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Barnes and Noble

                      Notified:  August 28, 2017 Updated:  August 28, 2017

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Barracuda Networks

                        Notified:  August 28, 2017 Updated:  August 28, 2017

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Belkin, Inc.

                          Notified:  May 12, 2017 Updated:  May 12, 2017

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            Blue Coat Systems

                            Notified:  August 28, 2017 Updated:  August 28, 2017

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Brocade Communication Systems

                              Notified:  July 17, 2017 Updated:  July 17, 2017

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                CA Technologies

                                Notified:  August 28, 2017 Updated:  August 28, 2017

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  CMX Systems

                                  Notified:  August 28, 2017 Updated:  August 28, 2017

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    CentOS

                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Check Point Software Technologies

                                      Notified:  May 12, 2017 Updated:  May 12, 2017

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Contiki OS

                                        Notified:  August 28, 2017 Updated:  August 28, 2017

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Debian GNU/Linux

                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Dell

                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              DesktopBSD

                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                DragonFly BSD Project

                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  EMC Corporation

                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    ENEA

                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      EfficientIP SAS

                                                      Notified:  May 12, 2017 Updated:  May 12, 2017

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Ericsson

                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          European Registry for Internet Domains

                                                          Notified:  August 28, 2017 Updated:  August 28, 2017

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Extreme Networks

                                                            Notified:  August 28, 2017 Updated:  August 28, 2017

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              F5 Networks, Inc.

                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Fedora Project

                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Force10 Networks

                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Fortinet, Inc.

                                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      Foundry Brocade

                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        GNU adns

                                                                        Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          GNU glibc

                                                                          Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            Gentoo Linux

                                                                            Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              Google

                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                HardenedBSD

                                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Hewlett Packard Enterprise

                                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Hitachi

                                                                                    Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      IBM Corporation

                                                                                      Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        Infoblox

                                                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          Internet Systems Consortium

                                                                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Internet Systems Consortium - DHCP

                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              JH Software

                                                                                              Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                Joyent

                                                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  Kyocera Communications

                                                                                                  Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    LG Electronics

                                                                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      Lynx Software Technologies

                                                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        McAfee

                                                                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Microchip Technology

                                                                                                          Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Microsoft Corporation

                                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              Motorola, Inc.

                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                NEC Corporation

                                                                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  NLnet Labs

                                                                                                                  Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    NetBSD

                                                                                                                    Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Netgear, Inc.

                                                                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        Nexenta

                                                                                                                        Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          Nokia

                                                                                                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Nominum

                                                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              OmniTI

                                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                OpenBSD

                                                                                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  OpenDNS

                                                                                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    OpenIndiana

                                                                                                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Openwall GNU/*/Linux

                                                                                                                                      Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Oracle Corporation

                                                                                                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          Oryx Embedded

                                                                                                                                          Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Peplink

                                                                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Philips Electronics

                                                                                                                                              Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                PowerDNS

                                                                                                                                                Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  QNX Software Systems Inc.

                                                                                                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    QUALCOMM Incorporated

                                                                                                                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      Quadros Systems

                                                                                                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                      Status

                                                                                                                                                        Unknown

                                                                                                                                                      Vendor Statement

                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                      Vendor References

                                                                                                                                                        ReactOS

                                                                                                                                                        Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                        Status

                                                                                                                                                          Unknown

                                                                                                                                                        Vendor Statement

                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                        Vendor References

                                                                                                                                                          Rocket RTOS

                                                                                                                                                          Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                          Status

                                                                                                                                                            Unknown

                                                                                                                                                          Vendor Statement

                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                          Vendor References

                                                                                                                                                            SafeNet

                                                                                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                            Status

                                                                                                                                                              Unknown

                                                                                                                                                            Vendor Statement

                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                            Vendor References

                                                                                                                                                              Samsung Mobile

                                                                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                              Status

                                                                                                                                                                Unknown

                                                                                                                                                              Vendor Statement

                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                              Vendor References

                                                                                                                                                                Slackware Linux Inc.

                                                                                                                                                                Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                Status

                                                                                                                                                                  Unknown

                                                                                                                                                                Vendor Statement

                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                Vendor References

                                                                                                                                                                  SmoothWall

                                                                                                                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                  Status

                                                                                                                                                                    Unknown

                                                                                                                                                                  Vendor Statement

                                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                  Vendor References

                                                                                                                                                                    Snort

                                                                                                                                                                    Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                    Status

                                                                                                                                                                      Unknown

                                                                                                                                                                    Vendor Statement

                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                    Vendor References

                                                                                                                                                                      Sony Corporation

                                                                                                                                                                      Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                      Status

                                                                                                                                                                        Unknown

                                                                                                                                                                      Vendor Statement

                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                      Vendor References

                                                                                                                                                                        Sourcefire

                                                                                                                                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                        Status

                                                                                                                                                                          Unknown

                                                                                                                                                                        Vendor Statement

                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                        Vendor References

                                                                                                                                                                          Symantec

                                                                                                                                                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                          Status

                                                                                                                                                                            Unknown

                                                                                                                                                                          Vendor Statement

                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                          Vendor References

                                                                                                                                                                            TCPWave

                                                                                                                                                                            Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                            Status

                                                                                                                                                                              Unknown

                                                                                                                                                                            Vendor Statement

                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                            Vendor References

                                                                                                                                                                              TippingPoint Technologies Inc.

                                                                                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                              Status

                                                                                                                                                                                Unknown

                                                                                                                                                                              Vendor Statement

                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                              Vendor References

                                                                                                                                                                                Tizen

                                                                                                                                                                                Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                Status

                                                                                                                                                                                  Unknown

                                                                                                                                                                                Vendor Statement

                                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                Vendor References

                                                                                                                                                                                  TrueOS

                                                                                                                                                                                  Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                  Status

                                                                                                                                                                                    Unknown

                                                                                                                                                                                  Vendor Statement

                                                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                  Vendor References

                                                                                                                                                                                    Turbolinux

                                                                                                                                                                                    Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                    Status

                                                                                                                                                                                      Unknown

                                                                                                                                                                                    Vendor Statement

                                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                    Vendor References

                                                                                                                                                                                      Ubiquiti Networks

                                                                                                                                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                      Status

                                                                                                                                                                                        Unknown

                                                                                                                                                                                      Vendor Statement

                                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                      Vendor References

                                                                                                                                                                                        Ubuntu

                                                                                                                                                                                        Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                        Status

                                                                                                                                                                                          Unknown

                                                                                                                                                                                        Vendor Statement

                                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                        Vendor References

                                                                                                                                                                                          Unisys

                                                                                                                                                                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                          Status

                                                                                                                                                                                            Unknown

                                                                                                                                                                                          Vendor Statement

                                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                          Vendor References

                                                                                                                                                                                            VMware

                                                                                                                                                                                            Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                            Status

                                                                                                                                                                                              Unknown

                                                                                                                                                                                            Vendor Statement

                                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                            Vendor References

                                                                                                                                                                                              Wind River

                                                                                                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                              Status

                                                                                                                                                                                                Unknown

                                                                                                                                                                                              Vendor Statement

                                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                              Vendor References

                                                                                                                                                                                                WizNET Technology

                                                                                                                                                                                                Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                Status

                                                                                                                                                                                                  Unknown

                                                                                                                                                                                                Vendor Statement

                                                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                Vendor References

                                                                                                                                                                                                  Xiaomi

                                                                                                                                                                                                  Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                  Status

                                                                                                                                                                                                    Unknown

                                                                                                                                                                                                  Vendor Statement

                                                                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                  Vendor References

                                                                                                                                                                                                    Xilinx

                                                                                                                                                                                                    Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                    Status

                                                                                                                                                                                                      Unknown

                                                                                                                                                                                                    Vendor Statement

                                                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                    Vendor References

                                                                                                                                                                                                      Zephyr Project

                                                                                                                                                                                                      Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                      Status

                                                                                                                                                                                                        Unknown

                                                                                                                                                                                                      Vendor Statement

                                                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                      Vendor References

                                                                                                                                                                                                        ZyXEL

                                                                                                                                                                                                        Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                        Status

                                                                                                                                                                                                          Unknown

                                                                                                                                                                                                        Vendor Statement

                                                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                        Vendor References

                                                                                                                                                                                                          dnsmasq

                                                                                                                                                                                                          Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                                          Status

                                                                                                                                                                                                            Unknown

                                                                                                                                                                                                          Vendor Statement

                                                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                          Vendor References

                                                                                                                                                                                                            gdnsd

                                                                                                                                                                                                            Notified:  August 28, 2017 Updated:  August 28, 2017

                                                                                                                                                                                                            Status

                                                                                                                                                                                                              Unknown

                                                                                                                                                                                                            Vendor Statement

                                                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                            Vendor References

                                                                                                                                                                                                              m0n0wall

                                                                                                                                                                                                              Notified:  May 12, 2017 Updated:  May 12, 2017

                                                                                                                                                                                                              Status

                                                                                                                                                                                                                Unknown

                                                                                                                                                                                                              Vendor Statement

                                                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                              Vendor References

                                                                                                                                                                                                                View all 121 vendors View less vendors


                                                                                                                                                                                                                CVSS Metrics

                                                                                                                                                                                                                Group Score Vector
                                                                                                                                                                                                                Base 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P
                                                                                                                                                                                                                Temporal 4.9 E:POC/RL:ND/RC:C
                                                                                                                                                                                                                Environmental 3.6 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

                                                                                                                                                                                                                References

                                                                                                                                                                                                                Acknowledgements

                                                                                                                                                                                                                Thanks to Adi Sosnovich, Orna Grumberg, and Gabi Nakibly for reporting this vulnerability.

                                                                                                                                                                                                                This document was written by Joel Land.

                                                                                                                                                                                                                Other Information

                                                                                                                                                                                                                CVE IDs: CVE-2017-3224, CVE-2017-3752, CVE-2017-6770
                                                                                                                                                                                                                Date Public: 2017-07-27
                                                                                                                                                                                                                Date First Published: 2017-07-27
                                                                                                                                                                                                                Date Last Updated: 2017-10-18 14:19 UTC
                                                                                                                                                                                                                Document Revision: 35

                                                                                                                                                                                                                Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.