On 8/4/13, Saku Ytti <saku@ytti.fi> wrote:
On (2013-08-03 18:38 -0500), Jimmy Hess wrote:
That's not news to me, but fully expected. Do the vendors /really/ have a code fix to what would seem to be an inherent problem; if you failed to properly secure your OSPF implementation (via MD5 authentication)? It is news to me. It's design flaw in the protocol itself which has gone unnoticed for two decades and I would have naively fully expected that this flaw does not exist in standard.
I would say the risk score of the advisory is overstated. And if you think "ospf is secure" against LAN activity after any patch, that would be wishful thinking. Someone just rediscovered one of the countless innumerable holes in the back of the cardboard box and tried covering it with duck tape... What is the rationale for overlooking or ignoring the possibility that an attacker can introduce a device with /faithful/ correct implementation of the protocol with bad/malicious data intentionally advertised by the "Rogue speaker" ? This could be as simple as inserting a real router (which can be just a piece of software) on a broadcast LAN with a proper OSPF implementation but malicious configuration -- in that routes configured for advertisement are bogus ones, or a router ID is intentionally chosen to conflict with the router ID of another device. In addition, the rogue router, can be configured such that it forces an election and becomes the DR. Just a few examples -- -JH