OSPF Vulnerability - Owning the Routing Table
Hi,

Does anybody have details on what this vulnerability is?

https://www.blackhat.com/us-13/briefings.html#Nakibly

Glen
Could it be related to: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s... announced very recently? There is a little more information here than in your link, but not enough to go out and reproduce the problem.
Cisco published an advisory on an OSPF vulnerability yesterday I think. I assume it's related.

OSPFv3 is not vulnerable, and connections protected by MD5 are safe too, apparently.

Aled
On 8/2/13, Aled Morris <aledm@qix.co.uk> wrote:
> Cisco published an advisory on an OSPF vulnerability yesterday I think. I assume it's related.

OSPF is a dynamic routing protocol. It automatically discovers neighbors on a multi-access segment claiming to be routers.

In what way could it possibly be unexpected that an attacker can pose as a router and inject false routes, if that attacker is able to emit multicast to the OSPF multicast address onto a LAN speaking OSPF? That's not news to me, but fully expected. Do the vendors /really/ have a code fix to what would seem to be an inherent problem, if you failed to properly secure your OSPF implementation (via MD5 authentication)?

> OSPFv3 is not vulnerable, and connections protected by MD5 are safe too, apparently.
>
> Aled

-- -JH
On (2013-08-03 18:38 -0500), Jimmy Hess wrote:
> That's not news to me, but fully expected. Do the vendors /really/ have a code fix to what would seem to be an inherent problem, if you failed to properly secure your OSPF implementation (via MD5 authentication)?

It is news to me. It's a design flaw in the protocol itself which has gone unnoticed for two decades, and I would have naively fully expected that this flaw does not exist in the standard.

As I've understood it, the issue lies in the fact that 'link state id' and 'advertising router' should always be the same (so it's redundant information in the LSA; a single field should suffice?). But the standard does not enforce this at all. The victim will omit doing the corrective reflood for a received bogus LSA if 'advertising router' is something other than its 'router-id', even while 'link state id' == 'router-id'.

I suppose vendors implement a fix where either
a) the corrective reflood occurs if 'link state id' == 'router-id', or
b) the LSA is rejected unless 'link state id' == 'advertising router'.

How serious or new this is may be debatable, as the only thing it seems to remove is the need for the attacker to inject 0.2pps worth of packets which will suppress the corrective reflooding.

-- ++ytti
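To make the check Saku is describing concrete, here is an added example in Python; it is not code from the thread, from Cisco, Juniper or any other vendor. It decodes the fixed RFC 2328 LSA header, applies the self-origination test as the thread describes it (Advertising Router compared with the local Router ID, Link State ID of a router-LSA not consulted), and then applies the two fix styles Saku guesses at as selectable policies. The router IDs, the policy names and the 'install'/'reflood'/'reject' outcomes are assumptions for illustration, and 'reflood' stands in for the full section 13.4 handling of a received self-originated LSA (re-originating a fresher instance), which is not modelled.

```python
"""
Added example (not from the thread or any vendor code): parse an OSPFv2 LSA
header and apply the self-origination / consistency checks the thread discusses.

Assumptions (hypothetical, for illustration only):
  - the local Router ID is a dotted-quad string such as "10.0.0.1";
  - 'install' = accept into the LSDB with no corrective action,
    'reflood' = treat as self-originated and re-originate a fresher copy
                (the RFC 2328 13.4 fight-back, not modelled further),
    'reject'  = drop the LSA.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# RFC 2328 A.4.1 LSA header: LS age, options, LS type, Link State ID,
# Advertising Router, LS sequence number, LS checksum, length (20 bytes).
LSA_HDR = struct.Struct("!HBB4s4sIHH")
ROUTER_LSA, NETWORK_LSA = 1, 2


@dataclass(frozen=True)
class LsaHeader:
    age: int
    options: int
    ls_type: int
    ls_id: str
    adv_router: str
    seq: int
    checksum: int
    length: int


def parse_lsa_header(buf: bytes) -> LsaHeader:
    """Decode the fixed 20-byte LSA header; raise on a truncated buffer."""
    if len(buf) < LSA_HDR.size:
        raise ValueError(f"LSA header needs {LSA_HDR.size} bytes, got {len(buf)}")
    age, opts, typ, lsid, adv, seq, cksum, length = LSA_HDR.unpack_from(buf)
    return LsaHeader(age, opts, typ, str(IPv4Address(lsid)),
                     str(IPv4Address(adv)), seq, cksum, length)


def build_lsa_header(ls_type: int, ls_id: str, adv_router: str,
                     seq: int = 0x80000001, length: int = 24) -> bytes:
    """Constructed test input: LS age 1, options 0x22, checksum left at 0
    (the Fletcher checksum is not what the checks below are about)."""
    return LSA_HDR.pack(1, 0x22, ls_type, IPv4Address(ls_id).packed,
                        IPv4Address(adv_router).packed, seq, 0, length)


def is_self_originated(h: LsaHeader, my_router_id: str,
                       my_if_addrs: tuple = ()) -> bool:
    """The RFC 2328 13.4 test as the thread describes it: the LSA is ours if
    Advertising Router is our Router ID, or it is a network-LSA whose Link
    State ID is one of our interface addresses. The Link State ID of a
    router-LSA is NOT consulted; that is the gap being discussed."""
    if h.adv_router == my_router_id:
        return True
    return h.ls_type == NETWORK_LSA and h.ls_id in my_if_addrs


def pre_fix_action(h: LsaHeader, my_router_id: str,
                   my_if_addrs: tuple = ()) -> str:
    """Behaviour before any fix: fight back only when the 13.4 test matches."""
    if is_self_originated(h, my_router_id, my_if_addrs):
        return "reflood"
    return "install"


def hardened_action(h: LsaHeader, my_router_id: str, policy: str,
                    my_if_addrs: tuple = ()) -> str:
    """Two possible fixes, selectable by policy name (names are assumed):
    'reject-mismatch': drop a router-LSA whose Link State ID differs from its
                       Advertising Router (for router-LSAs they must be equal).
    'reflood-on-lsid': also treat a router-LSA whose Link State ID is our own
                       Router ID as self-originated, so the fight-back fires."""
    if policy == "reject-mismatch":
        if h.ls_type == ROUTER_LSA and h.ls_id != h.adv_router:
            return "reject"
        return pre_fix_action(h, my_router_id, my_if_addrs)
    if policy == "reflood-on-lsid":
        if h.ls_type == ROUTER_LSA and h.ls_id == my_router_id:
            return "reflood"
        return pre_fix_action(h, my_router_id, my_if_addrs)
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    victim = "10.0.0.1"
    # Constructed bogus router-LSA: Link State ID is the victim's Router ID,
    # Advertising Router is an address the attacker made up.
    bogus = parse_lsa_header(build_lsa_header(ROUTER_LSA, victim, "10.0.0.99"))
    print("pre-fix:        ", pre_fix_action(bogus, victim))
    print("reject-mismatch:", hardened_action(bogus, victim, "reject-mismatch"))
    print("reflood-on-lsid:", hardened_action(bogus, victim, "reflood-on-lsid"))
```

Run as a script it shows the point of the thread: the pre-fix path installs the bogus LSA at the very router whose Router ID it carries, so no corrective reflood ever happens, while either hardened policy either rejects it at the door or triggers the fight-back. The checks say nothing about MD5 authentication, which is the separate mitigation the thread keeps coming back to.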
On 8/4/13, Saku Ytti <saku@ytti.fi> wrote:
> On (2013-08-03 18:38 -0500), Jimmy Hess wrote:
>> That's not news to me, but fully expected. Do the vendors /really/ have a code fix to what would seem to be an inherent problem, if you failed to properly secure your OSPF implementation (via MD5 authentication)?
>
> It is news to me. It's a design flaw in the protocol itself which has gone unnoticed for two decades, and I would have naively fully expected that this flaw does not exist in the standard.

I would say the risk score of the advisory is overstated. And if you think "ospf is secure" against LAN activity after any patch, that would be wishful thinking. Someone just rediscovered one of the countless innumerable holes in the back of the cardboard box and tried covering it with duct tape...

What is the rationale for overlooking or ignoring the possibility that an attacker can introduce a device with a /faithful/, correct implementation of the protocol, with bad/malicious data intentionally advertised by the "rogue speaker"?

This could be as simple as inserting a real router (which can be just a piece of software) on a broadcast LAN with a proper OSPF implementation but a malicious configuration -- in that the routes configured for advertisement are bogus ones, or a router ID is intentionally chosen to conflict with the router ID of another device. In addition, the rogue router can be configured such that it forces an election and becomes the DR. Just a few examples.

-- -JH
On (2013-08-04 05:01 -0500), Jimmy Hess wrote:
> I would say the risk score of the advisory is overstated. And if you think "ospf is secure" against LAN activity after any patch, that would be wishful thinking. Someone just rediscovered one of the countless innumerable holes in the back of the cardboard box and tried covering it with duct tape...

I tend to agree. OTOH I'm not 100% sure it's unexploitable outside the LAN via unicast OSPF packets. But like you say, MD5 offers some level of protection. I wish there were some KDF for IGP KARP so that each LSA would actually have a unique, not-to-be-repeated password, so even if someone gets a copy of one LSA and calculates out the MD5 it won't be relevant anymore.

L2 is very dangerous on any platform I've tried; with access to L2 you can usually DoS the neighbouring router, even with an optimally configured CoPP/Lo0 filter.

-- ++ytti
Agree, that's why using p2p has been mentioned as BCP in networking "howto's" for at least the last 10 years.

Regards,
Jeff
These were published recently:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-s...
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2013-08-987&actionBtn=Search

-- Tassos
Yes, these advisories (from both Cisco and Juniper), covering CVE-2013-0149, are both related to the announcement yesterday (1-Aug) at BlackHat regarding the OSPF LSA Manipulation vulnerability.

Thanks,
John

John Stuppi, CISSP
Technical Leader, Strategic Security Research, Cisco Systems
So, only Cisco and Juniper are hit by this one? What about "the rest"?

Michael
Hi,

As for Ericsson (Redback) products: we found the issue quite some time ago and fixed it immediately.

Smart Edge code base (SEOS) has been fixed back to release 6.3.
SSR code base (IPOS) - not affected.

Please let me know if you have got any questions.

Regards,
Jeff
I was forwarded a link to a blog post that vividly describes the attack. Sharing it with others in case they're interested ..

http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulnerabili...

Glen
participants (9)
- Adam Atkinson
- Aled Morris
- excelsio@gmx.com
- Glen Kent
- Jeff Tantsura
- Jimmy Hess
- John Stuppi (jstuppi)
- Saku Ytti
- Tassos Chatzithomaoglou