[Xorp-hackers] XORP_SA_06:01.ospf: An LSA with invalid length will crash OSPFv2
Atanu Ghosh
atanu at ICSI.Berkeley.EDU
Tue Oct 17 16:01:03 PDT 2006
=============================================================================
XORP_SA_06:01.ospf Security Advisory
The XORP Project
Topic: An LSA with invalid length will crash OSPFv2
Module: OSPF
Announced: 2006-10-17
Credits: http://www.musecurity.com/
Affects: XORP 1.2 and XORP 1.3 Releases
Corrected: 2006-10-16 06:50:04 UTC (Release 1.4-WIP)
I. Background
OSPFv2 is a link-state routing protocol defined in RFC 2328,
implemented by the XORP project.
II. Problem Description
The OSPF protocol carries link state information in Link State
Advertisements (LSAs). One or more LSAs can be carried in a Link State
Update Packet. Each LSA has its own length field and checksum amongst
other fields.
One of the first checks made when processing an LSA is to verify the
checksum. The checksum verification routine takes into account the
LSA length field. If the length field has certain invalid values, then
OSPF might crash.
III. Impact
An attacker sending specially crafted packets with certain invalid LSA
length values will be able to terminate the XORP OSPF process.
It should be noted that the attacker does not need to be on the same
network segment as the XORP router.
IV. Workaround
One possible workaround is to filter all external IP packets with protocol
number 89 (OSPF) at the border router.
V. Solution
Apply the relevant patch to your XORP system and restart OSPF.
1) To patch your present system:
[XORP 1.2]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.2.patch
[XORP 1.3]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.3.patch
2) Execute the following commands (only the last one has to be run as root):
# cd xorp
# patch -p0 < /path/to/patch
# gmake
# cd ospf
# gmake install
3) Restart OSPFv2
a) Save the current configuration to a file.
# xorpsh
Xorp> configure
XORP# save /tmp/xorp.boot
b) Delete ospf4 from the configuration and commit. OSPFv2 should no
longer be running.
XORP# delete protocols ospf4
XORP# commit
c) Reload the saved configuration, which will restart OSPFv2.
XORP# load /tmp/xorp.boot
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in XORP.
Branch                                                           Revision
  Path
-------------------------------------------------------------------------
HEAD
  xorp/ospf/lsa.cc                                                   1.72
-------------------------------------------------------------------------
VII. References
The latest revision of this advisory is available at:
http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt
=============================================================================
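
The check ordering described in section II, as an added example in C that is not XORP's code or the patch itself: a hypothetical lsa_validate helper bounds the LSA length field against the 20-byte RFC 2328 header and the bytes remaining in the packet before running the Fletcher checksum over it. The function name, status codes and sample LSA are constructed for illustration; the advisory does not say which length values triggered the crash.

```c
#include <stddef.h>
#include <stdint.h>

#define LSA_HEADER_LEN 20   /* RFC 2328 A.4.1: fixed 20-byte LSA header */
#define LSA_AGE_LEN     2   /* LS age is excluded from the checksum */
#define LSA_LEN_OFFSET 18   /* 16-bit length field, network byte order */

enum lsa_status { LSA_OK = 0, LSA_TRUNCATED, LSA_BAD_LENGTH, LSA_BAD_CHECKSUM };

/* Constructed sample: header-only LSA, LS type 1, length 20, valid checksum. */
const uint8_t sample_lsa[LSA_HEADER_LEN] = {
    0, 0, 0, 1,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0x1A, 0xD0,  0x00, 0x14
};

/* Hypothetical helper (not XORP's API): validate one LSA found at buf, where
 * avail is the number of bytes left in the received Link State Update. */
enum lsa_status lsa_validate(const uint8_t *buf, size_t avail, size_t *lsa_len)
{
    if (avail < LSA_HEADER_LEN)
        return LSA_TRUNCATED;          /* cannot even read the length field */

    size_t len = ((size_t)buf[LSA_LEN_OFFSET] << 8) | buf[LSA_LEN_OFFSET + 1];

    /* Reject before the checksum loop: a length below the header size cannot
     * describe a real LSA, and a length above avail would make the loop read
     * past the end of the packet buffer. */
    if (len < LSA_HEADER_LEN || len > avail)
        return LSA_BAD_LENGTH;

    /* Fletcher checksum over everything except LS age; with the checksum
     * field included, both running sums must be 0 mod 255. */
    uint32_t c0 = 0, c1 = 0;
    for (size_t i = LSA_AGE_LEN; i < len; i++) {
        c0 = (c0 + buf[i]) % 255;
        c1 = (c1 + c0) % 255;
    }
    if (c0 != 0 || c1 != 0)
        return LSA_BAD_CHECKSUM;

    *lsa_len = len;                    /* caller advances by this much */
    return LSA_OK;
}
```

A caller walking a Link State Update would call this once per LSA, advance by the returned length on LSA_OK, and drop the rest of the packet on any other status.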