[Xorp-hackers] XORP_SA_06:01.ospf: An LSA with invalid length will crash OSPFv2

Atanu Ghosh atanu at ICSI.Berkeley.EDU
Tue Oct 17 16:01:03 PDT 2006 

=============================================================================
XORP_SA_06:01.ospf				            Security Advisory
						             The XORP Project


Topic:		An LSA with invalid length will crash OSPFv2

Module:		OSPF
Announced:	2006-10-17
Credits:	http://www.musecurity.com/
Affects:	XORP 1.2 and XORP 1.3 Releases
Corrected:	2006-10-16 06:50:04 UTC (Release 1.4-WIP)

I.	Background

OSPFv2 is a link-state routing protocol defined in RFC 2328,
implemented by the XORP project.

II.	Problem Description

The OSPF protocol carries link state information in Link State
Advertisements (LSAs). One or more LSAs can be carried in a Link State
Update Packet. Each LSA has its own length field and checksum amongst
other fields.

One of the first checks made when processing an LSA is to verify the
checksum. The checksum verification routine takes into account the
LSA length field. If the length field has certain invalid values, then
OSPF might crash.

III.	Impact

An attacker sending specially crafted packets with certain invalid LSA
length value will be able to terminate the XORP OSPF process.

It should be noted that the attacker does not need to be on the same
network segment as the XORP router.

IV.	Workaround

One possible workaround is to filter all external IP packets with protocol
number 89 (OSPF) at the border router.

V.	Solution

Apply the relevant patch to your XORP system and restart OSPF.

1) To patch your present system:

[XORP 1.2]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.2.patch

[XORP 1.3]
# wget http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.3.patch

2) Execute the following commands (only the last one has to be as root):

# cd xorp
# patch -p0 < /path/to/patch
# gmake
# cd ospf
# gmake install

3) Restart OSPFv2

a) Save the current configuration to a file.

# xorpsh
Xorp> configure
XORP# save /tmp/xorp.boot

b) Delete ospf4 from the configuration and commit. OSPFv2 should no
longer be running.

XORP# delete protocols ospf4
XORP# commit

c) Reload the saved configuration, which will restart OSPFv2
XORP# load /tmp/xorp.boot

VI.	Correction details

The following list contains the revision numbers of each file that was
corrected in XORP.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
HEAD
  xorp/ospf/lsa.cc                                                   1.72
-------------------------------------------------------------------------

VII.	References

The latest revision of this advisory is available at:
http://www.xorp.org/advisories/XORP_SA_06:01.ospf.txt

=============================================================================

More information about the Xorp-hackers mailing list