
Cisco Reports OSPF Vulnerability

Light Reading
News Analysis
8/20/2004

An update to Cisco Systems Inc.'s (Nasdaq: CSCO) Internetwork Operating System (IOS) has created an opening for denial-of-service attacks, the company reported yesterday.

Some routers running the Open Shortest Path First (OSPF) protocol can be forced to reload by a certain type of "malformed" packet, according to the advisory posted on Cisco's Website. The vulnerability comes from a code change in IOS release trains 12.0S, 12.2, and 12.3.

The denial-of-service part comes in if someone bombards a vulnerable router with the bad packet, creating a perpetual state of reload.

The alert appears unrelated to the security flaw Cisco discovered in its ONS 15454 and 15327 platforms last month (see Cisco Finds ADM Security Flaw). But like the 15454 vulnerability, the OSPF flaw isn't likely to whip up a Hurricane Charley on the Internet. OSPF tends to be used for connecting routers within a network; routers pointing out to the Internet are more likely to run the Border Gateway Protocol (BGP).

Even so, security experts are saying that an internal threat is worth patching up, too. "OSPF tends to be more common in internal networks, but that doesn't mean the internal network is any less important in security," says Todd Hoopfer, director of solutions center (don't make that face; that's what they call him) at Check Point Software Technologies Ltd. (Nasdaq: CHKP).

Naturally, Check Point has an answer for the OSPF vulnerability. In July, the company updated its products' handling of dynamic protocols, so that its firewalls and VPNs can weed out malformed packets.

The Cisco advisory notes that using OSPF authentication -- something that's recommended anyway -- can "mitigate the effects of this vulnerability."
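
One way a defender could check whether the OSPF speakers on a segment actually use authentication, as the advisory recommends. This is an added Python example, not code from the article or from Cisco's advisory; it reads the AuType field of the OSPFv2 common header as defined in RFC 2328, the function names are illustrative, and the sample packets are constructed.

```python
import ipaddress
import struct

# OSPFv2 common header (RFC 2328, A.3.1): 24 bytes, network byte order.
HEADER = struct.Struct("!BBH4s4sHH8s")
AUTYPES = {0: "null", 1: "simple-password", 2: "cryptographic"}


def parse_header(payload: bytes) -> dict:
    """Parse the OSPFv2 common header from an IP payload (protocol 89)."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated OSPF header")
    version, ptype, length, rid, area, _cksum, autype, _auth = HEADER.unpack_from(payload)
    if version != 2:
        raise ValueError(f"not OSPFv2 (version {version})")
    if length < HEADER.size:
        raise ValueError("length field smaller than header")
    return {
        "type": ptype,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area": str(ipaddress.IPv4Address(area)),
        "autype": AUTYPES.get(autype, f"unknown({autype})"),
    }


def audit(packets):
    """Return (router_id, area, autype) for every header not using cryptographic auth."""
    findings = []
    for raw in packets:
        try:
            hdr = parse_header(raw)
        except ValueError as exc:
            findings.append(("unparsed", "-", str(exc)))
            continue
        if hdr["autype"] != "cryptographic":
            findings.append((hdr["router_id"], hdr["area"], hdr["autype"]))
    return findings


def build(router_id, area, autype):
    """Constructed sample: header-only packet of type 1 (Hello), checksum left as zero."""
    return HEADER.pack(2, 1, HEADER.size, ipaddress.IPv4Address(router_id).packed,
                       ipaddress.IPv4Address(area).packed, 0, autype, bytes(8))


SAMPLES = [
    build("10.0.0.1", "0.0.0.0", 2),   # cryptographic (MD5) authentication
    build("10.0.0.2", "0.0.0.0", 0),   # null authentication
    build("10.0.0.3", "0.0.0.1", 1),   # cleartext password
    b"\x02\x01\x00",                    # truncated capture
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding)
```

Routers that show up with `null` or `simple-password` are the ones where enabling message-digest authentication would apply the mitigation the advisory describes.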

— Craig Matsumoto, Senior Editor, Light Reading

bonzi0
12/5/2012 | 1:20:52 AM
re: Cisco Reports OSPF Vulnerability
"OSPF tends to be used for connecting routers within a network; routers pointing out to the Internet are more likely to run the Border Gateway Protocol (BGP).

Even so, security experts are saying that an internal threat is worth patching up, too. "OSPF tends to be more common in internal networks, but that doesn't mean the internal network is any less important in security," says Todd Hoopfer, director of solutions center "

Huh? If a large provider's router loses its ospf, very bad things could likely happen to the BGP sessions that rely on the IGP.

ISP routing architecture is quite different from the enterprise architecture. I don't think the director of solutions center understands this.

digerato
12/5/2012 | 1:20:50 AM
re: Cisco Reports OSPF Vulnerability
"If a large provider's router loses its ospf, very bad things could likely happen to the BGP sessions that rely on the IGP.

ISP routing architecture is quite different from the enterprise architecture. I don't think the director of solutions center understands this. "

If you work for an ISP that is redistributing IGP into BGP, please let us know which one it is so that the sane among us can avoid connecting to it.

Thanks,

Digerato
priam
12/5/2012 | 1:20:49 AM
re: Cisco Reports OSPF Vulnerability
Not disagreeing with the sentiment here; though commonly the BGP routers rely on an IGP for mutual reachability. That being said, an ISP can effectively filter for OSPF PDUs from foreign address spaces. Not much danger, I imagine.

--------->
If you work for an ISP that is redistributing IGP into BGP, please let us know which one it is so that the sane among us can avoid connecting to it.
bonzi0
12/5/2012 | 1:20:48 AM
re: Cisco Reports OSPF Vulnerability
"Not disagreeing with the sentiment here; though commonly the BGP routers rely on an IGP for mutual reachability. That being said, an ISP can effectively filter for OSPF PDUs from foreign address spaces. Not much danger, I imagine."


I agree, filtering and even MD5 checksums reduce the threat to service providers. It's just that the article implied that ospf is not a critical part of the Internet. If a large service provider has problems with its ospf, it can (and has) have effects on global BGP routing.
bonzi0
12/5/2012 | 1:20:48 AM
re: Cisco Reports OSPF Vulnerability
"If you work for an ISP that is redistributing IGP into BGP, please let us know which one it is so that the sane among us can avoid connecting to it."

Who said anything about redistributing ospf into bgp (or bgp into ospf)? If a core router in New York has an ibgp session with one in, say, Dallas (it is common to have ibgp meshes in the core), how do you think the bgp packets get routed there? It's usually either ospf or isis that tells them that. If the IGP fails the bgp session will go down.
Tony Li
12/5/2012 | 1:20:42 AM
re: Cisco Reports OSPF Vulnerability
It's been proven time and again that the internal systems within a carrier are still vulnerable to attack, so internally generated forged OSPF packets are not unthinkable.

Tony
turing
12/5/2012 | 1:20:42 AM
re: Cisco Reports OSPF Vulnerability
The point is not whether ospf is important, it's how it can be attacked in the way described by the article. Digerato was saying no one redistributes their IGP into BGP because if they don't, then you can't reach their IGP node's ospf process from outside. Priam was saying you can also easily filter out ospf packets at border routers.
The only real threat is if you have an internal attacker. That's what the solutions center guy meant. The reality is if you run ospf and not authentication then you'd better trust your internal people already because there are a lot easier ways to attack ospf than this bug.
priam
12/5/2012 | 1:20:40 AM
re: Cisco Reports OSPF Vulnerability
Absolutely. For just that reason, the attacker with enough access to the infrastructure to launch this particular exploit probably has enough access to screw up just about whatever he wants. I won't name names, but a significant amount of equipment out there will still fall over from crufty old SNMP exploits.

Two morals:
a) the infrastructure really needs to get locked down better
b) this particular exploit is no more worrisome than a lot of other stuff

------------>
It's been proven time and again that the internal systems within a carrier are still vulnerable to attack, so internally generated forged OSPF packets are not unthinkable.