New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ospfd's behavior allows a malformed Router LSA to persists in the routing domain #8728
Comments
Hello, Thank's to report this issue. However, the incriminate code (line 2094 in ospfd/ospf_packet.c) made a reference to CVE-2017-3224:
So, we could correct the behaviour of OSPF in order to not reject / drop fight-back LSA, but in this case, we'll go against this CVE. Do you have an opinion about that ? Does the issue is more on the way the fight-back LSA is forge i.e. it must have seqNumber = MaxSeqNumber and age = MaxAge ? |
Thank you for your comment. From the RFC 2328 document, when a router wants to wrap around the sequence number of its router LSA ( The source cause of CVE-2017-3224 is how an OSPF router in FRRouting generates a fight-back LSA with its actual valid FRRouting addresses this issue by rejecting LSAs with MaxSequence but not MaxAge (which causes the vulnerability reported in this github Issue). Although it can prevent CVE-2017-3224 , it does not target the source cause of CVE-2017-3224 . My theory is that instead of rejecting such LSAs, we can craft the MaxSequence, MaxAge LSA with the However, I currently don't have a way to prove this. I hope that answers your question. |
This makes sense (after reading it a couple of times) ... we should probably leave this open to be addressed. It seems like a bit of a corner case, however. |
Describe the bug
ospfd rejects any LSA that has sequence number =
MaxSeqNumber
(0x7fffffff) and age different fromMaxAge
(3600). This is to addressed the vulnerability CVE-2017-3224. The code implementing this feature is located here.However, when a router want to generate a fight-back LSA with sequence number of
MaxSeqNumber - 1
(age obviously !=MaxAge
), this fight-back will be rejected by its neighbor routers. Therefore, the fight-back LSA is rendered useless.[x] Did you check if this is a duplicate issue?
[] Did you test it on the latest FRRouting/frr master branch?
To Reproduce
When I discovered the vulnerability, this is the topology that I used
With the following configurations:
The vulnerability is replicated by having the attacker flood a malformed Router LSA (modified from the current
r010_1
's router LSA) to the routing domain. This malformed Router LSA will have sequence number of MaxSeqNumber – 1 (0x7ffffffe) and age != 3600.When the router that originated this LSA (
r010_1
) receives the malformed LSA, it will issue a fight-back LSA. This fight-back LSA will have sequence number ofMaxSeqNumber
and age !=MaxAge
.However, because FRRouting’s ospfd rejects LSA with MaxSeqNumber but Age != MaxAge, this fight-back instance is rejected and will be rendered useless.
Expected behavior
The malformed router LSA sent by the attacker will persists in the Link State Database (LSDB) of all other router except
r010_1
.r010_1
will keep sending the fight-back LSA because it's not accepted and acked byr010_5
.The attack impacts depend on the content of the malformed LSA (e.g bring down connection to
r010_1
)Screenshots
The log file of
r010_5
indicating that it rejects the fight-back LSA.r010_1
keeps sending the rejected fight-back LSA (note that no LS Ack is issued).Versions
Additional context
The topology is emulated with Mininet 2.3.0
The text was updated successfully, but these errors were encountered: