CVE-2017-6770: Cisco Security Advisory: Multiple Cisco Products OSPF LSA Manipulation Vulnerability
Cisco IOS 12.0 through 15.6, Adaptive Security Appliance (ASA) Software 7.0.1 through 9.7.1.2, NX-OS 4.0 through 12.0, and IOS XE 3.6 through 3.18 are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated, remote attacker to take full control of the OSPF Autonomous System (AS) domain routing table, allowing the attacker to intercept or black-hole traffic. The attacker could exploit this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause the targeted router to flush its routing table and propagate the crafted OSPF LSA type 1 update throughout the OSPF AS domain. To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast OSPF LSA type 1 packets. No other LSA type packets can trigger this vulnerability. OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is not affected by this vulnerability. Cisco Bug IDs: CSCva74756, CSCve47393, CSCve47401.
This vulnerability affects the following Cisco products with an OSPF implementation. Refer to the Fixed Software section for information on fixed software.
Note: This vulnerability can be triggered only by targeting the OSPF multicast address or directly targeting OSPF-enabled interfaces.
FSPF is not affected by this vulnerability.
Cisco IOS and Cisco IOS XE Software
Cisco devices that are running Cisco IOS or Cisco IOS XE Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.
OSPFv3 is not affected by this vulnerability.
To determine if a Cisco IOS or Cisco IOS XE device is configured with OSPF on an interface, use the show ip ospf interface command. The following example is the output of the show ip ospf interface command on a Cisco IOS device configured with OSPF and enabled on the GigabitEthernet0/0/1 interface:
Router# show ip ospf interface
GigabitEthernet0/0/1 is up, line protocol is up
  Internet Address 192.168.2.4/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 10.10.10.4, Network Type BROADCAST, Cost: 1
  Topology-MTID    Cost    Disabled    Shutdown      Topology Name
        0           1         no          no            Base
  Transmit Delay is 1 sec, State DR, Priority 1
  . . .
To determine the Cisco IOS or Cisco IOS XE Software release that is running on a Cisco product, administrators can log into the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1 with an installed image name of C3900-UNIVERSALK9-M:
Router# show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright © 1986-2009 by cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
. . .
Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.
Cisco Adaptive Security Appliance
Cisco devices that are running Cisco Adaptive Security Appliance (ASA) Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability.
OSPFv3 is not affected by this vulnerability.
To determine if a Cisco ASA device is configured with OSPF on an interface, use the show ospf interface brief command. The following example is the output of the show ospf interface brief command on a Cisco ASA device configured with OSPF and enabled on the inside interface:
ciscoasa# show ospf interface brief
Interface PID   Area            IP Address/Mask            Cost  State Nbrs F/C
inside    1     1               10.10.10.1/255.255.255.0   10    WAIT  0/0
ciscoasa#
To determine the version of software that is running on a Cisco ASA, Cisco ASA-SM, or Cisco PIX security appliance, use the show version command from the CLI. The following is an example of the output from the show version command, filtered to the line that carries the version string:
ciscoasa# show version | include Software
Cisco Adaptive Security Appliance Software Version 9.3(1)
ciscoasa#
Cisco NX-OS Software
Cisco devices that are running Cisco NX-OS Software and configured for OSPF are vulnerable. Devices that do not have OSPF enabled are not affected by this vulnerability. To determine if a Cisco NX-OS device is configured with OSPF on an interface, use the show ip ospf interface command similar to the example provided in the Cisco IOS and Cisco IOS XE Software section.
To determine the version of Cisco NX-OS Software that is running on Cisco Nexus 3000, 5000, 6000, 7000 and 9000 series devices, use the show version command from the CLI. The following is an example of the output from the show version command:
switch# show version | grep system:
  system:    version 7.3(1)D1(1)
switch#
Exploiting the vulnerability on a Cisco Nexus device will not affect the local routing table of that Nexus device. However, the Nexus device will install the crafted LSA in its database and flood it to the other devices in the OSPF area. A crafted LSA propagated in this way to other routers in the same OSPF AS may still affect routing tables across the OSPF AS, so a Nexus device with OSPF enabled must be treated as in scope even though its own forwarding is unaffected.
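The IOS/IOS XE, ASA and NX-OS sections above each prescribe two manual checks per device: confirm that OSPF is enabled on at least one interface, then read the software release so it can be compared with the Fixed Software section. The following helper automates those checks over saved CLI output for a fleet. It is an added example written for this page, not Cisco tooling; the sample outputs are constructed here in the layouts the advisory shows, and the parser assumes those layouts (first-column interface names, the "Process ID ... Network Type ..." line on IOS and NX-OS, the whitespace-separated table on ASA). It reports only whether a device is in scope; it does not decide vulnerability, because the affected release ranges must be compared against the fixed releases by hand.

```python
import re

# Constructed sample output modelled on the show commands in this advisory.
# Values are illustrative and do not come from a real device.
IOS_OSPF_INTERFACE = """\
GigabitEthernet0/0/1 is up, line protocol is up
  Internet Address 192.168.2.4/24, Area 0, Attached via Network Statement
  Process ID 1, Router ID 10.10.10.4, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
GigabitEthernet0/0/2 is up, line protocol is up
  Internet Address 10.0.0.1/30, Area 0, Attached via Interface Enable
  Process ID 1, Router ID 10.10.10.4, Network Type POINT_TO_POINT, Cost: 1
"""
IOS_SHOW_VERSION = """\
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""
ASA_OSPF_BRIEF = """\
Interface PID   Area            IP Address/Mask            Cost  State Nbrs F/C
inside    1     1               10.10.10.1/255.255.255.0   10    WAIT  0/0
"""
ASA_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.3(1)\n"
NXOS_SHOW_VERSION = "  system:    version 7.3(1)D1(1)\n"

# Header line of each interface block in 'show ip ospf interface' (IOS, IOS XE, NX-OS).
IOS_IFACE_HEADER = re.compile(r"^(\S+) is (\S.*?), line protocol is (\S+)")
IOS_PROCESS_LINE = re.compile(r"Process ID (\d+), Router ID (\S+), Network Type (\S+),")
IOS_AREA = re.compile(r"Area (\S+),")

# Where each platform's 'show version' carries the release string.
VERSION_PATTERNS = {
    "ios": re.compile(r"Cisco IOS(?: XE)? Software.*?\bVersion (\S+?),"),
    "asa": re.compile(r"Cisco Adaptive Security Appliance Software Version (\S+)"),
    "nxos": re.compile(r"^\s*system:\s+version (\S+)", re.M),
}


def ios_ospf_interfaces(output):
    """Parse 'show ip ospf interface' into {interface: {area, process, router_id, network_type}}.

    An interface block starts with an unindented '<name> is up, line protocol is up'
    line; the indented lines that follow belong to that interface.
    """
    result = {}
    current = None
    for line in output.splitlines():
        header = IOS_IFACE_HEADER.match(line)
        if header:
            current = header.group(1)
            result[current] = {"link": header.group(2), "line_protocol": header.group(3)}
            continue
        if current is None:
            continue
        area = IOS_AREA.search(line)
        if area:
            result[current]["area"] = area.group(1)
        proc = IOS_PROCESS_LINE.search(line)
        if proc:
            result[current].update(process=int(proc.group(1)),
                                   router_id=proc.group(2),
                                   network_type=proc.group(3))
    return result


def asa_ospf_interfaces(output):
    """Parse the ASA 'show ospf interface brief' table into {interface: {process, area, address, state}}.

    The header row and any prompt lines are skipped by requiring a numeric PID column.
    """
    result = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[1].isdigit():
            continue
        result[fields[0]] = {"process": int(fields[1]), "area": fields[2],
                             "address": fields[3], "state": fields[5]}
    return result


def software_version(platform, output):
    """Return the release string from 'show version' output, or None if it is not found."""
    match = VERSION_PATTERNS[platform].search(output)
    return match.group(1) if match else None


def triage(platform, ospf_output, version_output):
    """Summarise whether a device is in scope for this advisory's checks.

    In scope means OSPF (v2) is enabled on at least one interface; the returned
    version must still be compared with the Fixed Software section by the reader.
    """
    if platform == "asa":
        ifaces = asa_ospf_interfaces(ospf_output)
    else:  # "ios" and "nxos" share the 'show ip ospf interface' layout
        ifaces = ios_ospf_interfaces(ospf_output)
    return {"platform": platform,
            "version": software_version(platform, version_output),
            "ospf_enabled": bool(ifaces),
            "ospf_interfaces": sorted(ifaces)}


if __name__ == "__main__":
    print(triage("ios", IOS_OSPF_INTERFACE, IOS_SHOW_VERSION))
    print(triage("asa", ASA_OSPF_BRIEF, ASA_SHOW_VERSION))
    print(triage("nxos", IOS_OSPF_INTERFACE, NXOS_SHOW_VERSION))
```

In practice the outputs would be collected with whatever CLI automation is already in use and fed to triage per device; a device with ospf_enabled False is out of scope regardless of release, which is the first filter the advisory itself applies. Devices that are in scope still need their release checked against the Fixed Software section, and Nexus devices remain in scope even though their own routing table is not altered, since they flood the crafted LSA onward.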
No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Cisco IOS XR Software
- Cisco StarOS Software
- Cisco Connected Grid Routers
- Cisco Nexus 1000v Series