back to article Cisco patches OSPF bug that sends traffic into black holes

Cisco has shipped a patch for a buggy Open Shortest Path First (OSPF) routing implementation it says offers exploits that include traffic blackholing or interception. As the advisory notes, the vulnerability “could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, …

COMMENTS

This topic is closed for new posts.
  1. Christian Berger

    There's always a slight chance...

    that Cisco actually fixes their bugs.

    The strategy of the NSA is not to do the bare minimum to get to the data, but to do everything they can. So they probably knew about such bugs, but still added hardware... just because they can and they want to have redundancy.

    1. Anonymous Coward
      Anonymous Coward

      Re: There's always a slight chance...

      Your paranoia knows no bounds.

      1. Pascal Monett Silver badge

        Doesn't mean he's wrong, though.

    2. Anonymous Coward
      Anonymous Coward

      Re: There's always a slight chance...

      I'd bet a wedge of my pension that NSA were well aware of this.

      Why do you think they hate Huawei?

  2. Anonymous Coward
    Anonymous Coward

    Another day....

    ...another Cisco bug.

    They are turning into the Java of the hardware world.

  3. Binnacle

    fixed for one year

    Fixed versions of firmware starting appearing 12 or more months ago.

    Most shops will already have the vulnerability patched.

    1. Preston Munchensonton
      Boffin

      Re: fixed for one year

      Most shops aren't vulnerable if they follow best practices. Easiest workaround is to enable MD5 authentication for neighbor relationships. Those who don't have authentication enabled for routing protocols deserve exactly what they get.

  4. Chris Miller

    OSPF was (historically, at least) a poor relation on Cisco kit. Cisco preferred their proprietary (E)IGRP, which gave better customer lock-in.

    Factoid: the Open in OSPF is an adjective, not a verb.

    1. garden-snail
      Go

      OSPF

      I never even considered the Open in OSPF as a verb. Now you mention it, it actually flows a lot better that way.

      I'm going to start thinking about that way, even if it's wrong. "Router! Open my shortest path!"

  5. Anonymous Coward
    Anonymous Coward

    I think the NSA didn't use it as an attack vector because nobody runs OSPF on the wan side of internet routable kit, if they're not mental.

    1. elip
      Pint

      werd

      the internet's plumbing is made of BGP and DNS...may $DEITY have mercy upon our frames.

  6. Glen Turner 666

    Not too bad

    This isn't too bad for a well designed network.

    (1) OSPF shouldn't be seen or accepted on the leaf subnets used by computers. (2) It requires the defeat of OSPF authentication (easy or hard, depending solely upon the randomness of of the key).

    A surprising element is that Cisco's OSPF will accept unicast OSPF from anyone, not just predefined unicast neighbours. That's something to add to the router protection access control lists.

    On a poorly designed network this is a bit of a disaster, since the only recovery is to reboot the router (which isn't really an issue: since it has just blackholed all IPv4 traffic the router was no longer doing much worthwhile anyway). By far the quickest work-around for those networks is to deploy OSPF MD5 authentication.

This topic is closed for new posts.

Other stories you might like