Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2013-07 Out of Cycle Security Bulletin: Multiple products: OSPF protocol vulnerability (CVE-2013-0149)



Article ID: JSA10582 SECURITY_ADVISORIES Last Updated: 21 Aug 2013Version: 2.0
Legacy Advisory Id:
Product Affected:
All Juniper Networks platforms running Junos Operating System software, JunosE Operating System software, and ScreenOS software
 A vulnerability has been discovered in the OSPF (Open Shortest Path First) protocol that allows a remote attacker to insert, update, or delete routes in the OSPF database. Juniper has worked to provide fixes for all supported code that is vulnerable to this issue.

The issue lies in the OSPF protocol (RFC 2328: OSPF does not specify that the 'Link State ID' and 'Advertising Router' fields need to match when a router receives an OSPF link-state advertisement (LSA). This limitation of the protocol specification would allow for an attacker to inject false routes into the OSPF database. This issue doesn't exist if the OSPF configuration of a router is set to use MD5 Authentication, or if a filter is used to block external parties from sending OSPF link-state update (LSU) packets. This issue also does not apply to passive OSPF interfaces or interfaces that are not configured for OSPF.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-0149.
Releases containing (or will contain) the fix specifically include: 13.1R3, 13.2X50-D10, 12.3R3, 12.2R5, 12.1R7, 12.1X45-D10, 12.1X44-D15, 11.4R8, 10.4R15, and all subsequent releases. In addition, all Junos OS software releases built on or after 2013-07-25 will also have fixed this specific issue.

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

All JunosE software releases built on or after 2013-07-25 have fixed this specific issue. Please contact JTAC to request a patch or hotfix for fixes on all other supported releases of code.

Software updates to ScreenOS have been released to resolve this issue. Releases containing the fix include ScreenOS 5.4.0r28a, 6.2.0r17a, and 6.3.0r14a.

This issue is being tracked as PR 878639 (Junos), CQ95773 (JunosE), and PR 895456 (ScreenOS).

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Juniper recommends that customers use MD5 authentication when configuring OSPF. MD5 authentication completely mitigates this issue as the router will not accept an LSA without the correct MD5 auth value.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters on physical interfaces (not loopback) to limit access to the router via OSPF unless necessary.

Customers can request a hotfix for this issue on JunosE may do so by contacting JTAC.
CVSS Score:
7.8 (AV:N/AC:M/Au:N/C:N/I:P/A:C)
Severity Level:
Severity Assessment:
This issue could allow an remote attacker the ability to modify an OSPF database. For the issue to take place the attacker would need to have unfiltered access to an OSPF interface that is not using MD5 authentication. The attacker would be able to add routes, overwrite routes, and also clear the OSPF database. This attack could potentially allow an attacker to cause a denial of service or reroute traffic.
 Juniper SIRT would like to acknowledge and thank Gabi Nakibly for responsibly reporting this vulnerability to CERT/CC who coordinated the multi-vendor response.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search