{"vuid":"VU#959203","idnumber":"959203","name":"Cisco IOS OSPF neighbor IO buffer overflow","keywords":["Cisco","IOS","OSPF","neighbor list","neighbor array","IO memory","buffer overflow","OoopSPF","CSCdp58462"],"overview":"Cisco Internetwork Operating System (IOS) is the operating system for the majority of Cisco routers. Open Shortest-Path First (OSPF) is an interior routing protocol. A flaw in some Cisco IOS versions can allow a buffer overflow when handling a large number of OSPF neighbor connection requests.","clean_desc":"In OSPF (defined by RFC 1247), adjacent routers connect as \"neighbors\" to exchange routing information. Older versions of Cisco IOS, specifically v11.1 through 12.0, do not securely handle a large number of neighbors (more than 255). If an attacker configures more than 255 hosts (or spoofs that many) to try to become OSPF neighbors of a router running a vulnerable version of Cisco IOS, a table overflows. An attacker must be able to send OSPF packets to the router.","impact":"An attacker can cause a denial of service. It may be possible to execute arbitrary shell code.","resolution":"Upgrade Upgrade to a version of IOS after v12.0.","workarounds":"Workaround Filter OSPF Packets If upgrading is problematic, you can configure the router to filter OSPF packets. OSPF communicates using the IP protocol \"ospf\" and can be filtered as that protocol. Unlike TCP-based and UDP-based protocols, no port number is required. See Cisco's Response for its instructions on how to configure the filtering.","sysaffected":"","thanks":"This issue was first reported by FX of Phenoelit Group.","author":"This document was written by Hal Burch.","public":["http://www.phenoelit.de/stuff/19C3.pdf","http://www.cisco.com/warp/public/707/cisco-sn-20030221-ospf.shtml","http://www.securityfocus.com/archive/1/312510","http://www.securityfocus.com/archive/1/312802","http://secunia.com/advisories/8130/","http://www.osvdb.org/displayvuln.php?osvdb_id=6455","http://www.securityfocus.com/bid/6895","http://xforce.iss.net/xforce/xfdb/11373"],"cveids":["CVE-2003-0100"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-02-20T22:36:23Z","publicdate":"2002-12-27T00:00:00Z","datefirstpublished":"2005-08-02T19:51:32Z","dateupdated":"2005-08-31T18:31:33Z","revision":30,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"20","cam_population":"8","cam_impact":"20","cam_easeofexploitation":"18","cam_attackeraccessrequired":"20","cam_scorecurrent":"43.2","cam_scorecurrentwidelyknown":"43.2","cam_scorecurrentwidelyknownexploited":"64.8","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":43.2,"vulnote":null}