VYPR
Unrated severity · NVD Advisory · Published Oct 20, 2006 · Updated Apr 23, 2026

CVE-2006-5425

Description

XORP OSPFv2 daemon crashes when processing a crafted OSPF Link State Advertisement with an invalid length field, enabling remote denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

XORP versions 1.2 and 1.3 contain a flaw in the OSPFv2 daemon's handling of Link State Advertisements (LSAs). During checksum verification, the daemon uses the LSA length field to determine the extent of the data being checksummed. An invalid length value causes an out-of-bounds read, leading to a crash of the OSPF process [1].
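The class of check that prevents this kind of out-of-bounds read, shown as an added example that is not XORP's code or its patch: the length field is validated against the bytes actually received before the Fletcher checksum walks the buffer. The function names, result codes and the `(buf, avail)` interface are assumptions made for illustration; the field offsets follow the OSPFv2 LSA header in RFC 2328.

```c
#include <stddef.h>
#include <stdint.h>

#define LSA_HDR_LEN 20  /* fixed OSPFv2 LSA header size (RFC 2328, A.4.1) */
#define LSA_LEN_OFF 18  /* 16-bit length field, header included */

/* Hypothetical result codes for this example. */
enum lsa_result { LSA_BAD_LENGTH = -1, LSA_BAD_CKSUM = 0, LSA_OK = 1 };

/* Fletcher sum over data[0..n). With the checksum bytes in place, a valid
 * LSA yields c0 == c1 == 0. The caller guarantees n bytes are readable. */
static int fletcher_is_zero(const uint8_t *data, size_t n)
{
    uint32_t c0 = 0, c1 = 0;
    for (size_t i = 0; i < n; i++) {
        c0 = (c0 + data[i]) % 255;
        c1 = (c1 + c0) % 255;
    }
    return c0 == 0 && c1 == 0;
}

/* buf points at an LSA inside a received packet; avail is the number of
 * bytes left in that packet from buf onward (assumed interface). */
enum lsa_result lsa_verify(const uint8_t *buf, size_t avail)
{
    if (avail < LSA_HDR_LEN)
        return LSA_BAD_LENGTH;      /* the header itself is truncated */

    size_t len = ((size_t)buf[LSA_LEN_OFF] << 8) | buf[LSA_LEN_OFF + 1];

    /* The sender-controlled length must cover the header and must not
     * claim more bytes than were actually received. */
    if (len < LSA_HDR_LEN || len > avail)
        return LSA_BAD_LENGTH;

    /* The checksum covers the LSA minus the 2-byte LS age field. */
    return fletcher_is_zero(buf + 2, len - 2) ? LSA_OK : LSA_BAD_CKSUM;
}
```

Without the two length comparisons, `fletcher_is_zero` would be driven by a value taken straight from the packet, which is the pattern the description above attributes to the crash.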

Exploitation

An unauthenticated remote attacker can send a crafted OSPF packet containing an LSA with an invalid length field. No prior authentication or special network position is required beyond the ability to send OSPF packets to the target router. The vulnerable XORP OSPFv2 daemon will attempt to verify the checksum using the malformed length, triggering the out-of-bounds read and crashing the daemon [1].

Impact

Successful exploitation results in a denial of service (DoS) condition as the OSPF daemon crashes. This disrupts OSPF routing functionality on the affected XORP router, potentially causing network instability or loss of connectivity. The crash does not lead to code execution or data disclosure [1].

Mitigation

XORP released patches for versions 1.2 and 1.3 on October 16, 2006. Users should apply the appropriate patch: for XORP 1.2, use the patch from http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.2.patch; for XORP 1.3, use http://www.xorp.org/patches/SA-06:01/xorp_sa_06:01.ospf_1.3.patch. No workarounds are documented; upgrading to a patched version is the recommended mitigation [1].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:xorp:extensible_open_router_platform:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:xorp:extensible_open_router_platform:1.3:*:*:*:*:*:*:*
  • Xorp/XORP (llm-create)
    Range: 1.2, 1.3
