A vulnerability was discovered in several OSPF implementations, including Quagga. A malicious OSPF peer, or an attacker able to spoof messages from an OSPF peer, could send a crafted message that would result in erasure or alteration of the routing table, resulting in denial of service or incorrect routing of traffic.
It is strongly recommended to configure Quagga to require authentication from OSPF peers (eg ip ospf authentication message-digest
). Message digest authentication effectively prevents even a man-in-the-middle attacker from exploiting this vulnerability or otherwise interfering with the routing table, as any message without a proper cryptographic signature will be rejected.