Vulnerability Development mailing list archives

Cisco AS5350 IOS 12.3(1a) OSPF bug?


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 29 Oct 2003 20:50:31 +0300

Dear vuln-dev,

  There is a bug in Cisco IOS, _may be_ with the security impact of changing
  the OSPF routing table from an untrusted connection.

  If OSPF is enabled with configuration like

router ospf 1
 log-adjacency-changes
 redistribute connected subnets route-map ospf
 redistribute static subnets route-map ospf
 network 192.168.100.0 0.0.1.255 area 1

  OSPF is propagated via multicast (OSPF Hello is active) to _all_ peers
  _regardless_ of address (including all async dialup connections).

  Because I have access to only one router in this configuration and
  it's in a production environment I was not able to check if it's
  possible to negotiate OSPF and change the route table from an async
  interface or not.

 passive-interface Group-Async0

  fixes the problem.

  Tested with Cisco AS5350 flash image c5350-is-mz.123-1a.bin

  12.2(3) is not vulnerable.

  Can somebody reproduce/confirm this problem and check if it's possible
  to set up an OSPF connection?

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
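
Added example, not part of the original post: a configuration audit in Python that reports dial-up interfaces not marked passive under each `router ospf` process, which is the state the post's `passive-interface Group-Async0` workaround corrects. The function name, the interface-prefix list and the sample config are assumptions of this example; `network` statements are deliberately not evaluated, because the post reports Hellos leaving regardless of address.

```python
import re

# Prefixes treated as untrusted dial-up interfaces (an assumption of this example).
UNTRUSTED = ("Async", "Group-Async", "Dialer")

def audit_ospf_passive(config):
    """Map each OSPF process id to the untrusted interfaces that are not passive."""
    interfaces, procs, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():  # top-level command: a new section begins
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                interfaces.append(m.group(1))
            m = re.match(r"router ospf (\d+)", line)
            if m:
                current = procs.setdefault(
                    m.group(1), {"default": False, "passive": set(), "active": set()})
            continue
        if current is None:  # sub-command of a section other than router ospf
            continue
        words = line.split()
        if words[:2] == ["passive-interface", "default"]:
            current["default"] = True
        elif words[0] == "passive-interface" and len(words) == 2:
            current["passive"].add(words[1])
        elif words[:2] == ["no", "passive-interface"] and len(words) == 3:
            current["active"].add(words[2])
    findings = {}
    for pid, p in procs.items():
        # Passive if named explicitly, or covered by "default" and not re-enabled.
        findings[pid] = [
            name for name in interfaces
            if name.startswith(UNTRUSTED)
            and not (name in p["passive"] or (p["default"] and name not in p["active"]))
        ]
    return findings

# Constructed sample: interface stanzas are invented, the OSPF block is abridged
# from the one quoted in the post.
SAMPLE_BEFORE = """\
interface FastEthernet0/0
!
interface Group-Async0
!
router ospf 1
 network 192.168.100.0 0.0.1.255 area 1
"""
SAMPLE_AFTER = SAMPLE_BEFORE + " passive-interface Group-Async0\n"
```
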

