Re: Linux kernel handling of IPv6 temporary addresses

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/14/2012 10:14 AM, Greg KH wrote:
> On Wed, Nov 14, 2012 at 10:43:22AM +0200, George Kargiotakis
> wrote:
> > Hello all,
> >
> > Due to the way the Linux kernel handles the creation of IPv6
> > temporary addresses a malicious LAN user can remotely disable
> > them altogether which may lead to privacy violations and
> > information disclosure.
> >
> > By default the Linux kernel uses the 'ipv6.max_addresses' option
> > to specify how many IPv6 addresses an interface may have. The 
> > 'ipv6.regen_max_retry' option specifies how many times the kernel
> > will try to create a new address.
> >
> > Currently, in net/ipv6/addrconf.c,lines 898-910, there is no 
> > distinction between the events of reaching max_addresses for an 
> > interface and failing to generate a new address. Upon reaching
> > any of the above conditions the following error is emitted by the
> > kernel times 'regen_max_retry' (default value 3):
> >
> > [183.793393] ipv6_create_tempaddr(): retry temporary address 
> > regeneration [183.793405] ipv6_create_tempaddr(): retry
> > temporary address regeneration [183.793411]
> > ipv6_create_tempaddr(): retry temporary address regeneration
> >
> > After 'regen_max_retry' is reached the kernel completely
> > disables temporary address generation for that interface.
> >
> > [183.793413] ipv6_create_tempaddr(): regeneration time exceeded
> > - disabled temporary address support
> >
> > RFC4941 3.3.7 specifies that disabling temp_addresses MUST happen
> > upon failure to create non-unique addresses which is not the
> > above case. Addresses would have been created if the kernel had a
> > higher 'ipv6.max_addresses' limit.
> >
> > A malicious LAN user can send a limited amount of RA prefixes and
> > thus disable IPv6 temporary address creation for any Linux host.
> > Recent distributions which enable the IPv6 Privacy extensions by
> > default, like Ubuntu 12.04 and 12.10, are vulnerable to such
> > attacks.
> >
> > Due to the kernel's default values for valid (604800) and
> > preferred (86400) lifetimes, this scenario may even occur under
> > normal usage when a Router sends both a public and a ULA prefix,
> > which is not an uncommon scenario for IPv6. 16 addresses are not
> > enough with the current default timers when more than 1 prefix is
> > advertised.
> >
> > The kernel should at least differentiate between the two cases
> > of reaching max_addresses and being unable to create new
> > addresses, due to DAD conflicts for example.
>
> Have you discussed this with the upstream Linux kernel networking 
> developers?
>
> thanks,
>
> greg k-h


Sounds like this needs a CVE, is it correct that: an attacker can
create a bunch of RA prefixes thus filling up the # of allowed IPv6
addresses for an interface, preventing any more IPv6 addresses from
being assigned to that interface? In other words an attack over the
local network resulting in a DoS condition.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQvtCRAAoJEBYNRVNeJnmTlagQAKgjCVHvmGl2fjDLLkK0i37X
sI+osD8jJSpyVEezch2moD4d6YpSRzpIULoCms7HQw6JdgGX4U1ArJdWkZd4HVQb
Tbj1XdfoKQesLBMXH314565Ui+BJnGo46C01yPltiMlrcsMQtYUqb5HeG1RPUlS1
y9AL0/sVAq/cSUv3X+kHddiDKY7Pwk/kxa59EQ8piKsfHvFAqbgPyWFJldYN2z5C
lfdlgxej3ISa+gzYVkp5QAI5NdmmuqmdN8ki3dJwyR1SrWhGMBFV2rJt2IKhA1a7
OfacRZAQqcoE2wQ/4ss+3oYcdVQQUP9ykr3sphL5AjPcOs2B38bwrRt/OIHVMjB5
wl0vCflU9Xwdhv+stw6He6XQw+EXGMxcaguxp0vXOF3ROhLczV6JKCX5GEVJ6IUS
Z6bDiWLcq/bj5rkDZRCI/zRCyIEOqVWq2KDECKJ1cM4A4jknCGi9BUtkEFtWBjaq
NvF04rTKx+T8ie5nNuj9pXX+h/EsglHKtQu7WRWAI9r+ooCsMUzpweeFF7HhZa1a
CMGogVuplgUxqqvwAJ3NjJXGCee6qRpOFC+3o5kZlnlATOP6sqr3y/DjH30pK6k7
y5cM8z8vdxhRfIlTTiCe7JKIEVVuL0sbuMHFytUt8pjpAFUL+3fN9x0BezxwtSxr
XNcQ1KEm6ZF8lzSmGY/l
=JrA2
-----END PGP SIGNATURE-----