oss-sec mailing list archives
Re: CVE Request : IPv6 Hop limit lowering via RA messages
From: Loganaden Velvindron <loganaden () gmail com>
Date: Fri, 3 Apr 2015 13:57:02 +0400
On Fri, Apr 3, 2015 at 1:54 PM, D.S. Ljungmark <ljungmark () modio se> wrote:
> On Fri, Apr 3, 2015 at 6:06 AM, Jim Thompson <jim () netgate com> wrote:
>> have you considered that there might not be a relevant patch because FreeBSD’s implementation isn’t affected?
>
> sys/netinet6/nd6_rtr.c
>
> 300 if (nd_ra->nd_ra_curhoplimit)
> 301         ndi->chlim = nd_ra->nd_ra_curhoplimit;
>
> The only "OUT" in that function I see are tests for:
>   Not accepting RA
>   hoplimit on current packet != 255
>   not link-local
>   No extended ipv6 header

It is vulnerable. Harrison Grundy and I worked on a patch, and sent it to secteam@.

> Based on previous testing (early March 2015), and reading of the source, I say that FreeBSD is vulnerable.
>
> Regards,
> D.S. Ljungmark
>
>> Jim
>>
>> On Apr 2, 2015, at 9:15 PM, Eitan Adler <lists () eitanadler com> wrote:
>>> + FreeBSD lists since I haven't seen any relevant patches (although I might have missed them).
>>>
>>> ---------- Forwarded message ----------
>>> From: D.S. Ljungmark <ljungmark () modio se>
>>> Date: 2 April 2015 at 10:19
>>> Subject: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
>>> To: oss-security () lists openwall com
>>>
>>> An unprivileged user on a local network can use IPv6 Neighbour Discovery ICMP to broadcast a non-route with a low hop limit, this causing machines to lower the hop limit on existing IPv6 routes.
>>>
>>> Linux Patch: http://www.spinics.net/lists/netdev/msg322361.html
>>> Redhat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1203712
>>>
>>> Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel
>>>
>>> Regards,
>>> D.S. Ljungmark
>>>
>>> --
>>> Eitan Adler
>>> _______________________________________________
>>> freebsd-net () freebsd org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>>> To unsubscribe, send any mail to "freebsd-net-unsubscribe () freebsd org"
-- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
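
An added example, not code from FreeBSD, Linux, or any poster in this thread: a small C model of the first three early-out checks listed in the quoted message and of the quoted assignment, next to a variant that refuses values below a floor. The struct, the function names, the sample values and the floor policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the inputs discussed in the thread; not FreeBSD's structs. */
struct ra_input {
    bool    accept_rtadv;   /* interface is configured to accept RAs */
    uint8_t ip6_hlim;       /* hop limit of the IPv6 packet carrying the RA */
    bool    src_linklocal;  /* RA source address is link-local */
    uint8_t curhoplimit;    /* Cur Hop Limit field of the RA, 0 = unspecified */
};

/* Constructed sample inputs. */
static const struct ra_input RA_LOW     = { true, 255, true, 1 };
static const struct ra_input RA_NORMAL  = { true, 255, true, 64 };
static const struct ra_input RA_OFFLINK = { true, 64,  true, 1 };

/* The early-outs named in the thread: RA not accepted, hlim != 255, not link-local. */
static bool ra_passes_basic_checks(const struct ra_input *ra)
{
    return ra->accept_rtadv && ra->ip6_hlim == 255 && ra->src_linklocal;
}

/* Unguarded: any non-zero advertised value replaces the current hop limit,
 * which is the behaviour of the two quoted lines. */
uint8_t chlim_unguarded(uint8_t chlim, const struct ra_input *ra)
{
    if (ra_passes_basic_checks(ra) && ra->curhoplimit)
        chlim = ra->curhoplimit;
    return chlim;
}

/* Guarded (assumed policy): ignore an advertised value below min_hlim. */
uint8_t chlim_guarded(uint8_t chlim, const struct ra_input *ra, uint8_t min_hlim)
{
    if (ra_passes_basic_checks(ra) && ra->curhoplimit >= min_hlim && ra->curhoplimit)
        chlim = ra->curhoplimit;
    return chlim;
}

int main(void)
{
    printf("unguarded, low RA:  %u\n", chlim_unguarded(64, &RA_LOW));
    printf("guarded, low RA:    %u\n", chlim_guarded(64, &RA_LOW, 32));
    printf("guarded, normal RA: %u\n", chlim_guarded(32, &RA_NORMAL, 32));
    return 0;
}
```

The basic checks pass for an on-link sender, so only the bound on the advertised value keeps the current hop limit from being lowered in this model.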