oss-sec mailing list archives

Re: Re: CVE Request : IPv6 Hop limit lowering via RA messages


From: Marcus Meissner <meissner () suse de>
Date: Tue, 7 Apr 2015 07:20:40 +0200

Hi,

This is CERT VU#711516.

(The IPv6 gurus might disagree on CVE worthiness .. Rogue L2 nodes
 in an IPv6 network can do more damage even.)

Ciao, Marcus
On Sat, Apr 04, 2015 at 03:27:49AM -0400, cve-assign () mitre org wrote:
An unprivileged user on a local network can use IPv6 Neighbour
Discovery ICMP to broadcast a non-route with a low hop limit, thus
causing machines to lower the hop limit on existing IPv6 routes.

Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a

Use CVE-2015-2922 for the Linux kernel vulnerability.


https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041934.html

Use CVE-2015-2923 for the FreeBSD vulnerability.


,  NetworkManager

This might refer to
http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/rdisc/nm-lndp-rdisc.c

  hop_limit = ndp_msgra_curhoplimit (msgra);
  if (rdisc->hop_limit != hop_limit) {
          rdisc->hop_limit = hop_limit;
          changed |= NM_RDISC_CONFIG_HOP_LIMIT;

however, the MITRE CVE team is not directly familiar with this part of
the NetworkManager code and has not researched any changes to the
"rdisc->hop_limit != hop_limit" test. There is apparently no commit
available yet at:

  http://cgit.freedesktop.org/NetworkManager/NetworkManager/log/src/rdisc/nm-lndp-rdisc.c

but, again, we don't know whether changes would need to occur there.

Use CVE-2015-2924 for the NetworkManager vulnerability.


Also, note that

  http://patchwork.ozlabs.org/patch/453995/

refers to affected closed-source products. (CVE IDs for closed-source
products would be announced elsewhere.) It also refers to Android. We
don't know whether Android was listed only because of a
shared-codebase issue, e.g.,

  https://android.googlesource.com/kernel/common/+/android-3.18/net/ipv6/ndisc.c

(there is no commit at
https://android.googlesource.com/kernel/common/+log/android-3.18/net/ipv6/ndisc.c
currently)

or whether Android is affected in other ways. Unless there is
incorrect hop_limit processing in code that is specific to Android,
Android would not have a unique CVE ID.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
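As an added illustration of the issue discussed in this thread (not code from the thread, the Linux kernel, FreeBSD or NetworkManager), the snippet below parses the Cur Hop Limit field of a Router Advertisement and shows the unchecked acceptance that lets any on-link node lower a host's hop limit beside a guarded version that only accepts an increase. The "accept only an increase" rule, the interface default of 64 and the sample packets are assumptions of this example, and the ICMPv6 checksum is not verified.

```c
#include <stddef.h>
#include <stdint.h>

#define ND_ROUTER_ADVERT 134   /* ICMPv6 type: Router Advertisement (RFC 4861) */
#define RA_FIXED_LEN     16    /* 4-byte ICMPv6 header + 12 RA-specific bytes */
#define IFACE_DEFAULT_HL 64    /* assumed current hop limit of the interface */

/* Return the Cur Hop Limit field of a raw ICMPv6 RA, or -1 when the buffer is
 * not a well-formed RA header (too short, wrong type, or non-zero code). */
int ra_cur_hop_limit(const uint8_t *buf, size_t len)
{
    if (len < RA_FIXED_LEN || buf[0] != ND_ROUTER_ADVERT || buf[1] != 0)
        return -1;
    return buf[4];             /* byte 4 of the message is Cur Hop Limit */
}

/* Vulnerable policy: any non-zero advertised value overwrites the interface
 * value, so a single RA from any on-link node can drop the hop limit to 1. */
uint8_t hop_limit_apply_unchecked(uint8_t current, int advertised)
{
    return advertised > 0 ? (uint8_t)advertised : current;
}

/* Guarded policy (assumed mitigation): accept only an increase; a non-zero value
 * below the current one is kept out and flagged so the caller can log it. */
uint8_t hop_limit_apply_guarded(uint8_t current, int advertised, int *rejected)
{
    if (rejected)
        *rejected = (advertised > 0 && advertised < current);
    return advertised > current ? (uint8_t)advertised : current;
}

/* Constructed samples: a well-formed RA advertising Cur Hop Limit = 1, and a
 * Neighbor Solicitation (type 135) that must not be treated as an RA. */
const uint8_t SAMPLE_RA[RA_FIXED_LEN] = {
    ND_ROUTER_ADVERT, 0, 0x00, 0x00,   /* type, code, checksum (unverified) */
    1, 0x00, 0x07, 0x08,               /* Cur Hop Limit=1, flags, lifetime */
    0, 0, 0, 0, 0, 0, 0, 0             /* reachable time, retrans timer */
};
const uint8_t SAMPLE_NS[RA_FIXED_LEN] = { 135, 0 };

/* Hop limit left on the interface after SAMPLE_RA under either policy. */
int hop_limit_after_sample(int guarded)
{
    int adv = ra_cur_hop_limit(SAMPLE_RA, sizeof SAMPLE_RA);
    if (adv < 0) return -1;
    return guarded ? hop_limit_apply_guarded(IFACE_DEFAULT_HL, adv, NULL)
                   : hop_limit_apply_unchecked(IFACE_DEFAULT_HL, adv);
}
```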


