oss-sec mailing list archives
Re: Re: CVE Request : IPv6 Hop limit lowering via RA messages
From: Marcus Meissner <meissner () suse de>
Date: Tue, 7 Apr 2015 07:20:40 +0200
Hi,

This is CERT VU#711516.

(The IPv6 gurus might disagree on CVE worthiness .. Rogue L2 nodes in an IPv6 network can do more damage even.)

Ciao, Marcus

On Sat, Apr 04, 2015 at 03:27:49AM -0400, cve-assign () mitre org wrote:
An unprivileged user on a local network can use IPv6 Neighbour Discovery ICMP to broadcast a non-route with a low hop limit, this causing machines to lower the hop limit on existing IPv6 routes.

Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a

Use CVE-2015-2922 for the Linux kernel vulnerability.

https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041934.html

Use CVE-2015-2923 for the FreeBSD vulnerability.

, NetworkManager

This might refer to http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/rdisc/nm-lndp-rdisc.c

    hop_limit = ndp_msgra_curhoplimit (msgra);
    if (rdisc->hop_limit != hop_limit) {
        rdisc->hop_limit = hop_limit;
        changed |= NM_RDISC_CONFIG_HOP_LIMIT;

however, the MITRE CVE team is not directly familiar with this part of the NetworkManager code and has not researched any changes to the "rdisc->hop_limit != hop_limit" test. There is apparently no commit available yet at: http://cgit.freedesktop.org/NetworkManager/NetworkManager/log/src/rdisc/nm-lndp-rdisc.c but, again, we don't know whether changes would need to occur there.

Use CVE-2015-2924 for the NetworkManager vulnerability.

Also, note that http://patchwork.ozlabs.org/patch/453995/ refers to affected closed-source products. (CVE IDs for closed-source products would be announced elsewhere.) It also refers to Android. We don't know whether Android was listed only because of a shared-codebase issue, e.g., https://android.googlesource.com/kernel/common/+/android-3.18/net/ipv6/ndisc.c (there is no commit at https://android.googlesource.com/kernel/common/+log/android-3.18/net/ipv6/ndisc.c currently) or whether Android is affected in other ways. Unless there is incorrect hop_limit processing in code that is specific to Android, Android would not have a unique CVE ID.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
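
The receiver-side pattern quoted in the message above, next to a guarded variant, as an added example that is not part of the original thread and is not code from the Linux kernel, FreeBSD or NetworkManager. The struct, the function names and the "never lower, skip 0" policy are assumptions made for illustration; IP-layer RA validation (hop limit 255, link-local source, checksum) is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_ROUTER_ADVERT 134  /* ICMPv6 type of a Router Advertisement (RFC 4861) */
#define RA_HDR_LEN 16         /* fixed RA header; Cur Hop Limit is byte 4 */
struct iface_cfg { uint8_t hop_limit; };  /* hypothetical per-interface state */

/* Return the Cur Hop Limit field, or -1 if the buffer is not a well-formed RA. */
static int ra_cur_hop_limit(const uint8_t *icmp6, size_t len)
{
    if (len < RA_HDR_LEN || icmp6[0] != ND_ROUTER_ADVERT || icmp6[1] != 0)
        return -1;
    return icmp6[4];
}

/* Pattern from the thread: any differing value is applied. Returns 1 if changed. */
int ra_apply_unchecked(struct iface_cfg *c, const uint8_t *icmp6, size_t len)
{
    int adv = ra_cur_hop_limit(icmp6, len);
    if (adv < 0 || adv == c->hop_limit) return 0;
    c->hop_limit = (uint8_t)adv;
    return 1;
}

/* Guarded policy (assumption): skip 0, which RFC 4861 defines as "unspecified",
 * and never let an RA lower the hop limit already in use. */
int ra_apply_guarded(struct iface_cfg *c, const uint8_t *icmp6, size_t len)
{
    int adv = ra_cur_hop_limit(icmp6, len);
    if (adv <= 0 || adv <= c->hop_limit) return 0;
    c->hop_limit = (uint8_t)adv;
    return 1;
}

/* Feed a constructed RA advertising `adv` to an interface at `start`; return the result. */
int hop_limit_after(int guarded, uint8_t start, uint8_t adv)
{
    uint8_t ra[RA_HDR_LEN] = { ND_ROUTER_ADVERT, 0, 0, 0, adv };  /* constructed sample */
    struct iface_cfg c = { start };
    (guarded ? ra_apply_guarded : ra_apply_unchecked)(&c, ra, sizeof ra);
    return c.hop_limit;
}

int main(void)
{
    printf("unchecked: %d, guarded: %d\n", hop_limit_after(0, 64, 1), hop_limit_after(1, 64, 1));
    return 0;
}
```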