SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#472363

IPv6 implementations insecurely update Forwarding Information Base

Overview

A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.

I. Description

IPv6 networks use the Neighbor Discovery Protocol (NDP) to detect and locate routers and other on-link IPv6 nodes. NDP uses ICMPv6 types 133, 134, 135, and 136. Neighbor solicitation (type 135) messages are used by NDP to discover and determine the reachability of nearby IPv6 nodes. Nodes that can send each other NDP messages are considered to be on-link (as per RFC 4861).

After receiving a neighbor solicitation request from a system that is on-link and is using a spoofed IPv6 address as the source address, a router will create a neighbor cache entry. When this entry is made, some IPv6 implementations will create a Forwarding Information Base (FIB) entry. This FIB entry may cause the router to incorrectly forward traffic to the device that sent original spoofed neighbor solicitation request.

Note that an attacker must have IPv6 connectivity to the same router as their target for this vulnerability to be exploited. Although this vulnerability has only a local attack vector (NDP messages are not forwarded by routers), flat IPv6 networks can include many hosts and may cover large geographical distances as compared to IPv4 networks.

Similar problems to this issue have been discussed in RFC 3756 "IPv6 Neighbor Discovery (ND) Trust Models and Threats."

II. Impact

An attacker may be able to intercept private network traffic. Receiving the traffic may cause links to become congested or saturated due to the additional bandwidth. Administrators are encouraged to read RFC 3756 for more information about other possible vulnerabilities and impacts.

III. Solution

Consider the workarounds below and consult your vendor.

Block packets with illogical source addresses

Blocking traffic that originates from unlikely or illogical source addresses (such as addresses which are not on-link or logically part of a network assigned to an interface, such as the antispoof keyword in pf) will protect against this vulnerability. This workaround may cause unintended side-effects such as breaking some non-typical configurations. Vendors may also implement this workaround as a fix.

Use application layer encryption

Applications that use secure authentication and encryption such as https, ssh, and ipsec can mitigate this vulnerability by preventing an attacker from intercepting or parsing any data that received. Note that an attacker will probably still be able to blackhole IP addresses resulting in a local denial of service regardless of the authentication or encryption methods used. As noted in RFC 3971, it is non-trivial to use ipsec to protect the integrity of NDP messages.

Design and deploy segmented networks

In a single IPv6 prefix there are certain trust asumptions and if the same IP range is shared all clients will be considered on-link. Segmenting networks will reduce the likelihood of this and similar vulnerabilities from being exploited. Networks can be segmented by assigning unique prefixes to individual router interfaces or by using VLANs.

Systems Affected

VendorStatusDate NotifiedDate Updated
3com, Inc.Not Vulnerable2008-07-302008-09-29
ACCESSUnknown2008-07-302008-07-30
Alcatel-LucentUnknown2008-07-302008-07-30
Apple Computer, Inc.Vulnerable2008-07-302009-03-12
AT&TUnknown2008-07-302008-07-30
Avaya, Inc.Unknown2008-07-302008-07-30
Barracuda NetworksUnknown2008-09-182008-09-18
Belkin, Inc.Unknown2008-07-302008-07-30
Borderware TechnologiesUnknown2008-07-302008-07-30
BroUnknown2008-07-302008-07-30
Charlotte's Web NetworksUnknown2008-07-302008-07-30
Check Point Software TechnologiesUnknown2008-07-302008-07-30
CIACUnknown2008-07-302008-07-30
Cisco Systems, Inc.Not Vulnerable2008-07-302008-11-07
ClavisterUnknown2008-07-302008-07-30
Computer AssociatesNot Vulnerable2008-07-302008-10-02
Computer Associates eTrust Security ManagementNot Vulnerable2008-07-302008-10-02
Conectiva Inc.Unknown2008-07-302008-07-30
Cray Inc.Unknown2008-07-302008-07-30
D-Link Systems, Inc.Not Vulnerable2008-07-302008-09-29
Data Connection, Ltd.Unknown2008-07-302008-07-30
Debian GNU/LinuxNot Vulnerable2008-07-302008-10-02
DragonFly BSD ProjectUnknown2008-07-302008-07-30
EMC CorporationUnknown2008-07-302008-07-30
Engarde Secure LinuxUnknown2008-07-302008-07-30
Enterasys NetworksNot Vulnerable2008-07-302008-09-26
EricssonUnknown2008-07-302008-07-30
eSoft, Inc.Unknown2008-07-302008-07-30
Extreme NetworksVulnerable2008-07-302009-04-27
F5 Networks, Inc.Not Vulnerable2008-07-302008-09-18
Fedora ProjectUnknown2008-07-302008-07-30
Force10 Networks, Inc.Vulnerable2008-07-302008-09-30
Fortinet, Inc.Unknown2008-07-302008-07-30
Foundry Networks, Inc.Not Vulnerable2008-07-302008-10-02
FreeBSD, Inc.Vulnerable2008-07-302008-10-02
FujitsuUnknown2008-07-302008-07-30
Gentoo LinuxUnknown2008-07-302008-07-30
Global Technology AssociatesUnknown2008-07-302008-07-30
GoogleUnknown2008-08-222008-08-22
Guidance Software, Inc.Unknown2008-08-222008-08-22
Hewlett-Packard CompanyUnknown2008-07-302008-07-30
HitachiUnknown2008-07-302008-07-30
HyperchipUnknown2008-07-302008-07-30
IBM CorporationUnknown2008-07-302008-07-30
IBM Corporation (zseries)Vulnerable2008-07-302008-08-05
IBM eServerUnknown2008-07-302008-07-30
Ingrian Networks, Inc.Unknown2008-07-302008-07-30
Intel CorporationUnknown2008-09-182008-09-18
Internet Security Systems, Inc.Unknown2008-07-302008-07-30
IntotoUnknown2008-07-302008-07-30
IP FilterUnknown2008-07-302008-07-30
IP Infusion, Inc.Unknown2008-07-302008-07-30
Juniper Networks, Inc.Vulnerable2008-07-302008-10-02
Linux Kernel ArchivesUnknown2008-08-222008-08-22
Luminous NetworksUnknown2008-07-302008-07-30
m0n0wallNot Vulnerable2008-07-302008-08-05
Mandriva, Inc.Unknown2008-07-302008-07-30
McAfeeNot Vulnerable2008-07-302008-09-18
Microsoft CorporationNot Vulnerable2008-07-302008-10-01
MiredoUnknown2008-08-042008-08-04
MontaVista Software, Inc.Unknown2008-07-302008-07-30
Multitech, Inc.Unknown2008-07-302008-07-30
NEC CorporationUnknown2008-07-302008-07-30
NetAppUnknown2008-07-302008-07-30
NetBSDVulnerable2008-07-302008-10-29
netfilterUnknown2008-07-302008-07-30
NextHop Technologies, Inc.Unknown2008-07-302008-07-30
NokiaUnknown2008-07-302008-07-30
Nortel Networks, Inc.Unknown2008-07-302008-07-30
Novell, Inc.Unknown2008-07-302008-07-30
OpenBSDVulnerable2008-07-302008-10-03
Openwall GNU/*/LinuxNot Vulnerable2008-07-302008-08-13
PePLinkNot Vulnerable2008-07-302008-09-19
Process SoftwareUnknown2008-07-302008-07-30
Q1 LabsNot Vulnerable2008-07-302008-08-04
QNX, Software Systems, Inc.Unknown2008-07-302008-07-30
QuaggaNot Vulnerable2008-07-302008-07-31
RadWare, Inc.Not Vulnerable2008-07-302008-07-31
Red Hat, Inc.Not Vulnerable2008-07-302008-07-31
Redback Networks, Inc.Not Vulnerable2008-07-302008-09-29
Secure Computing Network Security DivisionUnknown2008-07-302008-07-30
Secureworx, Inc.Unknown2008-07-302008-07-30
Silicon Graphics, Inc.Unknown2008-07-302008-07-30
Slackware Linux Inc.Unknown2008-07-302008-07-30
SmoothWallNot Vulnerable2008-07-302008-09-19
SnortUnknown2008-07-302008-07-30
Soapstone NetworksUnknown2008-07-302008-07-30
Sony CorporationUnknown2008-07-302008-07-30
SourcefireUnknown2008-07-302008-07-30
StonesoftUnknown2008-07-302008-07-30
Sun Microsystems, Inc.Not Vulnerable2008-07-302008-07-31
SUSE LinuxNot Vulnerable2008-07-302008-10-07
Symantec, Inc.Unknown2008-07-302008-07-30
The SCO GroupUnknown2008-07-302008-07-30
TippingPoint, Technologies, Inc.Not Vulnerable2008-07-302008-09-29
TurbolinuxUnknown2008-07-302008-07-30
U4EA Technologies, Inc.Unknown2008-09-182008-09-18
UbuntuUnknown2008-07-302008-07-30
UnisysUnknown2008-07-302008-07-30
VyattaUnknown2008-07-302008-07-30
Watchguard Technologies, Inc.Unknown2008-07-302008-07-30
Wind River Systems, Inc.Vulnerable2008-07-302008-11-03
ZyXELUnknown2008-07-302008-10-02

References


http://tools.ietf.org/html/rfc4861
http://tools.ietf.org/html/rfc4861#section-2.1
http://www.ietf.org/rfc/rfc2461.txt
http://www.ietf.org/rfc/rfc3756.txt
http://www.ietf.org/rfc/rfc3177.txt
http://tools.ietf.org/html/rfc3971
http://docs.sun.com/app/docs/doc/817-0573/6mgc65bb6?a=view
http://msdn.microsoft.com/en-us/library/ms900123.aspx
http://en.wikipedia.org/wiki/Forwarding_Information_Base#FIBs_in_Ingress_Filtering_against_Denial_of_Service
http://en.wikipedia.org/wiki/Reverse_path_forwarding
http://www.openbsd.org/faq/pf/filter.html#antispoof

Credit

Thanks to David Miles for reporting this vulnerability. Numerous vendors and others also provided technical information that was used in this report.

This document was written by Ryan Giobbi, Evan Wright, Chad Dougherty, and Art Manion.

Other Information

Date Public:2008-10-02
Date First Published:2008-10-02
Date Last Updated:2009-04-27
CERT Advisory: 
CVE-ID(s):CVE-2008-4404; CVE-2008-2476
NVD-ID(s):CVE-2008-4404 CVE-2008-2476
US-CERT Technical Alerts: 
Metric:2.70
Document Revision:99

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader