Vulnerability Note VU#472363
IPv6 implementations insecurely update Forwarding Information Base
A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.
IPv6 networks use the Neighbor Discovery Protocol (NDP) to detect and locate routers and other on-link IPv6 nodes. NDP uses ICMPv6 types 133, 134, 135, and 136. Neighbor solicitation (type 135) messages are used by NDP to discover and determine the reachability of nearby IPv6 nodes. Nodes that can send each other NDP messages are considered to be on-link (as per RFC 4861).
After receiving a neighbor solicitation request from a system that is on-link and is using a spoofed IPv6 address as the source address, a router will create a neighbor cache entry. When this entry is made, some IPv6 implementations will create a Forwarding Information Base (FIB) entry. This FIB entry may cause the router to incorrectly forward traffic to the device that sent original spoofed neighbor solicitation request.
An attacker may be able to intercept private network traffic. Receiving the traffic may cause links to become congested or saturated due to the additional bandwidth. Administrators are encouraged to read RFC 3756 for more information about other possible vulnerabilities and impacts.
Consider the workarounds below and consult your vendor.
Block packets with illogical source addresses
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer, Inc.||Affected||30 Jul 2008||12 Mar 2009|
|Extreme Networks||Affected||30 Jul 2008||27 Apr 2009|
|Force10 Networks, Inc.||Affected||30 Jul 2008||30 Sep 2008|
|FreeBSD, Inc.||Affected||30 Jul 2008||02 Oct 2008|
|IBM Corporation (zseries)||Affected||30 Jul 2008||05 Aug 2008|
|Juniper Networks, Inc.||Affected||30 Jul 2008||02 Oct 2008|
|NetBSD||Affected||30 Jul 2008||29 Oct 2008|
|OpenBSD||Affected||30 Jul 2008||03 Oct 2008|
|Wind River Systems, Inc.||Affected||30 Jul 2008||03 Nov 2008|
|3com, Inc.||Not Affected||30 Jul 2008||29 Sep 2008|
|Cisco Systems, Inc.||Not Affected||30 Jul 2008||07 Nov 2008|
|Computer Associates||Not Affected||30 Jul 2008||02 Oct 2008|
|Computer Associates eTrust Security Management||Not Affected||30 Jul 2008||02 Oct 2008|
|D-Link Systems, Inc.||Not Affected||30 Jul 2008||29 Sep 2008|
|Debian GNU/Linux||Not Affected||30 Jul 2008||02 Oct 2008|
CVSS Metrics (Learn More)
Thanks to David Miles for reporting this vulnerability. Numerous vendors and others also provided technical information that was used in this report.
This document was written by Ryan Giobbi, Evan Wright, Chad Dougherty, and Art Manion.
- CVE IDs: CVE-2008-4404 CVE-2008-2476
- Date Public: 02 Oct 2008
- Date First Published: 02 Oct 2008
- Date Last Updated: 27 Apr 2009
- Severity Metric: 2.70
- Document Revision: 99
If you have feedback, comments, or additional information about this vulnerability, please send us email.