Vulnerability Note VU#986425

OpenBSD IPv6 kernel buffer overflow vulnerability

Overview

A vulnerability in the OpenBSD kernel could allow a remote attacker to execute arbitrary code on a vulnerable system or cause the system to crash.

I. Description

The OpenBSD kernel contains a flaw in its handling of kernel memory buffers when processing IPv6 packets. This flaw results in a memory corruption vulnerability that allows a remote attacker with the ability to send fragmented ICMPv6 packets to trigger an overflow of mbuf kernel memory structures. The original reporters of this vulnerability, Core Security Technologies, have published a detailed analysis of this vulnerability in CoreLabs Advisory CORE-2007-0219.

Systems connected to public IPv6 networks are particularly at risk from this vulnerability. However, since link-local addresses are part of the IPv6 specification and configured by default on Ethernet interfaces, even systems that have not been explicitly configured to use public IPv6 networks are vulnerable to attack from other systems on the same physical network or multicast network.

Note that we are aware of working, publicly available exploit code for this vulnerability.

II. Impact

A remote, unauthenticated attacker with the ability to supply a specially crafted fragmented IPv6 packet may be able to execute arbitrary code on a vulnerable system or cause the system to crash. The attacker-supplied code would be executed in the context of the kernel.

III. Solution

Apply a patch from the vendor


The OpenBSD development team has published patches to address this issue. Please see the Systems Affected section of this document for more information.

Note that a second revision of the patch was released after the initial publication of this document. Users should be sure to obtain this second revision of the patch.

Filter IPv6 packets

Sites, particularly those that are unable to apply the patch, are encouraged to filter IPv6 traffic to affected hosts. For the OpenBSD packet filter, pf(4), use "block in inet6" in /etc/pf.conf.
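
The "block in inet6" rule only protects a host if no other rule re-admits IPv6, because pf(4) applies the last matching rule unless a rule is marked "quick". The following check is an added example, not part of the original note or of OpenBSD; the function name audit_pf_inet6 and the sample ruleset are constructed for illustration, and the parser assumes one simple rule per line.

```shell
#!/bin/sh
# audit_pf_inet6 (hypothetical helper): read pf.conf text on stdin and report
# whether every inbound IPv6 packet is blocked.
# Prints: ok | missing | overridden:<line number of the pass rule>
# Heuristic only: macros, tables, anchors and backslash continuations are
# not expanded, so treat "ok" as a first check, not a proof.
audit_pf_inet6() {
  awk '
    { sub(/#.*/, "") }                        # strip comments
    $1 != "block" && $1 != "pass" { next }    # only filter rules matter
    {
      dir = ""; af = ""; quick = 0; narrow = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "in" || $i == "out")            dir = $i
        else if ($i == "inet" || $i == "inet6")   af = $i
        else if ($i == "quick")                   quick = 1
        else if ($i != "log" && $i != "all" && $i != "drop" && $i != "return")
          narrow = 1      # on/proto/from/to: rule matches only some packets
      }
      if (dir == "out" || af == "inet") next  # cannot match inbound IPv6

      if ($1 == "pass") {
        # pf uses the last matching rule; "quick" ends evaluation at once.
        if (quick) { if (!sticky) sticky = NR } else leak = NR
      } else if (!narrow) {
        blocked = 1; leak = 0                 # blanket inbound IPv6 block
        if (quick) exit                       # nothing later can override
      }
    }
    END {
      if (!blocked)      print "missing"
      else if (sticky)   print "overridden:" sticky
      else if (leak)     print "overridden:" leak
      else               print "ok"
    }
  '
}

# Constructed sample ruleset (not from the advisory): the second rule has no
# address family, so it also matches IPv6 and re-opens the host.
audit_pf_inet6 <<'EOF'
block in inet6
pass in proto tcp to port 22
EOF
```

On a live host, run it as `audit_pf_inet6 < /etc/pf.conf`, and compare against the loaded ruleset shown by `pfctl -sr`.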

Systems Affected

Vendor | Status | Date Notified | Date Updated
OpenBSD | Vulnerable | 21-Mar-2007

References


http://secunia.com/advisories/24490/
http://www.openbsd.org/errata40.html#m_dup1
http://www.openbsd.org/errata39.html#m_dup1
http://www.coresecurity.com/?action=item&id=1703
http://securitytracker.com/id?1017735
http://www.securityfocus.com/bid/22901
http://isc.sans.org/diary.html?storyid=2445
http://archives.neohapsis.com/archives/bugtraq/2007-03/0158.html
http://jvn.jp/cert/JVNVU%23986425/index.html

Credit

This vulnerability was discovered and researched by Alfredo Ortega from Core Security Technologies.

This document was written by Chad R Dougherty.

Other Information

Date Public: 2007-03-12
Date First Published: 2007-03-15
Date Last Updated: 2007-05-03
CERT Advisory: 
CVE-ID(s): CVE-2007-1365
NVD-ID(s): CVE-2007-1365
US-CERT Technical Alerts: 
Metric: 16.80
Document Revision: 18

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2007 by US-CERT, a government organization