CERT Coordination Center

IPv6 implementations insecurely update Forwarding Information Base

Vulnerability Note VU#472363

Original Release Date: 2008-10-02 | Last Revised: 2009-04-27

Overview

A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.

Description

IPv6 networks use the Neighbor Discovery Protocol (NDP) to detect and locate routers and other on-link IPv6 nodes. NDP uses ICMPv6 types 133, 134, 135, and 136. Neighbor solicitation (type 135) messages are used by NDP to discover and determine the reachability of nearby IPv6 nodes. Nodes that can send each other NDP messages are considered to be on-link (as per RFC 4861).

After receiving a neighbor solicitation request from a system that is on-link and is using a spoofed IPv6 address as the source address, a router will create a neighbor cache entry. When this entry is made, some IPv6 implementations will also create a Forwarding Information Base (FIB) entry. This FIB entry may cause the router to incorrectly forward traffic to the device that sent the original spoofed neighbor solicitation request.

Note that an attacker must have IPv6 connectivity to the same router as their target for this vulnerability to be exploited. Although this vulnerability has only a local attack vector (NDP messages are not forwarded by routers), flat IPv6 networks can include many hosts and may cover large geographical distances as compared to IPv4 networks.

Similar problems to this issue have been discussed in RFC 3756 "IPv6 Neighbor Discovery (ND) Trust Models and Threats."

Impact

An attacker may be able to intercept private network traffic. Receiving the traffic may cause links to become congested or saturated due to the additional bandwidth. Administrators are encouraged to read RFC 3756 for more information about other possible vulnerabilities and impacts.

Solution

Consider the workarounds below and consult your vendor.

Block packets with illogical source addresses

Blocking traffic that originates from unlikely or illogical source addresses (such as addresses that are not on-link or not logically part of a network assigned to an interface) will protect against this vulnerability; the antispoof keyword in pf is one way to do this. This workaround may cause unintended side effects, such as breaking some non-typical configurations. Vendors may also implement this workaround as a fix.
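The flaw described above and the source-address check from this workaround, as an added example that is not taken from any vendor's code: a toy model of a router that installs a host route whenever a neighbor solicitation creates a neighbor cache entry, run with and without an on-link check on the source address. The interface names, the 2001:db8:: documentation addresses and the link-layer address are constructed for illustration.

```python
"""Toy model of a router's handling of neighbor solicitations (NS).

Added illustration; all names and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    prefixes: dict            # interface name -> list of on-link IPv6Network
    validate_source: bool     # True = apply the workaround's on-link check
    neighbor_cache: dict = field(default_factory=dict)
    host_routes: dict = field(default_factory=dict)   # /128 FIB entries

    def source_is_on_link(self, ifname, src):
        # Link-local sources are on-link by definition; anything else must
        # fall inside a prefix assigned to the receiving interface.
        if src.is_link_local:
            return True
        return any(src in net for net in self.prefixes[ifname])

    def receive_ns(self, ifname, src, lladdr):
        src = ipaddress.IPv6Address(src)
        if src.is_unspecified:
            # Duplicate address detection probe: no cache entry is created.
            return "ignored-dad"
        if self.validate_source and not self.source_is_on_link(ifname, src):
            return "dropped"
        self.neighbor_cache[(ifname, src)] = lladdr
        # Behaviour of the affected implementations: a FIB entry for the
        # source address is created together with the cache entry.
        self.host_routes[src] = ifname
        return "accepted"

    def egress_for(self, dst):
        # Longest-prefix match: a /128 host route beats any connected /64.
        dst = ipaddress.IPv6Address(dst)
        if dst in self.host_routes:
            return self.host_routes[dst]
        best = None
        for ifname, nets in self.prefixes.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, ifname)
        return best[1] if best else None


def run_scenario(validate_source):
    """Return (NS verdict, egress interface for the victim's address)."""
    router = Router(
        prefixes={
            "if0": [ipaddress.IPv6Network("2001:db8:a::/64")],
            "if1": [ipaddress.IPv6Network("2001:db8:b::/64")],
        },
        validate_source=validate_source,
    )
    victim = "2001:db8:b::10"          # really lives behind if1
    # Constructed NS seen on if0 whose source claims the victim's address.
    verdict = router.receive_ns("if0", victim, "02:00:00:00:00:01")
    return verdict, router.egress_for(victim)


def link_local_still_accepted():
    # The check must not break ordinary NDP from link-local sources.
    router = Router({"if0": [ipaddress.IPv6Network("2001:db8:a::/64")]}, True)
    return router.receive_ns("if0", "fe80::1", "02:00:00:00:00:02")


if __name__ == "__main__":
    print("no check  :", run_scenario(False))
    print("with check:", run_scenario(True))
```

Without the check, traffic for the address behind if1 is sent out of if0; with it, the solicitation is dropped and the connected route continues to apply.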

Use application layer encryption

Applications that use secure authentication and encryption such as HTTPS, SSH, and IPsec can mitigate this vulnerability by preventing an attacker from intercepting or parsing any data that is received. Note that an attacker will probably still be able to blackhole IP addresses, resulting in a local denial of service regardless of the authentication or encryption methods used. As noted in RFC 3971, it is non-trivial to use IPsec to protect the integrity of NDP messages.

Design and deploy segmented networks

Within a single IPv6 prefix there are certain trust assumptions, and if the same IP range is shared, all clients will be considered on-link. Segmenting networks will reduce the likelihood that this and similar vulnerabilities are exploited. Networks can be segmented by assigning unique prefixes to individual router interfaces or by using VLANs.

Vendor Information

Apple Computer, Inc.

Notified:  July 30, 2008 Updated:  March 12, 2009

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://support.apple.com/kb/HT3467 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks

Notified:  July 30, 2008 Updated:  April 27, 2009

Statement Date:   April 24, 2009

Status

  Vulnerable

Vendor Statement

IPv6 enabled Extreme Networks products running EXOS software are affected by this vulnerability.

This issue is being tracked by PD4-693410691 for Extreme Networks products running EXOS software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Force10 Networks, Inc.

Notified:  July 30, 2008 Updated:  September 30, 2008

Statement Date:   July 31, 2008

Status

  Vulnerable

Vendor Statement

Vendor Information

IPv6 enabled Force10 routers running FTOS are affected by this vulnerability. The issue has been identified and fixed in our release E7.7.1.1 and all future releases. For a detailed description, impact, workaround and available fix, please visit our website at https://www.force10networks.com/csportal20/KnowledgeBase/FieldAlerts.aspx to view the complete text of the Field Alert.

FreeBSD, Inc.

Notified:  July 30, 2008 Updated:  October 02, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The FreeBSD Security Team has released the FreeBSD Security Advisory FreeBSD-SA-08:10.nd6 in response to this issue.

Addendum

See http://security.freebsd.org/patches/SA-08:10/nd6-7.patch for more information.

IBM Corporation (zseries)

Notified:  July 30, 2008 Updated:  August 05, 2008

Statement Date:   July 30, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  July 30, 2008 Updated:  October 02, 2008

Statement Date:   October 02, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Juniper has posted a Security Bulletin about this issue addressing the security issues identified by VU#472363.

More information is available to registered customers at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-036&viewMode=view

NetBSD

Notified:  July 30, 2008 Updated:  October 29, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

See ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-013.txt.asc/ for more information.

OpenBSD

Notified:  July 30, 2008 Updated:  October 03, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See http://openbsd.org/errata43.html#006_ndp for more information.

Wind River Systems, Inc.

Notified:  July 30, 2008 Updated:  November 03, 2008

Statement Date:   October 31, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Wind River has analyzed VU#472363, and determined that VxWorks versions 6.5 and higher are not affected. However, VxWorks versions 5.x through 6.4 are affected. Registered users can access Wind River's online support for patches and more information by following this link:

https://portal.windriver.com/cgi-bin/windsurf/downloads/view_binary.cgi?binaryid=118544

Or contact Wind River technical support for more information:
http://windriver.com/support/

3com, Inc.

Notified:  July 30, 2008 Updated:  September 29, 2008

Statement Date:   September 26, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.

Notified:  July 30, 2008 Updated:  November 07, 2008

Status

  Not Vulnerable

Vendor Statement

This is to confirm that no Cisco products are affected by the vulnerability described in Vulnerability Note VU#472363 titled: "IPv6 implementations insecurely update Forward Information Base".

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Computer Associates

Notified:  July 30, 2008 Updated:  October 02, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Computer Associates eTrust Security Management

Notified:  July 30, 2008 Updated:  October 02, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

D-Link Systems, Inc.

Notified:  July 30, 2008 Updated:  September 29, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Debian GNU/Linux

Notified:  July 30, 2008 Updated:  October 02, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Enterasys Networks

Notified:  July 30, 2008 Updated:  September 26, 2008

Statement Date:   September 25, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Enterasys has researched CERT VU#472363 and concluded that none of the current Enterasys products are vulnerable. To ensure the highest level of security and as an extra precaution, Enterasys recommends being proactive by following network security and product configuration best practices.

F5 Networks, Inc.

Notified:  July 30, 2008 Updated:  September 18, 2008

Statement Date:   September 18, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc.

Notified:  July 30, 2008 Updated:  October 02, 2008

Statement Date:   October 01, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

McAfee

Notified:  July 30, 2008 Updated:  September 18, 2008

Statement Date:   September 18, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  July 30, 2008 Updated:  October 01, 2008

Status

  Not Vulnerable

Vendor Statement

After investigating this report, we determined this issue does not directly affect any Microsoft products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  July 30, 2008 Updated:  August 13, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Openwall GNU/*/Linux does not officially support IPv6. We do not have IPv6 support enabled in our kernels by default (nor can the corresponding kernel module possibly get auto-loaded, which would be a concern on some other Linux systems - we also do not support module auto-loading). While it is probably possible to configure an Openwall GNU/*/Linux system with a custom kernel build such that it would be vulnerable, anyone doing so is acting on his/her own.

PePLink

Notified:  July 30, 2008 Updated:  September 19, 2008

Statement Date:   September 19, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Q1 Labs

Notified:  July 30, 2008 Updated:  August 04, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga

Notified:  July 30, 2008 Updated:  July 31, 2008

Statement Date:   July 30, 2008

Status

  Not Vulnerable

Vendor Statement

Quagga is not impacted.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RadWare, Inc.

Notified:  July 30, 2008 Updated:  July 31, 2008

Statement Date:   July 31, 2008

Status

  Not Vulnerable

Vendor Statement

We are not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  July 30, 2008 Updated:  July 31, 2008

Statement Date:   July 31, 2008

Status

  Not Vulnerable

Vendor Statement

We would like to inform you that Red Hat Enterprise Linux is not affected by
this vulnerability as we never had any code that added routes in response to
ndisc solicitations.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc.

Notified:  July 30, 2008 Updated:  September 29, 2008

Statement Date:   September 26, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  July 30, 2008 Updated:  October 07, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

To the best of our knowledge Linux and therefore SUSE Linux based products are not affected by this problem.

SmoothWall

Notified:  July 30, 2008 Updated:  September 19, 2008

Statement Date:   September 19, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  July 30, 2008 Updated:  July 31, 2008

Statement Date:   July 30, 2008

Status

  Not Vulnerable

Vendor Statement

Solaris IPv6 implementation is not vulnerable to this issue.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TippingPoint, Technologies, Inc.

Notified:  July 30, 2008 Updated:  September 29, 2008

Statement Date:   September 26, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

m0n0wall

Notified:  July 30, 2008 Updated:  August 05, 2008

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

AT&T

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Alcatel-Lucent

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Barracuda Networks

Notified:  September 18, 2008 Updated:  September 18, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Borderware Technologies

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Bro

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CIAC

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Charlotte's Web Networks

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Check Point Software Technologies

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Clavister

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Conectiva Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cray Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Data Connection, Ltd.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Notified:  August 22, 2008 Updated:  August 22, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Guidance Software, Inc.

Notified:  August 22, 2008 Updated:  August 22, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hyperchip

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Filter

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Infusion, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation

Notified:  September 18, 2008 Updated:  September 18, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Security Systems, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intoto

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linux Kernel Archives

Notified:  August 22, 2008 Updated:  August 22, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Luminous Networks

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Miredo

Notified:  August 04, 2008 Updated:  August 04, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MontaVista Software, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetApp

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NextHop Technologies, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Novell, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Process Software

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure Computing Network Security Division

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secureworx, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Snort

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Soapstone Networks

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sony Corporation

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Sourcefire

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Stonesoft

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

U4EA Technologies, Inc.

Notified:  September 18, 2008 Updated:  September 18, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  July 30, 2008 Updated:  October 02, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

eSoft, Inc.

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netfilter

Notified:  July 30, 2008 Updated:  July 30, 2008

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.



CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

Acknowledgements

Thanks to David Miles for reporting this vulnerability. Numerous vendors and others also provided technical information that was used in this report.

This document was written by Ryan Giobbi, Evan Wright, Chad Dougherty, and Art Manion.

Other Information

CVE IDs: CVE-2008-4404, CVE-2008-2476
Severity Metric: 2.70
Date Public: 2008-10-02
Date First Published: 2008-10-02
Date Last Updated: 2009-04-27 12:04 UTC
Document Revision: 99

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.