Home / mailingsPDF  

FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6

Posted on 07 April 2015
FreeBSD security notificat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:09.ipv6 Security Advisory
The FreeBSD Project

Topic: Denial of Service with IPv6 Router Advertisements

Category: core
Module: ipv6
Announced: 2015-04-07
Credits: Dennis Ljungmark
Affects: All supported versions of FreeBSD.
Corrected: 2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name: CVE-2015-2923

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message, using Router Advertisement (ICMPv6 type 134).

II. Problem Description

The Neighbor Discover Protocol allows a local router to advertise a
suggested Current Hop Limit value of a link, which will replace
Current Hop Limit on an interface connected to the link on the FreeBSD
system.

III. Impact

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
may get dropped before they reached their destinations.

By sending specifically crafted Router Advertisement packets, an attacker
on the local network can cause the FreeBSD system to lose the ability to
communicate with another IPv6 node on a different network.

IV. Workaround

Only systems that are manually configured to use "accept_rtadv"
ifconfig(8) flag on an interface are affected.

The system administrator may decide to disable acceptance of Router
Advertisements from untrusted network in a per-interface basis, by
removing accept_rtadv flag at run time using ifconfig(8):

ifconfig em0 inet6 -accept_rtadv

Note that an interface does not accept Router Advertisement messages
by default even if an IPv6 address is configured. One can know
whether an interface is accepting Router Advertisement message or not
from existence of ACCEPT_RTADV in "nd6 options" line in an output of
ifconfig(8):

nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path Revision
- -------------------------------------------------------------------------
stable/8/ r281231
releng/8.4/ r281233
stable/9/ r281231
releng/9.3/ r281233
stable/10/ r281230
releng/10.1/ r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2923>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:09.ipv6.asc>

 

TOP