Executive Summary

Summary
Title: IPv6 Type 0 Route Headers allow sender to control routing
Information
Name: VU#267289
First vendor Publication: 2007-06-01
Vendor: VU-CERT
Last vendor Modification: 2007-06-26
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score: 7.8
Attack Range: Network
Cvss Impact Score: 6.9
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#267289

IPv6 Type 0 Route Headers allow sender to control routing

Overview

IPv6 Type 0 Route Headers allow the sender to control packet routing. This vulnerability may allow an attacker to cause a denial-of-service condition.

I. Description

Routing header options provided by IPv6 allow packet senders to indicate specific nodes through which the packet should travel. Note that a node is defined as any device that implements IPv6, which includes hosts as well as routing devices. According to FreeBSD-SA-07:03.ipv6:

    An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts.

    An attacker can use vulnerable hosts to "concentrate" a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less.

II. Impact

This condition can facilitate a number of different impacts including packet amplification, bypassing filtering devices, denial of service, and defeating IPv6 Anycast.
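
To recognise the packets described above in a capture or on a sensor, the IPv6 extension-header chain has to be walked until a Routing header (Next Header 43) with Routing Type 0 is found. The following is an added example, not part of the CERT note or of any vendor's code; `find_rh0` and `sample_packet` are hypothetical names and the sample packet is constructed from documentation addresses.

```python
import ipaddress
import struct

# IPv6 Next Header values for the extension headers walked here (RFC 2460).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59

def find_rh0(packet: bytes):
    """Return (segments_left, [hop addresses]) for a Type 0 Routing header,
    or None if the packet has none. Raises ValueError on malformed input."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, hdr_ext_len = packet[offset], packet[offset + 1]
        # The Fragment header is a fixed 8 bytes; the others are (Hdr Ext Len + 1) * 8.
        length = 8 if next_header == FRAGMENT else (hdr_ext_len + 1) * 8
        if offset + length > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ROUTING and packet[offset + 2] == 0:
            if hdr_ext_len % 2:
                raise ValueError("RH0 length is not a whole number of addresses")
            # RH0 layout: 4 fixed bytes, 4 reserved bytes, then 16-byte addresses.
            hops = [str(ipaddress.IPv6Address(packet[i:i + 16]))
                    for i in range(offset + 8, offset + length, 16)]
            return packet[offset + 3], hops
        if next_header == FRAGMENT:
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset:  # later fragments carry payload bytes, not headers
                return None
        next_header, offset = following, offset + length
    return None

def sample_packet(routing_type: int) -> bytes:
    """Constructed test packet (documentation addresses, no upper-layer payload)."""
    hops = [ipaddress.IPv6Address(a).packed for a in ("2001:db8::a", "2001:db8::b")]
    rh = bytes([NO_NEXT, 2 * len(hops), routing_type, len(hops)]) + bytes(4) + b"".join(hops)
    base = struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64)
    base += ipaddress.IPv6Address("2001:db8::1").packed
    base += ipaddress.IPv6Address("2001:db8::2").packed
    return base + rh

if __name__ == "__main__":
    print(find_rh0(sample_packet(0)))   # Type 0: flagged
    print(find_rh0(sample_packet(2)))   # other routing type: not flagged
```

The Segments Left value and the listed addresses are the intermediate nodes the sender has asked the packet to visit, which is the property the note describes.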

III. Solution

Update

See the systems affected portion of this document for information about updates for specific vendors.

Systems Affected

Vendor | Status | Date Updated
3com, Inc. | Unknown | 9-May-2007
Alcatel | Unknown | 9-May-2007
Apple Computer, Inc. | Vulnerable | 21-Jun-2007
AT&T | Unknown | 9-May-2007
Avaya, Inc. | Unknown | 9-May-2007
Avici Systems, Inc. | Unknown | 9-May-2007
Borderware Technologies | Unknown | 9-May-2007
Charlotte's Web Networks | Unknown | 9-May-2007
Check Point Software Technologies | Unknown | 9-May-2007
Chiaro Networks, Inc. | Unknown | 9-May-2007
Cisco Systems, Inc. | Vulnerable | 15-May-2007
Clavister | Unknown | 9-May-2007
Computer Associates | Unknown | 9-May-2007
Cray Inc. | Unknown | 9-May-2007
D-Link Systems, Inc. | Unknown | 9-May-2007
Data Connection, Ltd. | Unknown | 9-May-2007
EMC, Inc. (formerly Data General Corporation) | Unknown | 9-May-2007
Ericsson | Unknown | 9-May-2007
eSoft, Inc. | Unknown | 9-May-2007
Extreme Networks | Unknown | 9-May-2007
F5 Networks, Inc. | Unknown | 9-May-2007
Force10 Networks, Inc. | Unknown | 9-May-2007
Fortinet, Inc. | Unknown | 9-May-2007
Foundry Networks, Inc. | Unknown | 9-May-2007
FreeBSD, Inc. | Vulnerable | 14-May-2007
Fujitsu | Vulnerable | 15-Jun-2007
Global Technology Associates | Unknown | 9-May-2007
Hewlett-Packard Company | Unknown | 9-May-2007
Hitachi | Vulnerable | 14-May-2007
Hyperchip | Unknown | 9-May-2007
IBM Corporation | Unknown | 9-May-2007
IBM Corporation (zseries) | Unknown | 9-May-2007
IBM eServer | Unknown | 9-May-2007
Ingrian Networks, Inc. | Unknown | 9-May-2007
Intel Corporation | Unknown | 9-May-2007
Internet Initiative Japan | Vulnerable | 14-May-2007
Internet Security Systems, Inc. | Unknown | 9-May-2007
Intoto | Unknown | 9-May-2007
IP Filter | Unknown | 9-May-2007
Juniper Networks, Inc. | Unknown | 9-May-2007
Linksys (A division of Cisco Systems) | Unknown | 9-May-2007
Lucent Technologies | Unknown | 9-May-2007
Luminous Networks | Unknown | 9-May-2007
Microsoft Corporation | Unknown | 9-May-2007
MontaVista Software, Inc. | Unknown | 9-May-2007
Multinet (owned Process Software Corporation) | Unknown | 9-May-2007
Multitech, Inc. | Unknown | 9-May-2007
NEC Corporation | Vulnerable | 15-Jun-2007
NetBSD | Unknown | 9-May-2007
netfilter | Unknown | 9-May-2007
Network Appliance, Inc. | Unknown | 9-May-2007
NextHop Technologies, Inc. | Unknown | 9-May-2007
Nokia | Unknown | 9-May-2007
Nortel Networks, Inc. | Unknown | 9-May-2007
Novell, Inc. | Not Vulnerable | 17-May-2007
OpenBSD | Vulnerable | 14-May-2007
QNX, Software Systems, Inc. | Unknown | 9-May-2007
Red Hat, Inc. | Vulnerable | 17-May-2007
Redback Networks, Inc. | Unknown | 9-May-2007
Riverstone Networks, Inc. | Unknown | 9-May-2007
rPath | Vulnerable | 21-Jun-2007
Secure Computing Network Security Division | Vulnerable | 15-Jun-2007
Secureworx, Inc. | Unknown | 9-May-2007
Silicon Graphics, Inc. | Unknown | 9-May-2007
Sony Corporation | Unknown | 9-May-2007
Stonesoft | Unknown | 9-May-2007
Sun Microsystems, Inc. | Vulnerable | 17-May-2007
Symantec, Inc. | Unknown | 9-May-2007
The SCO Group | Unknown | 9-May-2007
Unisys | Unknown | 9-May-2007
Watchguard Technologies, Inc. | Unknown | 9-May-2007
Wind River Systems, Inc. | Unknown | 9-May-2007
ZyXEL | Unknown | 9-May-2007

References


http://secunia.com/advisories/24978/
http://openbsd.org/errata40.html#012_route6
http://secunia.com/advisories/25033/
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
http://secunia.com/advisories/25068/
http://www.ietf.org/rfc/rfc2460.txt
http://docs.info.apple.com/article.html?artnum=305712
http://secunia.com/advisories/25770/

Credit

This vulnerability was reported by Philippe Biondi and Arnaud Ebalard of EADS Innovation Works — IW/SE/CS, IT Sec lab, Suresnes, France at CanSecWest 2007.

This document was written by Chris Taschner.

Other Information

Date Public: 04/24/2007
Date First Published: 06/13/2007 02:13:21 PM
Date Last Updated: 06/26/2007
CERT Advisory:
CVE Name: CVE-2007-2242
Metric: 11.03
Document Revision: 33

Original Source

Url : http://www.kb.cert.org/vuls/id/267289

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22576
 
Oval ID: oval:org.mitre.oval:def:22576
Title: ELSA-2007:0347: kernel security and bug fix update (Important)
Description: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Family: unix Class: patch
Reference(s): ELSA-2007:0347-01, CVE-2007-1496, CVE-2007-1497, CVE-2007-1592, CVE-2007-1861, CVE-2007-2172, CVE-2007-2242
Version: 29
Platform(s): Oracle Linux 5
Product(s): kernel
Definition Synopsis:

Definition Id: oval:org.mitre.oval:def:9574

Oval ID: oval:org.mitre.oval:def:9574
Title: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Description: The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2242
Version: 5
Platform(s): Red Hat Enterprise Linux 5, CentOS Linux 5, Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1

OpenVAS Exploits

Date Description
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-04-09 Name : Mandriva Update for kernel MDKSA-2007:171 (kernel)
File : nvt/gb_mandriva_MDKSA_2007_171.nasl
2009-03-23 Name : Ubuntu Update for linux-source-2.6.17 vulnerabilities USN-486-1
File : nvt/gb_ubuntu_USN_486_1.nasl
2009-03-23 Name : Ubuntu Update for linux-source-2.6.15 vulnerabilities USN-508-1
File : nvt/gb_ubuntu_USN_508_1.nasl
2009-02-27 Name : Fedora Update for kernel FEDORA-2007-482
File : nvt/gb_fedora_2007_482_kernel_fc6.nasl
2009-02-27 Name : Fedora Update for kernel FEDORA-2007-483
File : nvt/gb_fedora_2007_483_kernel_fc5.nasl
2009-01-28 Name : SuSE Update for kernel SUSE-SA:2007:051
File : nvt/gb_suse_2007_051.nasl
2008-09-04 Name : FreeBSD Security Advisory (FreeBSD-SA-07:03.ipv6.asc)
File : nvt/freebsdsa_ipv61.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
35303 Multiple OS IPv6 Type 0 Route Headers DoS

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0347.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20070516_kernel_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-05-17 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_kernel-4186.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0347.nasl - Type : ACT_GATHER_INFO
2008-02-01 Name : The remote openSUSE host is missing a security update.
File : suse_kernel-4929.nasl - Type : ACT_GATHER_INFO
2007-12-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_kernel-4185.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-486-1.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-508-1.nasl - Type : ACT_GATHER_INFO
2007-10-17 Name : The remote openSUSE host is missing a security update.
File : suse_kernel-3760.nasl - Type : ACT_GATHER_INFO
2007-10-17 Name : The remote SuSE system is missing the security patch kernel-4193.
File : suse_kernel-4193.nasl - Type : ACT_GATHER_INFO
2007-09-03 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2007-171.nasl - Type : ACT_GATHER_INFO
2007-06-21 Name : The remote host is missing a Mac OS X update which fixes a security issue.
File : macosx_10_4_10.nasl - Type : ACT_GATHER_INFO
2007-05-25 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0347.nasl - Type : ACT_GATHER_INFO
2007-05-02 Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-482.nasl - Type : ACT_GATHER_INFO
2007-05-02 Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-483.nasl - Type : ACT_GATHER_INFO