10 - VU#472363

Executive Summary

Summary
Title	IPv6 implementations insecurely update Forwarding Information Base

Informations
Name	VU#472363	First vendor Publication	2008-10-02
Vendor	VU-CERT	Last vendor Modification	2009-01-12
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#472363

IPv6 implementations insecurely update Forwarding Information Base

Overview

A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.

I. Description

IPv6 networks use the Neighbor Discovery Protocol (NDP) to detect and locate routers and other on-link IPv6 nodes. NDP uses ICMPv6 types 133, 134, 135, and 136. Neighbor solicitation (type 135) messages are used by NDP to discover and determine the reachability of nearby IPv6 nodes. Nodes that can send each other NDP messages are considered to be on-link (as per RFC 4861).

After receiving a neighbor solicitation request from a system that is on-link and is using a spoofed IPv6 address as the source address, a router will create a neighbor cache entry. When this entry is made, some IPv6 implementations will create a Forwarding Information Base (FIB) entry. This FIB entry may cause the router to incorrectly forward traffic to the device that sent original spoofed neighbor solicitation request.

Note that an attacker must have IPv6 connectivity to the same router as their target for this vulnerability to be exploited. Although this vulnerability has only a local attack vector (NDP messages are not forwarded by routers), flat IPv6 networks can include many hosts and may cover large geographical distances as compared to IPv4 networks.

Similar problems to this issue have been discussed in RFC 3756"IPv6 Neighbor Discovery (ND) Trust Models and Threats."

II. Impact

An attacker may be able to intercept private network traffic. Receiving the traffic may cause links to become congested or saturated due to the additional bandwidth. Administrators are encouraged to read RFC 3756 for more information about other possible vulnerabilities and impacts.

III. Solution

Consider the workarounds below and consult your vendor.

Block packets with illogical source addresses

Blocking traffic that originates from unlikely or illogical source addresses (such as addresses which are not on-link or logically part of a network assigned to an interface, such as the antispoof keyword in pf) will protect against this vulnerability. This workaround may cause unintended side-effects such as breaking some non-typical configurations. Vendors may also implement this workaround as a fix.

Use application layer encryption

Applications that use secure authentication and encryption such as https, ssh, and ipsec can mitigate this vulnerability by preventing an attacker from intercepting or parsing any data that received. Note that an attacker will probably still be able to blackhole IP addresses resulting in a local denial of service regardless of the authentication or encryption methods used. As noted in RFC 3971, it is non-trivial to use ipsec to protect the integrity of NDP messages.

Design and deploy segmented networks

In a single IPv6 prefix there are certain trust asumptions and if the same IP range is shared all clients will be considered on-link. Segmenting networks will reduce the likelihood of this and similar vulnerabilities from being exploited. Networks can be segmented by assigning unique prefixes to individual router interfaces or by using VLANs.

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Not Vulnerable	2008-07-30	2008-09-29
ACCESS	Unknown	2008-07-30	2008-07-30
Alcatel-Lucent	Unknown	2008-07-30	2008-07-30
Apple Computer, Inc.	Unknown	2008-07-30	2008-07-30
AT&T	Unknown	2008-07-30	2008-07-30
Avaya, Inc.	Unknown	2008-07-30	2008-07-30
Barracuda Networks	Unknown	2008-09-18	2008-09-18
Belkin, Inc.	Unknown	2008-07-30	2008-07-30
Borderware Technologies	Unknown	2008-07-30	2008-07-30
Bro	Unknown	2008-07-30	2008-07-30
Charlotte's Web Networks	Unknown	2008-07-30	2008-07-30
Check Point Software Technologies	Unknown	2008-07-30	2008-07-30
CIAC	Unknown	2008-07-30	2008-07-30
Cisco Systems, Inc.	Not Vulnerable	2008-07-30	2008-11-07
Clavister	Unknown	2008-07-30	2008-07-30
Computer Associates	Not Vulnerable	2008-07-30	2008-10-02
Computer Associates eTrust Security Management	Not Vulnerable	2008-07-30	2008-10-02
Conectiva Inc.	Unknown	2008-07-30	2008-07-30
Cray Inc.	Unknown	2008-07-30	2008-07-30
D-Link Systems, Inc.	Not Vulnerable	2008-07-30	2008-09-29
Data Connection, Ltd.	Unknown	2008-07-30	2008-07-30
Debian GNU/Linux	Not Vulnerable	2008-07-30	2008-10-02
DragonFly BSD Project	Unknown	2008-07-30	2008-07-30
EMC Corporation	Unknown	2008-07-30	2008-07-30
Engarde Secure Linux	Unknown	2008-07-30	2008-07-30
Enterasys Networks	Not Vulnerable	2008-07-30	2008-09-26
Ericsson	Unknown	2008-07-30	2008-07-30
eSoft, Inc.	Unknown	2008-07-30	2008-07-30
Extreme Networks	Unknown	2008-07-30	2008-07-30
F5 Networks, Inc.	Not Vulnerable	2008-07-30	2008-09-18
Fedora Project	Unknown	2008-07-30	2008-07-30
Force10 Networks, Inc.	Vulnerable	2008-07-30	2008-09-30
Fortinet, Inc.	Unknown	2008-07-30	2008-07-30
Foundry Networks, Inc.	Not Vulnerable	2008-07-30	2008-10-02
FreeBSD, Inc.	Vulnerable	2008-07-30	2008-10-02
Fujitsu	Unknown	2008-07-30	2008-07-30
Gentoo Linux	Unknown	2008-07-30	2008-07-30
Global Technology Associates	Unknown	2008-07-30	2008-07-30
Google	Unknown	2008-08-22	2008-08-22
Guidance Software, Inc.	Unknown	2008-08-22	2008-08-22
Hewlett-Packard Company	Unknown	2008-07-30	2008-07-30
Hitachi	Unknown	2008-07-30	2008-07-30
Hyperchip	Unknown	2008-07-30	2008-07-30
IBM Corporation	Unknown	2008-07-30	2008-07-30
IBM Corporation (zseries)	Vulnerable	2008-07-30	2008-08-05
IBM eServer	Unknown	2008-07-30	2008-07-30
Ingrian Networks, Inc.	Unknown	2008-07-30	2008-07-30
Intel Corporation	Unknown	2008-09-18	2008-09-18
Internet Security Systems, Inc.	Unknown	2008-07-30	2008-07-30
Intoto	Unknown	2008-07-30	2008-07-30
IP Filter	Unknown	2008-07-30	2008-07-30
IP Infusion, Inc.	Unknown	2008-07-30	2008-07-30
Juniper Networks, Inc.	Vulnerable	2008-07-30	2008-10-02
Linux Kernel Archives	Unknown	2008-08-22	2008-08-22
Luminous Networks	Unknown	2008-07-30	2008-07-30
m0n0wall	Not Vulnerable	2008-07-30	2008-08-05
Mandriva, Inc.	Unknown	2008-07-30	2008-07-30
McAfee	Not Vulnerable	2008-07-30	2008-09-18
Microsoft Corporation	Not Vulnerable	2008-07-30	2008-10-01
Miredo	Unknown	2008-08-04	2008-08-04
MontaVista Software, Inc.	Unknown	2008-07-30	2008-07-30
Multitech, Inc.	Unknown	2008-07-30	2008-07-30
NEC Corporation	Unknown	2008-07-30	2008-07-30
NetApp	Unknown	2008-07-30	2008-07-30
NetBSD	Vulnerable	2008-07-30	2008-10-29
netfilter	Unknown	2008-07-30	2008-07-30
NextHop Technologies, Inc.	Unknown	2008-07-30	2008-07-30
Nokia	Unknown	2008-07-30	2008-07-30
Nortel Networks, Inc.	Unknown	2008-07-30	2008-07-30
Novell, Inc.	Unknown	2008-07-30	2008-07-30
OpenBSD	Vulnerable	2008-07-30	2008-10-03
Openwall GNU/*/Linux	Not Vulnerable	2008-07-30	2008-08-13
PePLink	Not Vulnerable	2008-07-30	2008-09-19
Process Software	Unknown	2008-07-30	2008-07-30
Q1 Labs	Not Vulnerable	2008-07-30	2008-08-04
QNX, Software Systems, Inc.	Unknown	2008-07-30	2008-07-30
Quagga	Not Vulnerable	2008-07-30	2008-07-31
RadWare, Inc.	Not Vulnerable	2008-07-30	2008-07-31
Red Hat, Inc.	Not Vulnerable	2008-07-30	2008-07-31
Redback Networks, Inc.	Not Vulnerable	2008-07-30	2008-09-29
Secure Computing Network Security Division	Unknown	2008-07-30	2008-07-30
Secureworx, Inc.	Unknown	2008-07-30	2008-07-30
Silicon Graphics, Inc.	Unknown	2008-07-30	2008-07-30
Slackware Linux Inc.	Unknown	2008-07-30	2008-07-30
SmoothWall	Not Vulnerable	2008-07-30	2008-09-19
Snort	Unknown	2008-07-30	2008-07-30
Soapstone Networks	Unknown	2008-07-30	2008-07-30
Sony Corporation	Unknown	2008-07-30	2008-07-30
Sourcefire	Unknown	2008-07-30	2008-07-30
Stonesoft	Unknown	2008-07-30	2008-07-30
Sun Microsystems, Inc.	Not Vulnerable	2008-07-30	2008-07-31
SUSE Linux	Not Vulnerable	2008-07-30	2008-10-07
Symantec, Inc.	Unknown	2008-07-30	2008-07-30
The SCO Group	Unknown	2008-07-30	2008-07-30
TippingPoint, Technologies, Inc.	Not Vulnerable	2008-07-30	2008-09-29
Turbolinux	Unknown	2008-07-30	2008-07-30
U4EA Technologies, Inc.	Unknown	2008-09-18	2008-09-18
Ubuntu	Unknown	2008-07-30	2008-07-30
Unisys	Unknown	2008-07-30	2008-07-30
Vyatta	Unknown	2008-07-30	2008-07-30
Watchguard Technologies, Inc.	Unknown	2008-07-30	2008-07-30
Wind River Systems, Inc.	Vulnerable	2008-07-30	2008-11-03
ZyXEL	Unknown	2008-07-30	2008-10-02

References

http://tools.ietf.org/html/rfc4861
http://tools.ietf.org/html/rfc4861#section-2.1
http://www.ietf.org/rfc/rfc2461.txt
http://www.ietf.org/rfc/rfc3756.txt
http://www.ietf.org/rfc/rfc3177.txt
http://tools.ietf.org/html/rfc3971
http://docs.sun.com/app/docs/doc/817-0573/6mgc65bb6?a=view
http://msdn.microsoft.com/en-us/library/ms900123.aspx
http://en.wikipedia.org/wiki/Forwarding_Information_Base#FIBs_in_Ingress_Filtering_against_Denial_of_Service
http://en.wikipedia.org/wiki/Reverse_path_forwarding
http://www.openbsd.org/faq/pf/filter.html#antispoof

Credit

Thanks to David Miles for reporting this vulnerability. Numerous vendors and others also provided technical information that was used in this report.

This document was written by Ryan Giobbi, Evan Wright, Chad Dougherty, and Art Manion.

Other Information

Date Public:	2008-10-02
Date First Published:	2008-10-02
Date Last Updated:	2009-01-12
CERT Advisory:
CVE-ID(s):	CVE-2008-4404; CVE-2008-2476
NVD-ID(s):	CVE-2008-4404 CVE-2008-2476
US-CERT Technical Alerts:
Metric:	2.70
Document Revision:	95

Original Source

Url : http://www.kb.cert.org/vuls/id/472363

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-20	Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:5670

Oval ID:	oval:org.mitre.oval:def:5670
Title:	HP-UX Running IPv6, Remote Denial of Service (DoS) and Unauthorized Access
Description:	The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB).
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-2476	Version:	9
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02407 HP Release B.11.23 AND filesets tests OS-Core.SYS2-ADMIN is installed AND Networking.NMS2-KRN is installed AND Networking.NET-RUN-64 is installed AND OS-Core.CORE2-KRN is installed AND Networking.NET-PRG is installed AND Networking.NET-RUN is installed AND ProgSupport.C-INC is installed AND Networking.NET2-KRN is installed AND Networking.NET2-RUN is installed AND NOT Patch PHNE_37897 is installed OR Criteria meets HP Security Bulletin HPSBUX02407 HP Release B.11.11 AND filesets tests Networking.NMS2-KRN is installed AND Networking.NET-RUN-64 is installed AND OS-Core.CORE2-KRN is installed AND Networking.NET-PRG is installed AND Networking.NET-RUN is installed AND ProgSupport.C-INC is installed AND Networking.NET2-KRN is installed AND OS-Core.SYS-ADMIN is installed AND Networking.NET-KRN is installed AND OS-Core.CORE-KRN is installed AND NOT Patch PHNE_37898 is installed OR Criteria meets HP Security Bulletin HPSBUX02407 HP-UX B.11.31 AND filesets tests OS-Core.SYS2-ADMIN is installed AND Networking.NMS2-KRN is installed AND Networking.NET-RUN-64 is installed AND OS-Core.CORE2-KRN is installed AND Networking.NET-RUN is installed AND ProgSupport.C-INC is installed AND Networking.NET2-KRN is installed AND Networking.NET2-RUN is installed AND NOT Patch PHNE_38680 is installed

CPE : Common Platform Enumeration

Type	Description	Count
Os	force10 Ftos cpe:2.3:o:force10:ftos::::::::	1
Os	Freebsd cpe:2.3:o:freebsd:freebsd:7.1:-:::::: cpe:2.3:o:freebsd:freebsd:6.3:-::::::	2
Os	Ibm Zseries cpe:2.3:o:ibm:zseries::::::::	1
Os	Juniper Jnos cpe:2.3:o:juniper:jnos::::::::	1
Os	Netbsd cpe:2.3:o:netbsd:netbsd::::::::	1
Os	Openbsd cpe:2.3:o:openbsd:openbsd:4.3:::::::* cpe:2.3:o:openbsd:openbsd:4.2:::::::*	2
Os	Windriver Vxworks cpe:2.3:o:windriver:vxworks:6.4:::::::* cpe:2.3:o:windriver:vxworks:6:::::::* cpe:2.3:o:windriver:vxworks:5.5:::::::* cpe:2.3:o:windriver:vxworks:5:::::::* cpe:2.3:o:windriver:vxworks::::::::	5

OpenVAS Exploits

Date	Description
2009-05-05	Name : HP-UX Update for IPv6 HPSBUX02407 File : nvt/gb_hp_ux_HPSBUX02407.nasl
2008-10-03	Name : FreeBSD Security Advisory (FreeBSD-SA-08:10.nd6.asc) File : nvt/freebsdsa_nd6.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
52494	Apple Multiple Products IPv6 Neighbor Discovery Protocol Neighbor Solicitatio...
49407	NetBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Spoofing
48991	IBM zSeries IPv6 Neighbor Discovery Protocol Neighbor Solicitation Spoofing
48989	Juniper Multiple Products IPv6 Neighbor Discovery Protocol Neighbor Solicitat...
48745	Force10 FTOS Routers IPv6 Neighbor Discovery Protocol Neighbor Solicitation S...
48744	OpenBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Spoofing
48702	FreeBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Spoofing

Information Assurance Vulnerability Management (IAVM)

Date	Description
2008-10-09	IAVM : 2008-B-0070 - Multiple Vendors IPv6 Neighbor Discovery Protocol Spoofing Vulnerability Severity : Category II - VMSKEY : V0017557

Nessus® Vulnerability Scanner

Date	Description
2016-01-28	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL9528.nasl - Type : ACT_GATHER_INFO
2009-02-12	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_37897.nasl - Type : ACT_GATHER_INFO
2009-02-12	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_37898.nasl - Type : ACT_GATHER_INFO
2009-02-12	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHNE_38680.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2016-01-29 13:26:20	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	1
CPE ID(s)	13
osvdb(s)	7
Openvas Exploit(s)	2
IAVM(s)	1
Nessus® Exploit(s)	4

	Related
10	CVE-2008-4404
9.3	CVE-2008-2476
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)