From owner-freebsd-security@FreeBSD.ORG Thu Apr 26 23:49:48 2007
Date: Thu, 26 Apr 2007 23:49:48 GMT
Message-Id: <200704262349.l3QNnmro085350@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:03.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Routing Header 0 is dangerous

Category:       core
Module:         ipv6
Announced:      2007-04-26
Credits:        Philippe Biondi, Arnaud Ebalard, Jun-ichiro itojun Hagino
Affects:        All FreeBSD releases.
Corrected:      2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
                2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
                2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
                2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
                2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
CVE Name:       CVE-2007-2242

I.   Background

IPv6 provides a routing header option which allows a packet sender to
indicate how the packet should be routed, overriding the routing knowledge
present in a network.  This functionality is roughly equivalent to the
"source routing" option in IPv4.  All nodes in an IPv6 network -- both
routers and hosts -- are required by RFC 2640 to process such headers.

II.  Problem Description

There is no mechanism for preventing IPv6 routing headers from being used
to route packets over the same link(s) many times.

III. Impact

An attacker can "amplify" a denial of service attack against a link between
two vulnerable hosts; that is, by sending a small volume of traffic the
attacker can consume a much larger amount of bandwidth between the two
vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service
attack against a victim host or network; that is, a set of packets sent
over a period of 30 seconds or more could be constructed such that they
all arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: The solution described below causes IPv6 type 0 routing headers
to be ignored.  Support for IPv6 type 0 routing headers can be re-enabled
if required by setting the newly added net.inet6.ip6.rthdr0_allowed sysctl
to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/sys/netinet6/in6.h                                         1.35.2.5
  src/sys/netinet6/in6_proto.c                                   1.29.2.5
  src/sys/netinet6/route6.c                                      1.10.4.2
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.12
  src/sys/conf/newvers.sh                                  1.62.2.21.2.14
  src/sys/netinet6/in6.h                                     1.35.2.3.2.1
  src/sys/netinet6/in6_proto.c                               1.29.2.4.2.1
  src/sys/netinet6/route6.c                                  1.10.4.1.4.1
RELENG_6
  src/sys/netinet6/in6.h                                         1.36.2.8
  src/sys/netinet6/in6_proto.c                                   1.32.2.6
  src/sys/netinet6/route6.c                                      1.11.2.2
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.7
  src/sys/conf/newvers.sh                                   1.69.2.13.2.7
  src/sys/netinet6/in6.h                                     1.36.2.7.2.1
  src/sys/netinet6/in6_proto.c                               1.32.2.5.2.1
  src/sys/netinet6/route6.c                                  1.11.2.1.4.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.18
  src/sys/conf/newvers.sh                                  1.69.2.11.2.18
  src/sys/netinet6/in6.h                                     1.36.2.6.2.1
  src/sys/netinet6/in6_proto.c                               1.32.2.4.2.1
  src/sys/netinet6/route6.c                                  1.11.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2242

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:03.ipv6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD4DBQFGMTlvFdaIBMps37IRApu3AJYsifWIDLcyxNcMdnkvw4nBqXFoAJ43+IzB
M5sIdCmLQABByFlbMB2BjQ==
=OrNf
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Fri Apr 27 05:55:04 2007
Date: Fri, 27 Apr 2007 14:31:56 +0900 (JST)
Message-Id: <20070427.143156.87001849.y-koga@jp.FreeBSD.org>
From: Koga Youichirou
To: freebsd-security@freebsd.org
In-Reply-To: <200704262349.l3QNnmro085350@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6

> =============================================================================
> FreeBSD-SA-07:03.ipv6                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          IPv6 Routing Header 0 is dangerous

- snip -

> I.   Background
>
> IPv6 provides a routing header option which allows a packet sender to
> indicate how the packet should be routed, overriding the routing knowledge
> present in a network.  This functionality is roughly equivalent to the
> "source routing" option in IPv4.  All nodes in an IPv6 network -- both
> routers and hosts -- are required by RFC 2640 to process such headers.

s/RFC 2640/RFC 2460/

Regards,

-- Koga, Youichirou

From owner-freebsd-security@FreeBSD.ORG Sat Apr 28 01:12:11 2007
Date: Fri, 27 Apr 2007 17:05:50 -0700
Message-id: <46328FDE.1010006@freebsd.org>
From: Colin Percival
To: Koga Youichirou
Cc: freebsd-security@freebsd.org
In-reply-to: <20070427.143156.87001849.y-koga@jp.FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6

Koga Youichirou wrote:
>> =============================================================================
>> FreeBSD-SA-07:03.ipv6                                       Security Advisory
>>                                                           The FreeBSD Project
>> IPv6 provides a routing header option which allows a packet sender to
>> indicate how the packet should be routed, overriding the routing knowledge
>> present in a network.  This functionality is roughly equivalent to the
>> "source routing" option in IPv4.  All nodes in an IPv6 network -- both
>> routers and hosts -- are required by RFC 2640 to process such headers.
>
> s/RFC 2640/RFC 2460/

Oops...
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sat Apr 28 22:02:32 2007
Date: Sat, 28 Apr 2007 17:34:33 -0400
Message-ID: <4633BDE9.7080103@yahoo.com>
From: Peter Thoenen
To: freebsd-security@freebsd.org
In-Reply-To: <200704262349.l3QNnmro085350@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6

Umm maybe it's just but I fail to see why this is a security advisory
(initially caught this on the OBSD list).

You are following the RFC .. if you don't like "evil" packets, then drop
them at the firewall or router layer ... don't see the need for an OS fix.
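
Added example (not part of the mailing-list thread and not FreeBSD's route6.c): a C check that a packet filter or capture tool could use to find a type 0 routing header anywhere in the extension-header chain and to count how often one address is listed, which is the "same link(s) many times" condition from the advisory. The names rh0_info, rh0_inspect and rh0_sample are made up for this example, and the sample packet is constructed from documentation addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { IP6_HDRLEN = 40, NH_HOPOPTS = 0, NH_ROUTING = 43, NH_DSTOPTS = 60 };

/* found: RH0 present; segleft: Segments Left; naddrs: addresses listed;
 * max_repeat: most times one address is listed (> 1: path revisits a node) */
struct rh0_info { int found, segleft, naddrs, max_repeat; };

/* Walk the extension headers of a raw IPv6 packet (Fragment/AH/ESP are not
 * followed). Returns 0 on success, -1 if truncated or malformed. */
int rh0_inspect(const uint8_t *pkt, size_t len, struct rh0_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];                 /* Next Header of the fixed header */
    size_t off = IP6_HDRLEN;
    while (nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS) {
        if (len - off < 8 || ((size_t)pkt[off + 1] + 1) * 8 > len - off)
            return -1;                   /* Hdr Ext Len runs past the buffer */
        if (nh == NH_ROUTING && pkt[off + 2] == 0) {   /* Routing Type 0 */
            const uint8_t *a = pkt + off + 8;          /* 16-byte addresses */
            if (pkt[off + 1] % 2 || pkt[off + 3] > pkt[off + 1] / 2)
                return -1;               /* odd length or segleft > naddrs */
            out->found = 1;
            out->segleft = pkt[off + 3];
            out->naddrs = pkt[off + 1] / 2;
            for (int i = 0; i < out->naddrs; i++) {
                int n = 0;
                for (int j = 0; j < out->naddrs; j++)
                    n += !memcmp(a + 16 * i, a + 16 * j, 16);
                if (n > out->max_repeat)
                    out->max_repeat = n;
            }
            return 0;
        }
        nh = pkt[off];                   /* this header's Next Header field */
        off += ((size_t)pkt[off + 1] + 1) * 8;
    }
    return 0;
}

/* Constructed sample: RH0 listing 2001:db8::1, 2001:db8::2, 2001:db8::1. */
const uint8_t rh0_sample[96] = {
    [0] = 0x60, [5] = 56, [6] = NH_ROUTING, [40] = 59, [41] = 6, [43] = 3,
    [48] = 0x20, 0x01, 0x0d, 0xb8, [63] = 1,
    [64] = 0x20, 0x01, 0x0d, 0xb8, [79] = 2,
    [80] = 0x20, 0x01, 0x0d, 0xb8, [95] = 1,
};
```

A filter built on this would drop or log when found is set; on a patched FreeBSD host the equivalent switch is the net.inet6.ip6.rthdr0_allowed sysctl named in the advisory.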