From owner-freebsd-net@FreeBSD.ORG Fri Apr 3 09:54:02 2015 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B0C462C9 for ; Fri, 3 Apr 2015 09:54:02 +0000 (UTC) Received: from mail-ob0-f177.google.com (mail-ob0-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 749B5F1A for ; Fri, 3 Apr 2015 09:54:01 +0000 (UTC) Received: by obvd1 with SMTP id d1so166017824obv.0 for ; Fri, 03 Apr 2015 02:54:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=KTF0xwZrEgIVvNeHlB9fXgiEmVevYWiW//A3lq9kU2U=; b=loTzwGOtZ0q9aUxva9xDKhK/npuEetWxnTG4lczElaFDC3fLU3AsCVmVa8UPTmWM6v whi8DqHiJGL/xnY3m0N285zhYH4jlCMPmXCPHxZnTpIiCcPJ38pfcKLI2FE2Bk3IHQMA PE4/KuCS+rAFDkL+E8RH1oLK1pkYJeS+M9qyKJ8xD86vUGsIy0220buHCAk+0WYKXBo4 pv/tksM2UKxrLwgoZyMjypbc0ZKfNYrwTeoVgJh+b/bMvx6OoqouIF/N6PIqgahYVY4n JVRwkdd921fKmhSei0nihN59Hx3N1WYWuLRb8DlzCEAQnJEjAn6zw7lGkKyJ3gD3P24A +2SQ== X-Gm-Message-State: ALoCoQnIn53dPu3sLQL/VDCjiXVfrNg596/GXYgdluWqLMRXNk6J6oA5tb30mxvDRJVMM89tbBUm MIME-Version: 1.0 X-Received: by 10.182.125.130 with SMTP id mq2mr2036134obb.52.1428054841071; Fri, 03 Apr 2015 02:54:01 -0700 (PDT) Received: by 10.76.151.104 with HTTP; Fri, 3 Apr 2015 02:54:01 -0700 (PDT) In-Reply-To: <942E0C08-E883-429E-9F27-22715C00B684@netgate.com> References: <942E0C08-E883-429E-9F27-22715C00B684@netgate.com> Date: Fri, 3 Apr 2015 11:54:01 +0200 Message-ID: Subject: Re: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages From: "D.S. Ljungmark" To: Jim Thompson Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: Eitan Adler , oss-security@lists.openwall.com, FreeBSD Security Team , "freebsd-net@freebsd.org" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2015 09:54:02 -0000 On Fri, Apr 3, 2015 at 6:06 AM, Jim Thompson wrote: > have you considered that there might not be a relevant patch because Free= BSD=E2=80=99s implementation isn=E2=80=99t affected? sys/netinet6/nd6_rtr.c 300 if (nd_ra->nd_ra_curhoplimit) 301 ndi->chlim =3D nd_ra->nd_ra_curhoplimit; The only "OUT" in that function I see are tests for: Not accepting RA hoplimit on current packet !=3D 255 not link-local No extended ipv6 header Based on previous testing ( early March 2015), and reading of the source, I say that FreeBSD is vulnerable. Regards, D.S. Ljungmark > > Jim > >> On Apr 2, 2015, at 9:15 PM, Eitan Adler wrote: >> >> + FreeBSD lists since I haven't seen any relevant patches (although I >> might have missed them). >> >> ---------- Forwarded message ---------- >> From: D.S. Ljungmark >> Date: 2 April 2015 at 10:19 >> Subject: [oss-security] CVE Request : IPv6 Hop limit lowering via RA mes= sages >> To: oss-security@lists.openwall.com >> >> >> An unprivileged user on a local network can use IPv6 Neighbour >> Discovery ICMP to broadcast a non-route with a low hop limit, this >> causing machines to lower the hop limit on existing IPv6 routes. >> >> Linux Patch: http://www.spinics.net/lists/netdev/msg322361.html >> Redhat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=3D1203712 >> >> Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel >> >> >> Regards, >> D.S. Ljungmark >> >> >> -- >> Eitan Adler >> _______________________________________________ >> freebsd-net@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >