Date: Fri, 3 Apr 2015 13:57:02 +0400
Subject: Re: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
From: Loganaden Velvindron
To: oss-security@lists.openwall.com
Cc: Eitan Adler, Jim Thompson, FreeBSD Security Team, "freebsd-net@freebsd.org"
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Apr 3, 2015 at 1:54 PM, D.S. Ljungmark wrote:
> On Fri, Apr 3, 2015 at 6:06 AM, Jim Thompson wrote:
>> have you considered that there might not be a relevant patch because FreeBSD’s implementation isn’t affected?
>
> sys/netinet6/nd6_rtr.c
>
> 300 if (nd_ra->nd_ra_curhoplimit)
> 301         ndi->chlim = nd_ra->nd_ra_curhoplimit;
>
> The only "OUT" in that function I see are tests for:
> Not accepting RA
> hoplimit on current packet != 255
> not link-local
> No extended ipv6 header

It is vulnerable. Harrison Grundy and I worked on a patch, and sent it
to secteam@.

>
>
> Based on previous testing (early March 2015), and reading of the
> source, I say that FreeBSD is vulnerable.
>
>
> Regards,
> D.S. Ljungmark
>
>
>>
>> Jim
>>
>>> On Apr 2, 2015, at 9:15 PM, Eitan Adler wrote:
>>>
>>> + FreeBSD lists since I haven't seen any relevant patches (although I
>>> might have missed them).
>>>
>>> ---------- Forwarded message ----------
>>> From: D.S. Ljungmark
>>> Date: 2 April 2015 at 10:19
>>> Subject: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
>>> To: oss-security@lists.openwall.com
>>>
>>>
>>> An unprivileged user on a local network can use IPv6 Neighbour
>>> Discovery ICMP to broadcast a non-route with a low hop limit, this
>>> causing machines to lower the hop limit on existing IPv6 routes.
>>>
>>> Linux Patch: http://www.spinics.net/lists/netdev/msg322361.html
>>> Redhat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1203712
>>>
>>> Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel
>>>
>>>
>>> Regards,
>>> D.S. Ljungmark
>>>
>>>
>>> --
>>> Eitan Adler
>>

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
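
The hop limit update quoted in this thread from sys/netinet6/nd6_rtr.c, modelled in user space beside one possible hardened form. This is an added example, not part of the original message and not the patch sent to secteam@. `struct ifinfo6`, `ra_chlim_unchecked`, `ra_chlim_checked`, `replay` and the floor `MIN_RA_HOPLIMIT` are hypothetical names and values chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy floor (hypothetical value): lower advertised limits are ignored. */
#define MIN_RA_HOPLIMIT 32

/* Stand-in for the per-interface ND state; only the hop limit is modelled. */
struct ifinfo6 {
    uint8_t chlim;
};

/* Behaviour quoted in the thread: any non-zero Cur Hop Limit is taken as-is. */
static void ra_chlim_unchecked(struct ifinfo6 *ndi, uint8_t ra_curhoplimit)
{
    if (ra_curhoplimit)
        ndi->chlim = ra_curhoplimit;
}

/* Hardened variant: 0 means "unspecified" (RFC 4861); values under the floor
 * are dropped. Returns 1 if chlim was updated, 0 if the value was ignored. */
static int ra_chlim_checked(struct ifinfo6 *ndi, uint8_t ra_curhoplimit)
{
    if (ra_curhoplimit == 0 || ra_curhoplimit < MIN_RA_HOPLIMIT)
        return 0;
    ndi->chlim = ra_curhoplimit;
    return 1;
}

/* Feed a sequence of advertised values through one variant; return final chlim. */
static uint8_t replay(int checked, uint8_t start, const uint8_t *ra, size_t n)
{
    struct ifinfo6 ndi = { .chlim = start };
    for (size_t i = 0; i < n; i++) {
        if (checked)
            (void)ra_chlim_checked(&ndi, ra[i]);
        else
            ra_chlim_unchecked(&ndi, ra[i]);
    }
    return ndi.chlim;
}

int main(void)
{
    /* Constructed sample: unspecified, a normal router value, then a forged low value. */
    const uint8_t ra[] = { 0, 64, 1 };
    printf("unchecked: %u\n", (unsigned)replay(0, 64, ra, 3));
    printf("checked:   %u\n", (unsigned)replay(1, 64, ra, 3));
    return 0;
}
```

With the unchecked update the interface ends at a hop limit of 1 after the last advertisement, while the checked variant stays at 64 and still accepts legitimate increases.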