From: Steven Chamberlain
Date: Fri, 19 Oct 2012 23:00:17 +0100
To: freebsd-net@freebsd.org
Cc: Moritz Muehlenhoff, 690986@bugs.debian.org, 690986-forwarded@bugs.debian.org
Subject: Debian Bug#690986: CVE-2012-5363 CVE-2012-5365
Message-ID: <5081CD71.2050709@pyro.eu.org>
In-Reply-To: <20121019193436.5031.87058.reportbug@pisco.westfalen.local>

Hi,

On 19/10/12 20:34, Moritz Muehlenhoff wrote:
> Two security issues were found in the kfreebsd network stack:
> http://www.openwall.com/lists/oss-security/2012/10/10/8
> Issue #1 was assigned CVE-2012-5363
> Issue #2 was assigned CVE-2012-5365

Thank you for mentioning it.

Issue #2 seems similar to CVE-2011-2393, which I assumed was only relevant where we'd set net.inet6.ip6.accept_rtadv=1, which isn't the upstream FreeBSD default.

Issue #1 however might affect any FreeBSD system acting as an IPv6 router. If this can actually be confirmed, then the worst case I can imagine, is if a FreeBSD box acts as an IPv6 router for multiple interfaces, perhaps serving different users; any one of them might flood with Neighbour Solicitations on their local link and create a DoS affecting other interfaces.

I found some code committed to OpenBSD (in 2008, uh-oh), supposedly from KAME (but I can't find it in their repository?), implementing per-interface and global limits on the number of prefixes/routes accepted via RA. I imagine that's the best way to avoid some or all of these issues.

> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6_proto.c?sortby=date#rev1.56

Just recently it seems this was also committed to NetBSD HEAD: "4 new sysctls to avoid ipv6 DoS attacks from OpenBSD".

I don't know of an easier way to link to a whole CVS commit, but here are (hopefully all) the changes to individual files:

> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_input.c.diff?r1=1.138&r2=1.139&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_var.h.diff?r1=1.58&r2=1.59&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.c.diff?r1=1.142&r2=1.143&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.h.diff?r1=1.56&r2=1.57&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.96&r2=1.97&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_var.h.diff?r1=1.64&r2=1.65&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6_rtr.c.diff?r1=1.82&r2=1.83&sortby=date&only_with_tag=MAIN

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
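
Added example, not part of the original message and not the OpenBSD or NetBSD code it links to: a small C model of the mitigation the message describes, per-interface and global limits on prefixes learned from Router Advertisements, with lifetime expiry. The table layout, function names and limit values are hypothetical, and the flood input is constructed.

```c
/* Added illustration, not OpenBSD/NetBSD/FreeBSD code; names and limits are hypothetical. */
#include <stdint.h>
#include <string.h>
#define NIFS            4   /* interfaces in this model */
#define MAX_IF_PREFIXES 16  /* per-interface limit */
#define MAX_PREFIXES    48  /* global limit: the table never grows */

struct pfx { uint8_t addr[16], len, ifidx, used; uint64_t expire; };
struct pfx_table { struct pfx e[MAX_PREFIXES]; unsigned per_if[NIFS], refused[NIFS]; };

/* Handle one RA prefix option; returns 1 if stored or refreshed, 0 if refused. */
int pfx_learn(struct pfx_table *t, unsigned ifidx, const uint8_t addr[16],
              uint8_t len, uint64_t now, uint32_t lifetime)
{
    struct pfx *slot = NULL;
    if (ifidx >= NIFS) return 0;
    for (struct pfx *p = t->e; p < t->e + MAX_PREFIXES; p++) {
        if (p->used && p->expire <= now) {   /* lifetime over: free the slot */
            t->per_if[p->ifidx]--;
            p->used = 0;
        }
        if (!p->used) { slot = slot ? slot : p; continue; }  /* first free slot */
        if (p->ifidx == ifidx && p->len == len && !memcmp(p->addr, addr, 16)) {
            p->expire = now + lifetime;      /* known prefix: refresh, no new slot */
            return 1;
        }
    }
    if (!slot || t->per_if[ifidx] >= MAX_IF_PREFIXES) {
        t->refused[ifidx]++;                 /* per-link counter, useful for alerting */
        return 0;
    }
    memcpy(slot->addr, addr, 16);
    slot->len = len; slot->ifidx = (uint8_t)ifidx;
    slot->used = 1; slot->expire = now + lifetime;
    t->per_if[ifidx]++;
    return 1;
}

/* Constructed input: n RAs on one link, each advertising a distinct /64. */
unsigned pfx_flood(struct pfx_table *t, unsigned ifidx, unsigned n, uint64_t now)
{
    uint8_t a[16] = { 0x20, 0x01, 0x0d, 0xb8 };  /* 2001:db8::/32 documentation range */
    unsigned stored = 0;
    for (unsigned i = 0; i < n; i++) {
        a[6] = (uint8_t)(i >> 8); a[7] = (uint8_t)i;
        stored += (unsigned)pfx_learn(t, ifidx, a, 64, now, 600);
    }
    return stored;
}
```

In this model 1000 distinct prefixes arriving on interface 0 occupy only its 16 slots, so interface 1 can still learn its own; once all 48 slots are in use, new prefixes on any link are refused until lifetimes expire.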