[LAC-TF] IPv6 fragmentation, again (Fwd: RE: [Full-disclosure] Remote system freeze thanks to Kaspersky Internet Security 2013 (SA52053))

Juan Antonio Matos jmatos at idac.gov.do
Wed Mar 6 00:16:43 BRT 2013


In the Dominican Republic, we call people who tend to be right about the things they predict or say a "salami".

In this case, with the draft on Predictable Fragment Identification Values, you became a "salami".

Let's hope 6man finally takes it on as a WG item.

Good Job Fernando!


Juan Antonio Matos

P.S. I would like to see the faces of those who treated the topic with skepticism. =)


-----Original Message-----
From: Fernando Gont <fernando at gont.com.ar>
Sender: <lactf-bounces at lacnic.net>
Date: Tue, 5 Mar 2013 19:44:22
To: Lista para discusión de seguridad en redes y sistemas informaticos de la región<seguridad at lacnic.net>
Reply-To: <lactf at lac.ipv6tf.org>
Cc: lactf at lac.ipv6tf.org<lactf at lac.ipv6tf.org>
Subject: [LAC-TF] IPv6 fragmentation, again (Fwd: RE: [Full-disclosure] Remote
 system freeze thanks to Kaspersky Internet Security 2013 (SA52053))


Someone of not very good reputation ;-) once said this maxim: "You can
get more things with a kind word and a gun, than with a kind word
alone". :-)

-------- Original Message --------
From: Vulnerability Mailbox <Vulnerability at kaspersky.com>
To: Marc Heuse (mh at mh-sec.de) <mh at mh-sec.de>,  bugtraq at securityfocus.com
<bugtraq at securityfocus.com>,  vuln at secunia.com <vuln at secunia.com>
CC: noloader at gmail.com <noloader at gmail.com>,  Full Disclosure
<full-disclosure at lists.grok.org.uk>,  IPv6 Hackers Mailing List
<ipv6hackers at lists.si6networks.com>,  Vulnerability Mailbox
<Vulnerability at kaspersky.com>
Subject: RE: [Full-disclosure] Remote system freeze thanks to Kaspersky
Date: Tue, 5 Mar 2013 13:04:33 +0000
Message-ID: <F7B4DB06AE107245994FAF8527EAB9331DF2B79B at HQMailDAG1.avp.ru>

Hello, Marc, colleagues,
We confirm that a bug that could result in a system freeze existed in the kneps
system driver. A private fix is available right now; a patch via automatic
product update is pending release.

Best regards,

Vulnerability response | Kaspersky Lab
tel: +7 495 7978700 | Vulnerability at kaspersky.com
Olimpia Park, bld.3, 39A, Lengradskoe sh., Moscow, Russia, 125212 |
www.kaspersky.com,  www.securelist.com

-----Original Message-----
From: Jeffrey Walton [mailto:noloader at gmail.com]
Sent: Monday, March 04, 2013 10:04 AM
To: Vulnerability Mailbox; Vulnerability Mailbox
Subject: Fwd: [Full-disclosure] Remote system freeze thanks to Kaspersky
Internet Security 2013

---------- Forwarded message ----------
From: Marc Heuse < >
Date: Mon, Mar 4, 2013 at 1:01 AM
Subject: [Full-disclosure] Remote system freeze thanks to Kaspersky
Internet Security 2013
To: "bugtraq at securityfocus.com" < >, Full Disclosure
<full-disclosure at lists.grok.org.uk>, IPv6 Hackers Mailing List
<ipv6hackers at lists.si6networks.com>

I usually do not write security advisories unless absolutely necessary.

This time I should, however I have neither the time, nor the desire to
do so.
But Kaspersky did not react, so ... quick and dirty:

Kaspersky Internet Security 2013 (and any other Kaspersky product which
includes the firewall functionality) is susceptible to a remote system
As of the 3rd March 2013, the bug is still unfixed.

If IPv6 connectivity to a victim is possible (which is always the case
on local networks), a fragmented packet with multiple but one large
extension header leads to a complete freeze of the operating system.
No log message or warning window is generated, nor is the system able to
perform any task.

To test:
  1. download the thc-ipv6 IPv6 protocol attack suite for Linux from
  2. compile the tools with "make"
  3. run the following tool on the target:
        firewall6 <interface> <target> <port> 19
     where interface is the network interface (e.g. eth0)
           target is the IPv6 address of the victim (e.g. ff02::1)
           port is any tcp port, doesn't matter which (e.g. 80)
       and 19 is the test case number.
     The test case numbers 18, 19, 20 and 21 lead to a remote system freeze.

Solution: Remove the Kaspersky Anti-Virus NDIS 6 Filter from all network
interfaces or uninstall the Kaspersky software until a fix is provided.

The bug was reported to Kaspersky first on the 21st January 2013, then
reminded on the 14th February 2013.
No feedback was given by Kaspersky, and the reminder contained a warning
that without feedback the bug would be disclosed on this day. So here we

Marc Heuse

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A


Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
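
Added example, not part of the original thread and not taken from thc-ipv6 or Kaspersky: a detection-side parser that walks the IPv6 extension header chain of a captured packet and flags fragments carrying long or oversized extension headers, the packet shape the advisory describes. The thresholds, function names and the sample packet are assumptions constructed for illustration.

```python
import struct

GENERIC_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44
MAX_EXT_HEADERS = 3         # assumed policy limits, not from the advisory
MAX_EXT_BYTES = 256

def inspect_ipv6(pkt: bytes) -> dict:
    """Walk the extension header chain of one raw IPv6 packet (RFC 8200)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    chain, ext_bytes, fragmented, reasons = [], 0, False, []
    while nxt in GENERIC_EXT or nxt == FRAGMENT:
        # Fragment header is fixed at 8 bytes; the others carry a length
        # field counted in 8-byte units beyond the first 8 bytes.
        need = 8 if nxt == FRAGMENT or off + 2 > len(pkt) else (pkt[off + 1] + 1) * 8
        if off + need > len(pkt):
            reasons.append("header chain runs past end of packet")
            break
        frag_off = 0
        if nxt == FRAGMENT:
            fragmented = True
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        chain.append(nxt)
        ext_bytes += need
        nxt, off = pkt[off], off + need
        if frag_off:        # non-first fragment: payload is not a header
            break
    if fragmented and len(chain) > MAX_EXT_HEADERS:
        reasons.append("fragment with long extension header chain")
    if fragmented and ext_bytes > MAX_EXT_BYTES:
        reasons.append("fragment with oversized extension headers")
    return {"chain": chain, "ext_bytes": ext_bytes,
            "fragmented": fragmented, "upper": nxt, "reasons": reasons}

def sample_packet(headers, last=6):
    """Constructed test input: headers = [(type, size_in_bytes)], zero addresses."""
    types = [t for t, _ in headers] + [last]
    body = b""
    for i, (t, size) in enumerate(headers):
        if t == FRAGMENT:   # offset 0, M flag set, constructed identification
            body += bytes([types[i + 1], 0]) + struct.pack("!HI", 1, 0x1234)
        else:
            body += bytes([types[i + 1], size // 8 - 1]) + bytes(size - 2)
    fixed = struct.pack("!IHBB", 6 << 28, len(body), types[0], 64)
    return fixed + bytes(32) + body

if __name__ == "__main__":
    pkt = sample_packet([(0, 8), (60, 1024), (44, 8), (60, 8)])
    print(inspect_ipv6(pkt))
```

Authentication Header (51) and ESP (50) are deliberately treated as upper-layer protocols here, so the walk stops when it reaches them.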
