[LAC-TF] Fwd: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
Ivan Chapero
info at ivanchapero.com.ar
Wed Sep 28 00:06:12 BRT 2016
Hola,
Juniper veo que liberó ayer por lo menos para la rama recomendada en los MX
un fix.
En CISCO veo que sigue en categoría de bug y con un workaround manual
basado en ACL:
https://quickview.cloudapps.cisco.com/quickview/bug/CSCva94139
Saludos.
2016-08-15 15:04 GMT-03:00 Azael Fernandez Alcantara <afaza at unam.mx>:
> Buen Dia,
>
> Tambien puede servir lo comentado en la sig. liga:
>
> https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-
> dos-vulnerability-in-cisco-software/
>
>
> SALUDOS
> _______
> Azael
> ____________________________
> Mensaje enviado sin acentos
>
>
>
> On Sun, 14 Aug 2016, Fernando Gont wrote:
>
> FYI.
>>
>> Aparentemente, algunos dispositivos no descartan los paquetes de ND
>> recibidos cuando el Hop Limit != 255.
>>
>> Esto, sumado a que implementar "ARP" sobre IP (como es el caso de ND)
>> permite que dicho trafico sea ruteable, lleva a cosas como estas.
>>
>> En fin...
>>
>>
>> -------- Forwarded Message --------
>> Subject: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of
>> Service Vulnerability
>> Date: Wed, 10 Aug 2016 17:52:16 +0000
>> From: Suresh Krishnan <suresh.krishnan at ericsson.com>
>> To: IETF IPv6 Mailing List <ipv6 at ietf.org>, IPv6 Operations
>> <v6ops at ops.ietf.org>, 6man-chairs at ietf.org <6man-chairs at ietf.org>,
>> v6ops-chairs at ietf.org <v6ops-chairs at ietf.org>
>>
>> Hi all,
>> I have been notified about this vulnerability and have been asked
>> whether this is due to an issue with the IPv6 protocol specifications.
>> At first glance, I have a hard time seeing how this attack is possible
>> on any compliant RFC4861 implementation given that the 255 Hop Limit
>> check would drop any remote attack packets. If someone on the 6man/v6ops
>> mailing lists has further info, can you please contact me off-list. My
>> goal is to figure out if there is any protocol work or operational
>> guidance needed from the IETF side.
>>
>> More info:
>>
>> This is the CVE list entry in question
>>
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1409
>>
>> The Cisco security advisory
>>
>> https://tools.cisco.com/security/center/content/CiscoSecurit
>> yAdvisory/cisco-sa-20160525-ipv6
>>
>> The Juniper knowledge base entry
>>
>> https://kb.juniper.net/InfoCenter/index?page=content&id=
>> JSA10749&cat=SIRT_1&actp=LIST
>>
>> Thanks
>> Suresh
>>
>> --------------------------------------------------------------------
>> IETF IPv6 working group mailing list
>> ipv6 at ietf.org
>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>> --------------------------------------------------------------------
>>
>> _______________________________________________
>> LACTF mailing list
>> LACTF at lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/lactf
>> Cancelar suscripcion: lactf-unsubscribe at lacnic.net
>>
>> _______________________________________________
> LACTF mailing list
> LACTF at lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lactf
> Cancelar suscripcion: lactf-unsubscribe at lacnic.net
>
--
*Ivan ChaperoÁrea Técnica y Soporte*
Fijo: 03464-470280 (interno 535) | Móvil: 03464-155-20282 | Skype ID:
ivanchapero
--
GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
- Santa Fe - Argentina
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.lacnic.net/pipermail/lactf/attachments/20160928/1d71ba3c/attachment.html>
More information about the LACTF
mailing list