[LAC-TF] Fwd: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
Ivan Chapero
info at ivanchapero.com.ar
Wed Sep 28 18:31:12 BRT 2016
I'm sharing a fairly granular filter for the routing engine (control plane)
that I have been working out to reduce the impact of this kind of
vulnerability until we can upgrade Junos.
Although it is for Juniper, it can be read as pseudo-code for other
platforms and translated. Grateful for any corrections/contributions!:
set groups JUNOS-HARDENING policy-options prefix-list ACL-ROUTER-IPv6-ADDRESSES apply-path "interfaces <*> unit <*> family inet6 address <*>"
set groups JUNOS-HARDENING policy-options prefix-list ACL-LINK-LOCAL-IPv6 fe80::/64
set groups JUNOS-HARDENING policy-options prefix-list ACL-MCAST-SNMA-IPv6 ff02:0:0:0:0:1:ff00::/104
set groups JUNOS-HARDENING policy-options prefix-list ACL-MCAST-ALLNODES-IPv6 ff02::1/128
show groups JUNOS-HARDENING firewall family inet6 filter accept-icmp6-nd
term ns-linklocal {
    from {
        source-prefix-list {
            ACL-LINK-LOCAL-IPv6;
        }
        destination-prefix-list {
            ACL-MCAST-SNMA-IPv6;
            ACL-LINK-LOCAL-IPv6;
        }
        next-header icmpv6;
        icmp-type 135;
        hop-limit 255;
    }
    then {
        count accept-icmpv6-ns;
        accept;
    }
}
term ns-global {
    from {
        source-prefix-list {
            ACL-ROUTER-IPv6-ADDRESSES;
        }
        destination-prefix-list {
            ACL-MCAST-SNMA-IPv6;
            ACL-ROUTER-IPv6-ADDRESSES;
        }
        next-header icmpv6;
        icmp-type 135;
        hop-limit 255;
    }
    then {
        count accept-icmpv6-ns;
        accept;
    }
}
term ns-dad {
    from {
        source-address {
            ::/128;
        }
        destination-prefix-list {
            ACL-MCAST-SNMA-IPv6;
        }
        next-header icmpv6;
        icmp-type 135;
        hop-limit 255;
    }
    then {
        count accept-icmpv6-ns;
        accept;
    }
}
term na-linklocal {
    from {
        source-prefix-list {
            ACL-LINK-LOCAL-IPv6;
        }
        destination-prefix-list {
            ACL-LINK-LOCAL-IPv6;
            ACL-MCAST-ALLNODES-IPv6;
        }
        next-header icmpv6;
        icmp-type 136;
        hop-limit 255;
    }
    then {
        count accept-icmpv6-na;
        accept;
    }
}
term na-global {
    from {
        source-prefix-list {
            ACL-ROUTER-IPv6-ADDRESSES;
        }
        destination-prefix-list {
            ACL-ROUTER-IPv6-ADDRESSES;
            ACL-MCAST-ALLNODES-IPv6;
        }
        next-header icmpv6;
        icmp-type 136;
        hop-limit 255;
    }
    then {
        count accept-icmpv6-na;
        accept;
    }
}
term bad-nd {
    from {
        next-header icmpv6;
        icmp-type [ 133-137 141-142 ];
    }
    then {
        count no-icmpv6-bad-nd;
        log;
        syslog;
        discard;
    }
}
2016-09-28 0:06 GMT-03:00 Ivan Chapero <info at ivanchapero.com.ar>:
> Hi,
>
> I see that Juniper released a fix yesterday, at least for the recommended
> branch on the MX.
>
> On Cisco I see it is still categorized as a bug, with a manual workaround
> based on ACLs:
>
> https://quickview.cloudapps.cisco.com/quickview/bug/CSCva94139
>
> Regards.
>
>
> 2016-08-15 15:04 GMT-03:00 Azael Fernandez Alcantara <afaza at unam.mx>:
>
>> Good morning,
>>
>> What is discussed at the following link may also help:
>>
>> https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/
>>
>>
>> REGARDS
>> _______
>> Azael
>> ____________________________
>> Message sent without accents
>>
>>
>>
>> On Sun, 14 Aug 2016, Fernando Gont wrote:
>>
>>> FYI.
>>>
>>> Apparently, some devices do not discard received ND packets when the
>>> Hop Limit != 255.
>>>
>>> This, added to the fact that implementing "ARP" over IP (as ND does)
>>> makes that traffic routable, leads to things like this.
>>>
>>> Oh well...
>>>
>>>
>>> -------- Forwarded Message --------
>>> Subject: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of
>>> Service Vulnerability
>>> Date: Wed, 10 Aug 2016 17:52:16 +0000
>>> From: Suresh Krishnan <suresh.krishnan at ericsson.com>
>>> To: IETF IPv6 Mailing List <ipv6 at ietf.org>, IPv6 Operations
>>> <v6ops at ops.ietf.org>, 6man-chairs at ietf.org <6man-chairs at ietf.org>,
>>> v6ops-chairs at ietf.org <v6ops-chairs at ietf.org>
>>>
>>> Hi all,
>>> I have been notified about this vulnerability and have been asked
>>> whether this is due to an issue with the IPv6 protocol specifications.
>>> At first glance, I have a hard time seeing how this attack is possible
>>> on any compliant RFC4861 implementation given that the 255 Hop Limit
>>> check would drop any remote attack packets. If someone on the 6man/v6ops
>>> mailing lists has further info, can you please contact me off-list. My
>>> goal is to figure out if there is any protocol work or operational
>>> guidance needed from the IETF side.
>>>
>>> More info:
>>>
>>> This is the CVE list entry in question
>>>
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1409
>>>
>>> The Cisco security advisory
>>>
>>> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6
>>>
>>> The Juniper knowledge base entry
>>>
>>> https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10749&cat=SIRT_1&actp=LIST
>>>
>>> Thanks
>>> Suresh
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6 at ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> LACTF mailing list
>>> LACTF at lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/lactf
>>> Unsubscribe: lactf-unsubscribe at lacnic.net
>>>
--
*Ivan Chapero | Technical and Support Area*
Landline: 03464-470280 (ext. 535) | Mobile: 03464-155-20282 | Skype ID:
ivanchapero
--
GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
- Santa Fe - Argentina
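A reference model of the accept-icmp6-nd filter posted at the top of this message, added here as an example and not part of the original post: it evaluates the same terms in the same order against constructed ICMPv6 packets, so the logic can be checked before translating it to another platform. ACL-ROUTER-IPv6-ADDRESSES is a constructed sample address (apply-path fills it on the router), and the Junos default of discarding traffic no term matches is assumed.

```python
from collections import namedtuple
from ipaddress import IPv6Address, IPv6Network

ICMPV6 = 58  # IPv6 next-header value for ICMPv6
Packet = namedtuple("Packet", "src dst next_header icmp_type hop_limit")

# Prefix lists from the posted filter. ACL-ROUTER-IPv6-ADDRESSES is built by
# apply-path on the router; here it holds one constructed sample address.
LINK_LOCAL = [IPv6Network("fe80::/64")]
MCAST_SNMA = [IPv6Network("ff02:0:0:0:0:1:ff00::/104")]
MCAST_ALLNODES = [IPv6Network("ff02::1/128")]
ROUTER_ADDRS = [IPv6Network("2001:db8:0:1::1/128")]  # constructed
UNSPECIFIED = [IPv6Network("::/128")]  # DAD source (term ns-dad)

def _matches(addr, prefix_lists):
    return any(IPv6Address(addr) in net for net in prefix_lists)

# Filter terms in order: (name, src lists, dst lists, ICMPv6 types,
# hop-limit must be 255, action). None means the term does not match on it.
TERMS = [
    ("ns-linklocal", LINK_LOCAL, MCAST_SNMA + LINK_LOCAL, {135}, True, "accept"),
    ("ns-global", ROUTER_ADDRS, MCAST_SNMA + ROUTER_ADDRS, {135}, True, "accept"),
    ("ns-dad", UNSPECIFIED, MCAST_SNMA, {135}, True, "accept"),
    ("na-linklocal", LINK_LOCAL, LINK_LOCAL + MCAST_ALLNODES, {136}, True, "accept"),
    ("na-global", ROUTER_ADDRS, ROUTER_ADDRS + MCAST_ALLNODES, {136}, True, "accept"),
    ("bad-nd", None, None, set(range(133, 138)) | {141, 142}, False, "discard"),
]

def evaluate(pkt):
    """First matching term wins; a Junos filter discards what nothing matches."""
    for name, srcs, dsts, types, need_255, action in TERMS:
        if pkt.next_header != ICMPV6 or pkt.icmp_type not in types:
            continue
        if srcs is not None and not _matches(pkt.src, srcs):
            continue
        if dsts is not None and not _matches(pkt.dst, dsts):
            continue
        if need_255 and pkt.hop_limit != 255:
            continue
        return name, action
    return "implicit-default", "discard"

# Constructed sample traffic (not captures); "routed NS" is the off-link,
# hop-limit-decremented Neighbor Solicitation the thread is about.
SAMPLES = {
    "on-link NS": Packet("fe80::1", "ff02::1:ff00:1", 58, 135, 255),
    "DAD NS": Packet("::", "ff02::1:ff00:1", 58, 135, 255),
    "routed NS": Packet("2001:db8:bad::1", "ff02::1:ff00:1", 58, 135, 200),
    "NA to all-nodes": Packet("2001:db8:0:1::1", "ff02::1", 58, 136, 255),
    "echo request": Packet("2001:db8::5", "2001:db8:0:1::1", 58, 128, 64),
}
```

As written, RS, RA and Redirect (types 133, 134, 137) fall through to bad-nd, so a router that must accept those would need terms ahead of it; in practice this filter would be one member of an input-list alongside the filters for the rest of the control-plane traffic.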