[LAC-TF] Fwd: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

Azael Fernandez Alcantara afaza at unam.mx
Wed Sep 28 19:20:40 BRT 2016 

Buen Dia,

Muchas gracias por compartir

La proxima vez tal vez seria mejor enviar el codigo como adjunto en un 
archivo .txt.


SALUDOS
______________________
Azael
____________________________
Mensaje enviado sin acentos


On Wed, 28 Sep 2016, Ivan Chapero wrote:

> Comparto un filtro bastante granular para la routing-engine (control-plane)
> que estuve ideando para reducir el comportamiento de este tipo de
> vulnerabilidad hasta que podamos upgradear el Junos.
>
> Si bien es para Juniper, se puede leer como pseudo-codigo para otras
> plataformas y traducir. Agradecido de cualquier corrección/aporte!:
>
> set groups JUNOS-HARDENING policy-options prefix-list
> ACL-ROUTER-IPv6-ADDRESSES apply-path "interfaces <*> unit <*> family inet6
> address <*>"
>
> set groups JUNOS-HARDENING policy-options prefix-list ACL-LINK-LOCAL-IPv6
> fe80::/64
>
> set groups JUNOS-HARDENING policy-options prefix-list ACL-MCAST-SNMA-IPv6
> ff02:0:0:0:0:1:ff00::/104
>
> set groups JUNOS-HARDENING policy-options prefix-list
> ACL-MCAST-ALLNODES-IPv6 ff02::1/128
.
.
.
>
> 2016-09-28 0:06 GMT-03:00 Ivan Chapero <info at ivanchapero.com.ar>:
>
>> Hola,
>>
>> Juniper veo que liberó ayer por lo menos para la rama recomendada en los
>> MX un fix.
>>
>> En CISCO veo que sigue en categoría de bug y con un workaround manual
>> basado en ACL:
>>
>> https://quickview.cloudapps.cisco.com/quickview/bug/CSCva94139
>>
>> ​​Saludos.
>>
>>
>> 2016-08-15 15:04 GMT-03:00 Azael Fernandez Alcantara <afaza at unam.mx>:
>>
>>> Buen Dia,
>>>
>>> Tambien puede servir lo comentado en la sig. liga:
>>>
>>> https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-do
>>> s-vulnerability-in-cisco-software/
>>>
>>>
>>> SALUDOS
>>> _______
>>> Azael
>>> ____________________________
>>> Mensaje enviado sin acentos
>>>
>>>
>>>
>>> On Sun, 14 Aug 2016, Fernando Gont wrote:
>>>
>>> FYI.
>>>>
>>>> Aparentemente, algunos dispositivos no descartan los paquetes de ND
>>>> recibidos cuando el Hop Limit != 255.
>>>>
>>>> Esto, sumado a que implementar "ARP" sobre IP (como es el caso de ND)
>>>> permite que dicho trafico sea ruteable, lleva a cosas como estas.
>>>>
>>>> En fin...
>>>>
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of
>>>> Service Vulnerability
>>>> Date: Wed, 10 Aug 2016 17:52:16 +0000
>>>> From: Suresh Krishnan <suresh.krishnan at ericsson.com>
>>>> To: IETF IPv6 Mailing List <ipv6 at ietf.org>, IPv6 Operations
>>>> <v6ops at ops.ietf.org>, 6man-chairs at ietf.org <6man-chairs at ietf.org>,
>>>> v6ops-chairs at ietf.org <v6ops-chairs at ietf.org>
>>>>
>>>> Hi all,
>>>>   I have been notified about this vulnerability and have been asked
>>>> whether this is due to an issue with the IPv6 protocol specifications.
>>>> At first glance, I have a hard time seeing how this attack is possible
>>>> on any compliant RFC4861 implementation given that the 255 Hop Limit
>>>> check would drop any remote attack packets. If someone on the 6man/v6ops
>>>> mailing lists has further info, can you please contact me off-list. My
>>>> goal is to figure out if there is any protocol work or operational
>>>> guidance needed from the IETF side.
>>>>
>>>> More info:
>>>>
>>>> This is the CVE list entry in question
>>>>
>>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1409
>>>>
>>>> The Cisco security advisory
>>>>
>>>> https://tools.cisco.com/security/center/content/CiscoSecurit
>>>> yAdvisory/cisco-sa-20160525-ipv6
>>>>
>>>> The Juniper knowledge base entry
>>>>
>>>> https://kb.juniper.net/InfoCenter/index?page=content&id=JSA1
>>>> 0749&cat=SIRT_1&actp=LIST
>>>>
>>>> Thanks
>>>> Suresh
>>>>
>>>> --------------------------------------------------------------------
>>>> IETF IPv6 working group mailing list
>>>> ipv6 at ietf.org
>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>> --------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> LACTF mailing list
>>>> LACTF at lacnic.net
>>>> https://mail.lacnic.net/mailman/listinfo/lactf
>>>> Cancelar suscripcion: lactf-unsubscribe at lacnic.net
>>>>
>>>> _______________________________________________
>>> LACTF mailing list
>>> LACTF at lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/lactf
>>> Cancelar suscripcion: lactf-unsubscribe at lacnic.net
>>>
>>
>>
>>
>> --
>>
>> *Ivan ChaperoÁrea Técnica y Soporte*
>> Fijo: 03464-470280 (interno 535) | Móvil:  03464-155-20282  | Skype ID:
>> ivanchapero
>> --
>> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
>> - Santa Fe - Argentina
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> -- 
>
> *Ivan ChaperoÁrea Técnica y Soporte*
> Fijo: 03464-470280 (interno 535) | Móvil:  03464-155-20282  | Skype ID:
> ivanchapero
> --
> GoDATA Banda Ancha - CABLETEL S.A. | Av. 9 de Julio 1163 - 2183 - Arequito
> - Santa Fe - Argentina
>

More information about the LACTF mailing list