[LACNIC/Seguridad] Fwd: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

[Fernando Gont]

FYI.

Aparentemente, algunos dispositivos no descartan los paquetes de ND
recibidos cuando el Hop Limit != 255.

Esto, sumado a que implementar "ARP" sobre IP (como es el caso de ND)
permite que dicho trafico sea ruteable, lleva a cosas como estas.

En fin...


-------- Forwarded Message --------
Subject: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of
Service Vulnerability
Date: Wed, 10 Aug 2016 17:52:16 +0000
From: Suresh Krishnan <suresh.krishnan en ericsson.com>
To: IETF IPv6 Mailing List <ipv6 en ietf.org>, IPv6 Operations
<v6ops en ops.ietf.org>, 6man-chairs en ietf.org <6man-chairs en ietf.org>,
v6ops-chairs en ietf.org <v6ops-chairs en ietf.org>

Hi all,
   I have been notified about this vulnerability and have been asked
whether this is due to an issue with the IPv6 protocol specifications.
At first glance, I have a hard time seeing how this attack is possible
on any compliant RFC4861 implementation given that the 255 Hop Limit
check would drop any remote attack packets. If someone on the 6man/v6ops
mailing lists has further info, can you please contact me off-list. My
goal is to figure out if there is any protocol work or operational
guidance needed from the IETF side.

More info:

This is the CVE list entry in question

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1409

The Cisco security advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

The Juniper knowledge base entry

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10749&cat=SIRT_1&actp=LIST

Thanks
Suresh

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 en ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------