Date: Fri, 09 Nov 2012 01:15:15 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request --- acceptation of overlapping ipv6 fragments

On 11/08/2012 03:15 PM, Petr Matousek wrote:
> Accepting overlapping fragmented ipv6 packets can lead to
> Operating Systems (OS) fingerprinting, IDS/IPS insertion/evasion,
> firewall evasion.
> 
> Do not accept such packets.
> 
> Linux kernel upstream fix:
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=70789d7052239992824628db8133de08dc78e593
>
> References: http://tools.ietf.org/rfc/rfc5722.txt
> https://media.blackhat.com/bh-eu-12/Atlasis/bh-eu-12-Atlasis-Attacking_IPv6-WP.pdf
>
> Thanks,

So the rationale here is that:

1) The RFC says overlapping IPv6 fragments should be dropped (in fact
all the fragments for that datagram should be dropped).
2) Generally speaking there is no real legitimate case for overlapping
IPv6 (or IPv4) fragments, and in fact they are quite dangerous:

http://www.ietf.org/proceedings/72/slides/6man-5.pdf
- Overlapping fragments were allowed in the original
IPv4 specification (RFC791)
- RFC1858 described an overlapping fragment attack
that can be used to overwrite the TCP flags inside a
packet

IPv6 datagrams can include a destination options
header
- This header belongs to the fragmentable part of the
datagram
- TCP header can be much further into the fragmentable
part
- Makes it possible to even overwrite port info.

So basically IPv6 overlapping fragments are quite dangerous and can
potentially be used to bypass firewalls/IDS/NIDS/etc.

Also I'm guessing there are a lot of "embedded" (not sure what term to
use when network devices now have full computers in them, e.g.
photocopiers) IPv6 stacks that will not handle overlapping fragments
(crash, memory overwrite, who knows) and cannot be upgraded by users
(since the devices are not supported/not supported properly by the
makers).

So in a nutshell, by not implementing RFC5722 we allow all manner of
poorly defined and probably unwanted behaviours to take place;
additionally, we may end up passing nasty traffic to back end systems
that cannot handle it well (and are expecting the front end machines
to sanitize the traffic).

So to this end I am assigning CVE-2012-4444 (been saving it, it's easy
to remember =) for "failure to implement RFC5722 properly, allowing
overlapping fragmented IPv6 packets to be processed or passed to other
systems resulting in all sorts of potential unknown badness with
unknown consequences". It looks like more than just Linux is affected,
so if you know of other systems that are affected by this please reply
to this thread so we have a list.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

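As an added example, not part of the thread or of the kernel patch it references, here is a small Python reassembly check that parses IPv6 Fragment extension headers and applies the RFC 5722 rule the message argues for: once any fragment of a datagram overlaps one already queued, the whole datagram is discarded, including fragments that arrive afterwards. The packet bytes are constructed inline for the test; all class and function names are my own.

```python
import struct
from dataclasses import dataclass


@dataclass
class Fragment:
    ident: int     # Identification field shared by all fragments of one datagram
    offset: int    # byte offset into the fragmentable part (13-bit field * 8)
    length: int    # payload bytes following the 8-byte Fragment header
    more: bool     # M flag: more fragments follow


def parse_fragment(payload: bytes) -> Fragment:
    """Parse an IPv6 Fragment extension header (RFC 2460 s4.5) at the start of payload."""
    if len(payload) < 8:
        raise ValueError("truncated Fragment header")
    _next_hdr, _reserved, off_flags, ident = struct.unpack("!BBHI", payload[:8])
    return Fragment(ident, (off_flags >> 3) * 8, len(payload) - 8, bool(off_flags & 1))


class Reassembler:
    """Fragment queue applying RFC 5722: any overlap silently discards the entire
    datagram, both the fragments already queued and any that arrive later."""

    def __init__(self) -> None:
        self.queued = {}       # ident -> list of accepted (start, end) byte ranges
        self.poisoned = set()  # idents whose datagram has already been discarded

    def accept(self, frag: Fragment) -> str:
        if frag.ident in self.poisoned:
            return "drop"
        start, end = frag.offset, frag.offset + frag.length
        ranges = self.queued.setdefault(frag.ident, [])
        # Half-open interval overlap; exact duplicates count as overlaps too.
        if any(start < e and s < end for s, e in ranges):
            del self.queued[frag.ident]
            self.poisoned.add(frag.ident)
            return "drop"
        ranges.append((start, end))
        return "queue"


def verdicts(packets) -> list:
    """Run a sequence of fragment payloads through one Reassembler and return each verdict."""
    r = Reassembler()
    return [r.accept(parse_fragment(p)) for p in packets]


def make_fragment(ident: int, offset_units: int, more: bool, data: bytes) -> bytes:
    """Constructed test input: Fragment header (Next Header 6 = TCP) followed by data."""
    return struct.pack("!BBHI", 6, 0, (offset_units << 3) | int(more), ident) + data


# Constructed samples: in OVERLAPPING the second fragment starts 8 bytes into the first's
# 16-byte range, so it and every later fragment of that datagram must be dropped.
OVERLAPPING = [make_fragment(0x1234, 0, True, b"A" * 16),
               make_fragment(0x1234, 1, False, b"B" * 16),
               make_fragment(0x1234, 4, False, b"C" * 8)]
CLEAN = [make_fragment(0x5678, 0, True, b"A" * 16),
         make_fragment(0x5678, 2, False, b"B" * 8)]
```

Calling `verdicts(OVERLAPPING)` yields `['queue', 'drop', 'drop']`, while `verdicts(CLEAN)` yields `['queue', 'queue']`, since the second clean fragment begins exactly where the first ends.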
