Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Apr 2015 11:54:01 +0200
From: "D.S. Ljungmark" <ljungmark@...io.se>
To: Jim Thompson <jim@...gate.com>
Cc: Eitan Adler <lists@...anadler.com>, FreeBSD Security Team <secteam@...ebsd.org>, 
	"freebsd-net@...ebsd.org" <net@...ebsd.org>, oss-security@...ts.openwall.com
Subject: Re: CVE Request : IPv6 Hop limit lowering via RA messages

On Fri, Apr 3, 2015 at 6:06 AM, Jim Thompson <jim@...gate.com> wrote:
> have you considered that there might not be a relevant patch because FreeBSD’s implementation isn’t affected?

sys/netinet6/nd6_rtr.c

    300         if (nd_ra->nd_ra_curhoplimit)
    301                 ndi->chlim = nd_ra->nd_ra_curhoplimit;

The only "OUT" in that function I see are tests for:
  Not accepting RA
  hoplimit on current packet != 255
  not link-local
  No extended ipv6 header


Based on previous testing ( early March 2015), and reading of the
source, I say that FreeBSD is vulnerable.


Regards,
  D.S. Ljungmark


>
> Jim
>
>> On Apr 2, 2015, at 9:15 PM, Eitan Adler <lists@...anadler.com> wrote:
>>
>> + FreeBSD lists since I haven't seen any relevant patches (although I
>> might have missed them).
>>
>> ---------- Forwarded message ----------
>> From: D.S. Ljungmark <ljungmark@...io.se>
>> Date: 2 April 2015 at 10:19
>> Subject: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
>> To: oss-security@...ts.openwall.com
>>
>>
>> An unprivileged user on a local network can use IPv6 Neighbour
>> Discovery ICMP to broadcast a non-route with a low hop limit, this
>> causing machines to lower the hop limit on existing IPv6 routes.
>>
>> Linux Patch: http://www.spinics.net/lists/netdev/msg322361.html
>> Redhat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1203712
>>
>> Projects impacted:  Linux kernel,  NetworkManager, FreeBSD Kernel
>>
>>
>> Regards,
>>  D.S. Ljungmark
>>
>>
>> --
>> Eitan Adler
>> _______________________________________________
>> freebsd-net@...ebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@...ebsd.org"
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ