Date: Tue, 7 Apr 2015 07:20:40 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: ljungmark@...io.se, cve-assign@...re.org
Subject: Re: Re: CVE Request : IPv6 Hop limit lowering via RA messages

Hi,

This is CERT VU#711516.

(The IPv6 gurus might disagree on CVE worthiness .. Rogue L2 nodes
 in an IPv6 network can do more damage even.)

Ciao, Marcus

On Sat, Apr 04, 2015 at 03:27:49AM -0400, cve-assign@...re.org wrote:
> > An unprivileged user on a local network can use IPv6 Neighbour
> > Discovery ICMP to broadcast a non-route with a low hop limit, thus
> > causing machines to lower the hop limit on existing IPv6 routes.
> 
> > Projects impacted:  Linux kernel,  NetworkManager, FreeBSD Kernel
> 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6fd99094de2b83d1d4c8457f2c83483b2828e75a
> 
> Use CVE-2015-2922 for the Linux kernel vulnerability.
> 
> 
> > https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041934.html
> 
> Use CVE-2015-2923 for the FreeBSD vulnerability.
> 
> 
> > ,  NetworkManager
> 
> This might refer to
> http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/src/rdisc/nm-lndp-rdisc.c
> 
>   hop_limit = ndp_msgra_curhoplimit (msgra);
>   if (rdisc->hop_limit != hop_limit) {
>           rdisc->hop_limit = hop_limit;
>           changed |= NM_RDISC_CONFIG_HOP_LIMIT;
> 
> however, the MITRE CVE team is not directly familiar with this part of
> the NetworkManager code and has not researched any changes to the
> "rdisc->hop_limit != hop_limit" test. There is apparently no commit
> available yet at:
> 
>   http://cgit.freedesktop.org/NetworkManager/NetworkManager/log/src/rdisc/nm-lndp-rdisc.c
> 
> but, again, we don't know whether changes would need to occur there.
> 
> Use CVE-2015-2924 for the NetworkManager vulnerability.
> 
> 
> Also, note that
> 
>   http://patchwork.ozlabs.org/patch/453995/
> 
> refers to affected closed-source products. (CVE IDs for closed-source
> products would be announced elsewhere.) It also refers to Android. We
> don't know whether Android was listed only because of a
> shared-codebase issue, e.g.,
> 
>   https://android.googlesource.com/kernel/common/+/android-3.18/net/ipv6/ndisc.c
> 
> (there is no commit at
> https://android.googlesource.com/kernel/common/+log/android-3.18/net/ipv6/ndisc.c
> currently)
> 
> or whether Android is affected in other ways. Unless there is
> incorrect hop_limit processing in code that is specific to Android,
> Android would not have a unique CVE ID.
> 
> -- 
> CVE assignment team, MITRE CVE Numbering Authority
> M/S M300
> 202 Burlington Road, Bedford, MA 01730 USA
> [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
> 
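
As an added illustration of the issue discussed in this thread (this is not code from the thread, the Linux kernel or NetworkManager): a minimal Router Advertisement header decoder with the pre-fix and hardened hop-limit update policies side by side. The RA bytes are constructed; the hardened rule, accepting an advertised hop limit only when it raises the current one, is how I read the referenced Linux fix.

```c
#include <stdint.h>
#include <stdio.h>
/* ICMPv6 Router Advertisement (RFC 4861 s4.2): type 134, code 0, 16-byte header.
 * Only the fields this example needs are decoded; the checksum is not verified. */
#define ICMPV6_ROUTER_ADVERT 134
#define RA_HDR_LEN 16

struct ra_info {
    uint8_t  cur_hop_limit;    /* 0 means the router leaves it unspecified */
    uint16_t router_lifetime;  /* seconds; 0 means "not a default router" */
};

/* Decode an RA from raw ICMPv6 bytes. Returns 0 on success, -1 if malformed. */
int parse_ra(const uint8_t *buf, size_t len, struct ra_info *out)
{
    if (len < RA_HDR_LEN || buf[0] != ICMPV6_ROUTER_ADVERT || buf[1] != 0)
        return -1;
    out->cur_hop_limit   = buf[4];
    out->router_lifetime = (uint16_t)((buf[6] << 8) | buf[7]);
    return 0;
}

/* Pre-fix behaviour: any non-zero advertised value replaces the interface's
 * limit, so one RA with cur_hop_limit = 1 breaks every multi-hop IPv6 route. */
uint8_t hop_limit_vulnerable(uint8_t current, uint8_t advertised)
{
    return advertised ? advertised : current;
}

/* Hardened behaviour: a higher value is accepted, a lower one is ignored and
 * flagged so the caller can log it (the lowering attempt is the event to detect). */
uint8_t hop_limit_hardened(uint8_t current, uint8_t advertised, int *lowering_seen)
{
    *lowering_seen = (advertised != 0 && advertised < current);
    return advertised > current ? advertised : current;
}

int main(void)
{
    /* Constructed RA: cur hop limit 1, router lifetime 1800 (0x0708), rest zero. */
    const uint8_t pkt[RA_HDR_LEN] = {134, 0, 0, 0, 1, 0, 0x07, 0x08};
    struct ra_info ra;
    int lowering;
    if (parse_ra(pkt, sizeof pkt, &ra) != 0)
        return 1;
    printf("vulnerable: 64 -> %u\n", hop_limit_vulnerable(64, ra.cur_hop_limit));
    uint8_t kept = hop_limit_hardened(64, ra.cur_hop_limit, &lowering);
    printf("hardened:   64 -> %u (lowering attempt seen: %d)\n", kept, lowering);
    return 0;
}
```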
