Page MenuHomeFreeBSD

Fix CVE-2010-4670, CVE-2010-4671, CVE-2010-4669, CVE-2011-2393
AbandonedPublic

Authored by cy on Dec 31 2017, 9:44 PM.

Details

Summary

I've cobbled together a patch to address an IPv6 RA flood attack affecting
FreeBSD. An acquaintance I meet for coffee at the Victoria Linux Users
Group has sent the forwarded email below describing the problem and my
reply. Having Googled the problem, it was announced here:

http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt

Our nmap port offers a script to test/exploit the issue documented here:

https://nmap.org/nsedoc/scripts/ipv6-ra-flood.html

This patch addresses the issue but considering I don't know the
IPv6 router code as well as I should, this will need special attention to get it completely right.

I can forward the original email sent to me last week disclosing the problem however the URLs above are probably sufficient.

If someone else wants to take this over, that will be fine too.

Test Plan

Currently builds ok and has been tested on my local network. DoS is resolved.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Lint Skipped
Unit
Unit Tests Skipped
Build Status
Buildable 14014

Event Timeline

cy created this revision.Dec 31 2017, 9:44 PM
cy added a reviewer: feld.Jan 3 2018, 2:12 PM
markj added a comment.Jan 4 2018, 3:19 PM
In D13719#287678, @ae wrote:

+1. It's useful to be able to expand the surrounding code.

markj added inline comments.Jan 4 2018, 3:56 PM
sys/netinet6/nd6.h
383

I think this counter belongs in struct icmp6stat, and netstat should be updated to print it. Was there a specific reason for doing it this way?

sys/netinet6/nd6_rtr.c
151

Why is this check needed? We won't add a route upon receipt of an RS message; nd6_cache_lladdr() will only update the neighbour cache.

254

This isn't the right place to check. Not every RA will result in the addition of a new route: we might be updating a known prefix to cause it to expire, for example.

1192

Don't we only want to count this if dr != NULL, i.e., a router advertised this prefix? With your change I think we'll bump numroutes when configuring an address manually, but we won't decrement it when removing the address since we only perform the decrement when releasing references to advertising routers.

cy abandoned this revision.Jan 5 2018, 2:10 AM
cy marked an inline comment as done.

Sorry for taking so long, just got back to looking at this today.

ae@ suggested I look at PR 157410. It's a much more elegant solution than I have created. Let's abandon this and work on PR 157410 instead.

sys/netinet6/nd6_rtr.c
151

My mistake.

cy marked an inline comment as done.Jan 5 2018, 2:27 AM

Apologies for wasting everyone's time. I should have checked bugzilla first or posted a question if anyone was working on this.