Page MenuHomeFreeBSD
Differential D13719

Fix CVE-2010-4670, CVE-2010-4671, CVE-2010-4669, CVE-2011-2393
AbandonedPublic
Actions

Authored by cy on Dec 31 2017, 9:44 PM.
Tags
None
Referenced Files
Unknown Object (File)
Dec 20 2023, 6:48 AM
Unknown Object (File)
Dec 7 2023, 8:57 AM
Unknown Object (File)
Aug 21 2023, 9:58 AM
Unknown Object (File)
Jul 15 2023, 4:34 PM
Unknown Object (File)
Jun 26 2023, 12:25 PM
Unknown Object (File)
Jun 26 2023, 9:20 AM
Unknown Object (File)
May 4 2023, 3:51 PM
Subscribers
None

Details

Reviewers
ae
bz
tuexen
adrian
rwatson
kib
jhb
imp
glebius
markj
melifaro
feld
Group Reviewers
secteam
Summary

I've cobbled together a patch to address an IPv6 RA flood attack affecting
FreeBSD. An acquaintance I meet for coffee at the Victoria Linux Users
Group has sent the forwarded email below describing the problem and my
reply. Having Googled the problem, it was announced here:

http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt

Our nmap port offers a script to test/exploit the issue documented here:

https://nmap.org/nsedoc/scripts/ipv6-ra-flood.html

This patch addresses the issue but considering I don't know the
IPv6 router code as well as I should, this will need special attention to get it completely right.

I can forward the original email sent to me last week disclosing the problem however the URLs above are probably sufficient.

If someone else wants to take this over, that will be fine too.

Test Plan

Currently builds ok and has been tested on my local network. DoS is resolved.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 14014

Event Timeline

cy created this revision.Dec 31 2017, 9:44 PM
ae added a comment.Jan 3 2018, 12:31 PM

Can you please update the diff according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

ae added reviewers: markj, melifaro.Jan 3 2018, 1:04 PM
cy added a reviewer: feld.Jan 3 2018, 2:12 PM
markj added a comment.Jan 4 2018, 3:19 PM
In D13719#287678, @ae wrote:

Can you please update the diff according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

+1. It's useful to be able to expand the surrounding code.

markj added inline comments.Jan 4 2018, 3:56 PM
sys/netinet6/nd6.h
383

I think this counter belongs in struct icmp6stat, and netstat should be updated to print it. Was there a specific reason for doing it this way?

sys/netinet6/nd6_rtr.c
151

Why is this check needed? We won't add a route upon receipt of an RS message; nd6_cache_lladdr() will only update the neighbour cache.

254

This isn't the right place to check. Not every RA will result in the addition of a new route: we might be updating a known prefix to cause it to expire, for example.

1192

Don't we only want to count this if dr != NULL, i.e., a router advertised this prefix? With your change I think we'll bump numroutes when configuring an address manually, but we won't decrement it when removing the address since we only perform the decrement when releasing references to advertising routers.

cy abandoned this revision.Jan 5 2018, 2:10 AM
cy marked an inline comment as done.

Sorry for taking so long, just got back to looking at this today.

ae@ suggested I look at PR 157410. It's a much more elegant solution than I have created. Let's abandon this and work on PR 157410 instead.

sys/netinet6/nd6_rtr.c
151

My mistake.

cy marked an inline comment as done.Jan 5 2018, 2:27 AM

Apologies for wasting everyone's time. I should have checked bugzilla first or posted a question if anyone was working on this.

Revision Contents
Changeset List

PathSize
sys/
netinet6/
6 lines
20 lines
2 lines
2 lines
4 lines
48 lines

Diff 37331

View Options

sys/netinet6/in6.h

Loading...
View Options

sys/netinet6/in6_proto.c

Loading...
View Options

sys/netinet6/ip6_input.c

Loading...
View Options

sys/netinet6/ip6_var.h

Loading...
View Options

sys/netinet6/nd6.h

Loading...
View Options

sys/netinet6/nd6_rtr.c

Loading...