[oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
loganaden at gmail.com
Fri Apr 3 09:57:04 UTC 2015
On Fri, Apr 3, 2015 at 1:54 PM, D.S. Ljungmark <ljungmark at modio.se> wrote:
> On Fri, Apr 3, 2015 at 6:06 AM, Jim Thompson <jim at netgate.com> wrote:
>> Have you considered that there might not be a relevant patch because FreeBSD’s implementation isn’t affected?
> if (nd_ra->nd_ra_curhoplimit)
>         ndi->chlim = nd_ra->nd_ra_curhoplimit;
> The only "OUT" in that function I see are tests for:
> Not accepting RA
> hoplimit on current packet != 255
> not link-local
> No extended ipv6 header
It is vulnerable. Harrison Grundy and I worked on a patch, and sent it
to secteam at .
> Based on previous testing ( early March 2015), and reading of the
> source, I say that FreeBSD is vulnerable.
> D.S. Ljungmark
>>> On Apr 2, 2015, at 9:15 PM, Eitan Adler <lists at eitanadler.com> wrote:
>>> + FreeBSD lists since I haven't seen any relevant patches (although I
>>> might have missed them).
>>> ---------- Forwarded message ----------
>>> From: D.S. Ljungmark <ljungmark at modio.se>
>>> Date: 2 April 2015 at 10:19
>>> Subject: [oss-security] CVE Request : IPv6 Hop limit lowering via RA messages
>>> To: oss-security at lists.openwall.com
>>> An unprivileged user on a local network can use IPv6 Neighbour
>>> Discovery ICMP to broadcast a non-route with a low hop limit, thus
>>> causing machines to lower the hop limit on existing IPv6 routes.
>>> Linux Patch: http://www.spinics.net/lists/netdev/msg322361.html
>>> Redhat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1203712
>>> Projects impacted: Linux kernel, NetworkManager, FreeBSD Kernel
>>> D.S. Ljungmark
>>> Eitan Adler
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
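
Added example, not part of the message above and not the patch sent to secteam: the unconditional update from the quoted lines next to one possible hardened form. The struct names, hoplimit_after() and the floor of 32 are assumptions made for this sketch, not FreeBSD code.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the per-interface ND state and the RA header
 * field named in the quoted lines; not FreeBSD's real structures. */
struct demo_ifinfo { uint8_t chlim; };        /* current hop limit */
struct demo_ra     { uint8_t curhoplimit; };  /* Cur Hop Limit carried in the RA */
#define DEMO_MIN_HOPLIMIT 32                  /* assumed local policy floor */

/* Behaviour of the quoted lines: any non-zero advertised value wins. */
static void ra_update_unchecked(struct demo_ifinfo *ndi, const struct demo_ra *ra)
{
    if (ra->curhoplimit)
        ndi->chlim = ra->curhoplimit;
}

/* Hardened variant (an assumption, not the project's fix).
 * Returns 1 if the advertised value was applied, 0 if it was ignored. */
static int ra_update_checked(struct demo_ifinfo *ndi, const struct demo_ra *ra)
{
    if (ra->curhoplimit == 0)                 /* 0 = unspecified by this router */
        return 0;
    if (ra->curhoplimit < DEMO_MIN_HOPLIMIT)  /* below the policy floor */
        return 0;
    if (ra->curhoplimit < ndi->chlim)         /* would lower the current limit */
        return 0;
    ndi->chlim = ra->curhoplimit;
    return 1;
}

/* Apply one constructed RA to an interface and return the resulting limit. */
static uint8_t hoplimit_after(uint8_t start, uint8_t advertised, int checked)
{
    struct demo_ifinfo ndi = { start };
    struct demo_ra ra = { advertised };
    if (checked) (void)ra_update_checked(&ndi, &ra);
    else ra_update_unchecked(&ndi, &ra);
    return ndi.chlim;
}

int main(void)
{
    printf("unchecked: 64 -> %u\n", (unsigned)hoplimit_after(64, 1, 0));
    printf("checked:   64 -> %u\n", (unsigned)hoplimit_after(64, 1, 1));
    return 0;
}
```

Refusing every decrease also ignores a legitimate router that advertises a smaller value, so a deployment may prefer the floor check alone.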