diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-08:10.nd6.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-08:10.nd6.asc | 145 |
1 files changed, 0 insertions, 145 deletions
diff --git a/share/security/advisories/FreeBSD-SA-08:10.nd6.asc b/share/security/advisories/FreeBSD-SA-08:10.nd6.asc deleted file mode 100644 index 19945b1592..0000000000 --- a/share/security/advisories/FreeBSD-SA-08:10.nd6.asc +++ /dev/null @@ -1,145 +0,0 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -============================================================================= -FreeBSD-SA-08:10.nd6 Security Advisory - The FreeBSD Project - -Topic: IPv6 Neighbor Discovery Protocol routing vulnerability - -Category: core -Module: sys_netinet6 -Announced: 2008-10-01 -Credits: David Miles -Affects: All supported versions of FreeBSD. -Corrected: 2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE) - 2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5) - 2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE) - 2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5) -CVE Name: CVE-2008-2476 - -For general information regarding FreeBSD Security Advisories, -including descriptions of the fields above, security branches, and the -following sections, please visit <URL:http://security.FreeBSD.org/>. - -I. Background - -IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer -address of other nodes, find routers, and maintain reachability information. -The Neighbor Discovery protocol uses Neighbor Solicitation (ICMPv6 type 135) -to query target nodes for their link-layer addresses. - -II. Problem Description - -IPv6 routers may allow "on-link" IPv6 nodes to create and update the -router's neighbor cache and forwarding information. A malicious IPv6 node -sharing a common router but on a different physical segment from another -node may be able to spoof Neighbor Discovery messages, allowing it to update -router information for the victim node. - -III. Impact - -An attacker on a different physical network connected to the same IPv6 -router as another node could redirect IPv6 traffic intended for that node. -This could lead to denial of service or improper access to private network -traffic. - -IV. Workaround - -Firewall packet filters can be used to filter incoming Neighbor -Solicitation messages but may interfere with normal IPv6 operation if not -configured carefully. - -Reverse path forwarding checks could be used to make gateways, such as -routers or firewalls, drop Neighbor Solicitation messages from -nodes with unexpected source addresses on a particular interface. - -IPv6 router administrators are encouraged to read RFC 3756 for further -discussion of Neighbor Discovery security implications. - -V. Solution - -NOTE WELL: The solution described below causes IPv6 Neighbor Discovery -Neighbor Solicitation messages from non-neighbors to be ignored. -This can be re-enabled if required by setting the newly added -net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value. - -Perform one of the following: - -1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the -RELENG_7_0, or RELENG_6_3 security branch dated after the correction -date. - -2) To patch your present system: - -The following patches have been verified to apply to FreeBSD 6.3 and -7.0 systems. - -a) Download the relevant patch from the location below, and verify the -detached PGP signature using your PGP utility. - -[FreeBSD 6.3] -# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch -# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc - -[FreeBSD 7.0] -# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch -# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc - -b) Apply the patch. - -# cd /usr/src -# patch < /path/to/patch - -c) Recompile your kernel as described in -<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the -system. - -VI. Correction details - -The following list contains the revision numbers of each file that was -corrected in FreeBSD. - -Branch Revision - Path -- ------------------------------------------------------------------------- -RELENG_6 - src/sys/netinet6/in6.h 1.36.2.10 - src/sys/netinet6/in6_proto.c 1.32.2.10 - src/sys/netinet6/nd6.h 1.19.2.4 - src/sys/netinet6/nd6_nbr.c 1.29.2.11 -RELENG_6_3 - src/UPDATING 1.416.2.37.2.10 - src/sys/conf/newvers.sh 1.69.2.15.2.9 - src/sys/netinet6/in6.h 1.36.2.8.2.1 - src/sys/netinet6/in6_proto.c 1.32.2.8.2.1 - src/sys/netinet6/nd6.h 1.19.2.2.6.1 - src/sys/netinet6/nd6_nbr.c 1.29.2.9.2.1 -RELENG_7 - src/sys/netinet6/in6.h 1.51.2.2 - src/sys/netinet6/in6_proto.c 1.46.2.3 - src/sys/netinet6/nd6.h 1.21.2.2 - src/sys/netinet6/nd6_nbr.c 1.47.2.3 -RELENG_7_0 - src/UPDATING 1.507.2.3.2.9 - src/sys/conf/newvers.sh 1.72.2.5.2.9 - src/sys/netinet6/in6.h 1.51.4.1 - src/sys/netinet6/in6_proto.c 1.46.4.1 - src/sys/netinet6/nd6.h 1.21.4.1 - src/sys/netinet6/nd6_nbr.c 1.47.4.1 -- ------------------------------------------------------------------------- - -VII. References - -http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476 -http://www.kb.cert.org/vuls/id/472363 - -The latest revision of this advisory is available at -http://security.FreeBSD.org/advisories/FreeBSD-SA-08:10.nd6.asc ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.9 (FreeBSD) - -iEYEARECAAYFAkjkF2cACgkQFdaIBMps37KWWgCZAfug94zPIdkzW0tdIdSDzH/0 -j18AnjypvJrRtzeQqhJkRU9wQWozgWvj -=ieTi ------END PGP SIGNATURE----- |