________________________________________________________________________ Title: ICMPv6 Router Announcement flooding denial of service affecting multiple systems Date: 15 April 2011 URL: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt ________________________________________________________________________ Vendors: Cisco, Juniper, Microsoft, FreeBSD, NetBSD Affected Products: All Cisco IOS ASA with firmware < November 2010 All Netscreen versions supporting IPv6 Windows 2008, 7, 2003, 2000, XP All FreeBSD versions All NetBSD versions Vulnerability: ICMPv6 Router Announcement flooding denial of service Severity: 7.8 (CVE CVSS Score), local network CVEs: CVE-2010-4670, CVE-2010-4671, CVE-2010-4669, CVE-2011-2393 ________________________________________________________________________ Update Section: 30 May 2011 NetBSD is vulnerable too, fix is in progress 15 April 2011 Juniper states they are not fixing until the IETF workgroup has a proposal on how to fix this issue. (So better buy Cisco) Clarify that FreeBSD does not have IPv6 enabled by default. Some better wording. 05 April 2011 Initial release ________________________________________________________________________ Overview: When flooding the local network with random router advertisements, hosts and routers update the network information, consuming all available CPU resources, making the systems unusable and unresponsive. As IPv6 and autoconfiguration are enabled by default (except on FreeBSD, Windows XP/2000/2003), all are affected in their default configuration. For Windows, a personal firewall or similar security product does not protect against this attack, as the default filter rules allow these packets through. Note: Microsoft does not want to fix this security issue for their products. Impact: Updating the routing tables and configuring IPv6 addresses take up all available CPU resources. Routers and firewalls do not forward traffic. The denial of service is in affect until the flooding is terminated. The exact impact differs from the affected system type: Cisco: 100% traffic loss with autconfiguration active, 80% without. Netscreen: Only affected when the interface is configured as host, traffic is forwarded until the neighbor information times out, then the traffic is lost Windows: 100% CPU, 100% RAM FreeBSD: 100% CPU, additionally IPv6 support can be lost until reboot occasionally. Old Linux kernels are also affected, detailed version information unknown. Description: On IPv6 networks, hosts automatically find out about available routers via ICMPv6 router announcements which are sent by the routers. Additionally, router announcemens are used to replace DHCP by the so called autoconfiguration feature. Windows and FreeBSD - like all modern operating systems - enable IPv6 and autoconfiguration by default and are thereby vulnerable. A personal firewall will not protect against this attack. If a system receives a router announcement of a new router, it updates its routing table with the new router, and if the autoconfiguration flag is set on the announcement (and the host is configured to configure its IPv6 address by this mechanism), the host chooses an IPv6 address from the announced network space. If a network is flooded with random router announcements, systems scramble to update their routing tables and configure IPv6 addresses. Exploit: Flood the network with router advertisements coming from different routers and announcing different network prefixes. A tool to test for this vulnerability is included in the thc-ipv6 package, called flood_router6. Solution: Cisco: IOS fix CSCti24526 , ASA fix CSCti33534 Linux: fixed prior 2010 Netscreen: Juniper waiting for IETF results for how to fix the issue FreeBSD: unknown Windows: Microsoft made clear that they do not plan to issue a fix for this security issue. Workaround: The procession of router announcements must be disabled. Please consult your system manual on how to this for your affected platform. Alternatively, disable IPv6. ________________________________________________________________________ Vendor communication: 10 July 2010 Microsoft informed 10 July 2010 Cisco informed 01 August 2010 Cisco confirms problem, announces fix for October 12 August 2010 Microsoft confirms vulnerability, states no fix will be supplied. 22 November 2010 Cisco confirms fixes are available and started to be deployed in current firmwares 28 December 2010 vendor-sec informed (among other issues) 05 February 2011 FreeBSD informed (made aware via vendor-sec 5 weeks before) 20 February 2011 Juniper informed 09 March 2011 Juniper confirms problem 01 April 2011 Juniper informs that they work with the IETF to develop a standard method to cope with this and similar attacks and will not fix the issue until then. ________________________________________________________________________ Contact: Marc Heuse mh@mh-sec.de http://www.mh-sec.de ________________________________________________________________________ The information provided is released "as is" without warranty of any kind. The publisher disclaims all warranties, either express or implied, including all warranties of merchantability. No responsibility is taken for the correctness of this information. In no event shall the publisher be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if the publisher has been advised of the possibility of such damages. The contents of this advisory is copyright (c) 2010,2011 by Marc Heuse and may be distributed freely provided that no fee is charged for the distribution and proper credit is given. ________________________________________________________________________