[quagga-dev 16562] CVE-2016-1245 text
Paul Jakma
2017-01-29 13:55:16 UTC
Hi,

I have no idea why the CVE for the IPv6 SLAAC/Router-Adv was never
published. It's not even clear to me how this CVE was assigned. Despite
enquiries to one or two places. For the record (as it pertains to
Quagga):

--------------------------------------------------------------------------
Quagga Buffer Overflow in IPv6 RA handling


A buffer overflow exists in the IPv6 (Router Advertisement) code in
Zebra. The issue can be triggered on an IPv6 address where the Quagga
daemon is reachable by an RA (Router Advertisement or IPv6 ICMP message).
The issue leads to a crash of the zebra daemon.


CVE:

CVE-2016-1245


Posting date:

Oct 17, 2016


Program Impacted:

Quagga (zebra) on Linux, with IPv6 AND IPv6 neighbour-discovery enabled on
any interface. Usage of Quagga without running the 'zebra' daemon, or with
no IPv6 neighbour-discovery, is not affected.

Versions affected:

- Quagga versions running on Linux prior to Quagga 1.0.20161017
are not affected.

Versions not affected:
- All Versions of Quagga on FreeBSD/NetBSD/OpenBSD/Solaris are not affected.

Severity:

High


Exploitable:

Remotely.


Description:

A buffer overflow exists in the IPv6 (Router Advertisement) code. The code
which handles IPv6 RA and IPv6 ICMP Router Solicitation advertisement
messages uses a wrong constant to limit its size. This does not affect *BSD
systems (FreeBSD/OpenBSD/NetBSD) or OpenSolaris, but it does affect at least
all Linux-based systems.

For the exploit to work, the Quagga instance needs to be reachable over
IPv6. Any interface with IPv6 enabled can trivially allow the 'zebra'
daemon to be crashed (Denial-of-Service) via a buffer overflow. The issue
can be avoided by having the IPv6 Neighbour Discovery turned off (see
workaround), which is the default state.

Note: the neighbour discovery needs to be turned off on _ALL_ interfaces for
this workaround to apply (not just the connected or active interfaces).

The bug is in the 'zebra' daemon (the main daemon). Deployments that do not
run the 'zebra' daemon (e.g. only running 'bgpd') are not affected.

On Linux distributions which compile Quagga with GCC -fstack-protector, the
impact may be limited to a DoS, as the GCC inserted stack-check function
epilogue should detect the overflow and safely abort the process if the bug
is exploited. Otherwise, the bug may allow arbitrary code execution by a
remote attacker.

Quagga supports running as a non-root user and with lowered privileges,
using capabilities on Linux, and this is highly encouraged. On Linux
distributions which configure Quagga to run this way, any exploit code will
be limited to a non-root environment, with 0 effective capabilities. The
acquirable capabilities are limited to CAP_NET_ADMIN, CAP_NET_RAW and
CAP_SYS_ADMIN.

Workarounds:

Disable IPv6 neighbour discovery announcements on all interfaces ("ipv6 nd
suppress-ra" configured under all interfaces). Make sure to have it
disabled on ALL interfaces.


Active exploits:
None known in the public at this time. Internal Proof-of-Concept code
exists.


Fixed Versions:

Quagga 1.0.20161017

Solution:

Upgrade to Quagga 1.0.20161017 or later, or apply the relevant commits to
the Quagga 1.0.20161017 release. Quagga can be downloaded from the
following location:

http://www.nongnu.org/quagga/

The git source code can be accessed via:

http://code.quagga.net/

Acknowledgments:

The issue was uncovered by David Lamparter.


References:

* Questions regarding this advisory should go to

***@quagga.net

regards,
--
Paul Jakma | ***@jakma.org | @pjakma | Key ID: 0xD86BF79464A2FF6A
Fortune:
it has Intel Inside
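The workaround in the advisory only holds if "ipv6 nd suppress-ra" is in effect on every interface, and in a large zebra configuration it is easy to miss one. The following audit script is an added example written for this page; it is not part of the original post or of the Quagga project. It assumes (not stated in the advisory) that the input is the text of zebra.conf or of `vtysh -c 'show running-config'`, that each interface block starts with a line `interface <name>` and ends at the next `!` or top-level statement, and that an interface which announces RAs carries the line `no ipv6 nd suppress-ra` in its block, since suppression is the default and the default is not printed. The sample configuration is constructed for the example.

```python
"""
Audit a Quagga zebra configuration for interfaces that still send IPv6
Router Advertisements, i.e. where the CVE-2016-1245 workaround
("ipv6 nd suppress-ra" on every interface) is NOT in effect.

Assumptions (example-specific, not from the advisory):
- stanzas are introduced by "interface <name>" and end at "!" or at the
  next unindented top-level statement;
- "no ipv6 nd suppress-ra" enables RAs, "ipv6 nd suppress-ra" disables
  them, and the last occurrence in a stanza wins (default: suppressed).
"""
import re

INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
RA_ENABLED_RE = re.compile(r"^\s*no\s+ipv6\s+nd\s+suppress-ra\s*$")
RA_SUPPRESSED_RE = re.compile(r"^\s*ipv6\s+nd\s+suppress-ra\s*$")


def parse_interfaces(config_text):
    """Return {interface_name: [stripped stanza lines]} for every block."""
    stanzas = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, [])
            continue
        # "!" or any unindented line ends the current interface stanza
        if line == "!" or (line and not line[0].isspace()):
            current = None
            continue
        if current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas


def ra_enabled_interfaces(config_text):
    """Names of interfaces whose stanza leaves RA announcement turned on."""
    enabled = []
    for name, lines in parse_interfaces(config_text).items():
        state = False  # Quagga default: RAs suppressed
        for stanza_line in lines:
            if RA_ENABLED_RE.match(stanza_line):
                state = True
            elif RA_SUPPRESSED_RE.match(stanza_line):
                state = False
        if state:
            enabled.append(name)
    return enabled


# Constructed sample configuration: eth0 announces RAs, eth1 never enabled
# them, dummy0 enabled then explicitly re-suppressed them.
SAMPLE_CONFIG = """\
hostname zebra
!
interface eth0
 ipv6 address 2001:db8:0:1::1/64
 no ipv6 nd suppress-ra
 ipv6 nd prefix 2001:db8:0:1::/64
!
interface eth1
 ipv6 address 2001:db8:0:2::1/64
!
interface dummy0
 no ipv6 nd suppress-ra
 ipv6 nd suppress-ra
!
line vty
!
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    offenders = ra_enabled_interfaces(text)
    if offenders:
        print("RA still enabled (workaround incomplete):", ", ".join(offenders))
        sys.exit(1)
    print("ipv6 nd suppress-ra in effect on all interfaces")
```

Run it as `vtysh -c 'show running-config' | python3 audit_ra.py` (file name assumed) on a live router, or against a saved zebra.conf; a non-zero exit means at least one interface is still advertising and the daemon remains exposed until it is patched or that interface is suppressed too.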
