what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ICMPv6 Router Announcement Flooding Denial Of Service

ICMPv6 Router Announcement Flooding Denial Of Service
Posted Apr 6, 2011
Authored by van Hauser

An ICMPv6 router announcement flooding denial of service vulnerability affects multiple systems including Cisco, Juniper, Microsoft, and FreeBSD. Cisco has addressed the issue but Microsoft has decided to ignore it.

tags | advisory, denial of service
systems | cisco, freebsd, juniper
advisories | CVE-2010-4670, CVE-2010-4671, CVE-2010-4669
SHA-256 | b678a0b413550ec37fd50aa3338c0642a3b7f81dcdd9c330b6d7ffb73e786564

ICMPv6 Router Announcement Flooding Denial Of Service

Change Mirror Download
This security advisory is released because Microsoft doesnt want to fix
the issue. Cisco did for its IOS and ASA within 3 months.


________________________________________________________________________

Title: ICMPv6 Router Announcement flooding denial of service affecting
multiple systems
Date: 05 April 2011
URL: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt

________________________________________________________________________

Vendors: Cisco, Juniper, Microsoft, FreeBSD
Affected Products: All Cisco IOS ASA with firmware < November 2010
All Netscreen versions
All Windows versions
All FreeBSD version
Vulnerability: ICMPv6 Router Announcement flooding denial of service
Severity: 7.8 (CVE CVSS Score), local network
CVEs: CVE-2010-4670, CVE-2010-4671, CVE-2010-4669

________________________________________________________________________

Update Section:

05 April 2011
Initial release

________________________________________________________________________

Overview:

When flooding the local network with random router advertisements,
hosts and routers update the network information, consuming all
available CPU resources, making the systems unusable and unresponsive.
As IPv6 and autoconfiguration are enabled by default, all are
affected in their default configuration.
For Windows, a personal firewall or similar security product does not
protect against this attack.

Note: Microsoft does not want to fix this security issue for their
products.


Impact:

Updating the routing tables and configuring IPv6 addresses take up
all available CPU resources.
Routers and firewalls do not forward traffic.

The denial of service is in affect until the flooding is terminated.

The exact impact differs from the affected system type:
Cisco: 100% traffic loss with autconfiguration active, 80% without.
Netscreen: Only affected when the interface is configured as host, traffic
is forwarded until the neighbor information times out, then the traffic
is lost
Windows: 100% CPU, 100% RAM
FreeBSD: 100% CPU, additionally IPv6 support can be lost until reboot
occasionally.
Old Linux kernels are also affected, detailed version information unknown.


Description:

On IPv6 networks, hosts automatically find out about available
routers via ICMPv6 router announcements which are sent by the
routers. Additionally, router announcemens are used to replace
DHCP by the so called autoconfiguration feature.

Windows and FreeBSD - like all modern operating systems - enable
IPv6 and autoconfiguration by default and are thereby vulnerable.
A personal firewall will not protect against this attack.

If a system receives a router announcement of a new router, it
updates its routing table with the new router, and if the
autoconfiguration flag is set on the announcement (and the host
is configured to configure its IPv6 address by this mechanism),
the host chooses an IPv6 address from the announced network space.

If a network is flooded with random router announcements, systems
scramble to update their routing tables and configure IPv6
addresses.


Exploit:

Flood the network with router advertisements coming from different
routers and announcing different network prefixes.

A tool to test for this vulnerability is included in the thc-ipv6
package, called flood_router6.


Solution:

Cisco: IOS fix CSCti24526 , ASA fix CSCti33534
Linux: fixed prior 2010
Netscreen: Juniper waiting for IETF results for how to fix the issue
FreeBSD: unknown
Windows: Microsoft made clear that they do not plan to issue a
fix for this security issue.


Workaround:

The procession of router announcements must be disabled.
Please consult your system manual on how to this for your
affected platform.
Alternatively, disable IPv6.


________________________________________________________________________

Vendor communication:

10 July 2010 Microsoft informed

10 July 2010 Cisco informed

01 August 2010 Cisco confirms problem, announces fix for October

12 August 2010 Microsoft confirms vulnerability, states no fix
will be supplied.

22 November 2010 Cisco confirms fixes are available and started to
be deployed in current firmwares

28 December 2010 vendor-sec informed (among other issues)

05 February 2011 FreeBSD informed (made aware via vendor-sec 5 weeks
before)

20 February 2011 Juniper informed

09 March 2011 Juniper confirms problem

01 April 2011 Juniper informs that they work with the IETF to
develop a standard method to cope with this and
similar attacks.

________________________________________________________________________

Contact:

Marc Heuse
mh@mh-sec.de
http://www.mh-sec.de

________________________________________________________________________

The information provided is released "as is" without warranty of
any kind. The publisher disclaims all warranties, either express or
implied, including all warranties of merchantability.
No responsibility is taken for the correctness of this information.
In no event shall the publisher be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if the publisher has been
advised of the possibility of such damages.

The contents of this advisory is copyright (c) 2010,2011 by Marc Heuse
and may be distributed freely provided that no fee is charged for
the distribution and proper credit is given.

________________________________________________________________________

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close