The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


NetBSD Security Advisory 2004-002: Inconsistent IPv6 path MTU discovery handling


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 19 Feb 2004 08:36:28 -0500
From: NetBSD Security-Officer <security-officer@netbsd.org.>
To: [email protected]
Subject: NetBSD Security Advisory 2004-002: Inconsistent IPv6 path MTU discovery handling


-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2004-002

Topic: Inconsistent IPv6 path MTU discovery handling Version: NetBSD-current: source prior to February 5, 2004 netBSD 1.6.2: not affected (fixed) NetBSD 1.6.1: affected NetBSD 1.6: affected NetBSD-1.5.x: not affected Severity: Remote kernel panic could be possible Fixed: NetBSD-current: February 5, 2004 NetBSD-1.6 branch: February 9, 2004 (1.6.2 includes the fix) NetBSD-1.5 branch: not affected Abstract ======== A malicious party can cause a remote kernel panic by using ICMPv6 "too big" messages. Technical Details ================= Once a specially-crafted ICMPv6 "too big" message is sent to a victim node, a routing table entry with a small path-MTU is installed. The victim system may later experience a kernel panic (due to a kernel stack overflow) if a TCP session that uses the routing table entry is later established. For further details, see: http://www.guninski.com/obsdmtu.html Solutions and Workarounds
The default NetBSD kernels (GENERIC*) ship with IPv6 compiled in. If you are using a kernel without IPv6, your system is not affected. Kernels with the "options INET6" line removed, or commented out, from the kernel configuration file do not include IPv6. Additionally, an attacker requires IPv6 connectivity to the host to send the packets that exploit this vulnerability. Note, however, that systems without external IPv6 routed connectivity may still be exposed via LAN or similar connections, where neighbouring systems can send IPv6 packets to the node. This potentially includes shared external segments and wireless networks. The following instructions describe how to upgrade your kernel by updating your source tree and rebuilding and installing a new version of the kernel. After replacing the kernel, a reboot is necessary. * NetBSD-current: Systems running NetBSD-current dated from before 2004-02-04 should be upgraded to NetBSD-current dated 2004-02-05 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): sys/netinet sys/netinet6 To update from CVS, re-build, and re-install kernel: # cd src # cvs update -d -P sys/netinet sys/netinet6 # cd sys/arch/ARCH/conf # config KERNELCONF # cd ../../compile/KERNELCONF # make clean depend; make # mv /netbsd /netbsd.old # cp netbsd / Then perform a reboot. # reboot * NetBSD 1.6, 1.6.1: The binary distributions of NetBSD 1.6 and 1.6.1 are vulnerable. * Binary patch: Binary patches are being provided, in the form of replacement kernels built with the patches from the GENERIC kernel configuration. If you use a custom kernel configuration, these may not be suitable for you. NOTE: The same kernel includes fixes for NetBSD-SA2004-002 and NetBSD-SA2004-004. If you already updated for 2004-004, you do not need to perform these steps again. To apply the binary patch, perform the following steps, replacing ARCH with the NetBSD architecture you are running (i.e. i386): ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2004-002-kernel/netbsd-1-6/ARCH-kernel.tgz cd / && cp /path/to/ARCH-kernel.gz / gzip -d ARCH-kernel.gz The tar file will extract a new copy of: ARCH-kernel Back up your old kernel: mv netbsd netbsd.old Then either rename: mv ARCH-kernel netbsd or link, as per local site policy: ln ARCH-kernel netbsd Then, reboot. * Updating from sources: Systems running NetBSD 1.6 sources dated from before 2004-02-08 should be upgraded from NetBSD 1.6 sources dated 2004-02-09 or later. NetBSD 1.6.2 includes the fix. The following directories need to be updated from the netbsd-1-6 CVS branch: sys/netinet sys/netinet6 To update from CVS, re-build, and re-install kernel: # cd src # cvs update -d -P -r netbsd-1-6 sys/netinet sys/netinet6 # cd sys/arch/ARCH/conf # config KERNELCONF # cd ../../compile/KERNELCONF # make clean depend; make # mv /netbsd /netbsd.old # cp netbsd / Then perform a reboot. # reboot Thanks To ========= Georgi Guninski Markus Friedl Daniel Hartmeier IIJ seil team Revision History ================ 2004-02-18 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2004-002.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/. Copyright 2004, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2004-002.txt.asc,v 1.1 2004/02/18 14:13:24 david Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (NetBSD) iQCVAwUBQDNz2D5Ru2/4N2IFAQEbcQP+MKBT8iS7hlZhQn24yIVDBo2NfkZKxBtH kUnzsFBc6kce3ekWzRGqkC0xn7OpYbx99LEZQFIwpUfVNJmVyDOYP2WMQO2AERdw lP+TRBQ2P90cF/q6RhYBpI7n3lsurehPXxgDiwYcyfgHTB7n2NxN/+2kTXwliRMz ZRsBXm/cn/g= =50/l -----END PGP SIGNATURE-----

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру