Tuesday, March 13, 2007

Preview of IPv6 Problems

I recommend reading this advisory from Core Security:

The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:

1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;

2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)

The issue can be triggered by sending a specially crafted IPv6 fragmented packet...

OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration...

[I]n order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -- in which case the attacking system does not need to have a working IPv6 stack -- or the ability to route or tunnel IPv6 packets to the target from a remote network.


I'm not posting this story to criticize OpenBSD. I'd like to use it as a preview of problems we're going to see in all operating systems as security researchers (of the above- and underground variety) scrutinize IPv6 stacks. TCP/IP stack vulnerabilities can be a real problem because the main defense is patching. Sometimes you can filter odd packets before they hit vulnerable stacks, but what do you do if your filtering device is also vulnerable? There are no "unnecessary services" to disable, unless you choose not to run IPv6.
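Filtering "odd packets" in front of a stack starts with recognising them on the wire. As an added example (not from the post, the Core advisory, or OpenBSD's code), the following Python walks an IPv6 extension-header chain according to RFC 2460, reports whether a Fragment header is present, and applies a simple inbound policy of the kind a filtering device could enforce. The sample packets are constructed inline; the policy function and its return values are my own naming, not any firewall's.

```python
"""Inspect IPv6 packets for the Fragment extension header.

Added example: a minimal IPv6 extension-header walker, the kind of check a
filtering device applies to inbound packets before they reach a host stack.
Header layouts follow RFC 2460; the policy function below is an assumption.
"""
import ipaddress
import struct

# IANA protocol numbers for the extension headers we walk
HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
UDP = 17
EXT_NAMES = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             AH: "AH", DSTOPTS: "Destination Options"}


def parse_ipv6(packet: bytes) -> dict:
    """Return the extension-header chain, fragment details and upper-layer protocol."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", packet[4:7])
    end = 40 + payload_len
    if len(packet) < end:
        raise ValueError("payload length exceeds captured bytes")
    info = {"headers": [], "fragment": None, "upper": None}
    offset = 40
    while next_hdr in EXT_NAMES:
        info["headers"].append(EXT_NAMES[next_hdr])
        if next_hdr == FRAGMENT:
            # Fragment header is always 8 bytes: nh, reserved, offset/M flag, identification
            if offset + 8 > end:
                raise ValueError("truncated Fragment header")
            nh, _, frag_field, ident = struct.unpack("!BBHI", packet[offset:offset + 8])
            info["fragment"] = {"offset": (frag_field >> 3) * 8,  # bytes
                                "more": bool(frag_field & 1),
                                "id": ident}
            hdr_len = 8
        else:
            if offset + 2 > end:
                raise ValueError("truncated extension header")
            nh, ext_len = packet[offset], packet[offset + 1]
            # AH counts its length in 4-octet units minus 2; the others in 8-octet units minus 1
            hdr_len = (ext_len + 2) * 4 if next_hdr == AH else (ext_len + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header runs past payload")
        next_hdr, offset = nh, offset + hdr_len
    info["upper"] = next_hdr
    return info


def inbound_decision(packet: bytes, allow_fragments: bool = False) -> str:
    """Hypothetical inbound policy: 'pass', 'drop-fragment' or 'drop-malformed'."""
    try:
        info = parse_ipv6(packet)
    except ValueError:
        return "drop-malformed"
    if info["fragment"] is not None and not allow_fragments:
        return "drop-fragment"
    return "pass"


def build_sample(fragmented: bool) -> bytes:
    """Constructed sample packet (not captured traffic): fe80::1 -> fe80::2 carrying UDP."""
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("fe80::2").packed
    udp = struct.pack("!HHHH", 1234, 5678, 16, 0) + b"fragtest"  # 8-byte header + 8 bytes data
    if fragmented:
        # Hop-by-Hop (one PadN option) -> Fragment (first piece, more to follow) -> UDP
        hbh = struct.pack("!BB", FRAGMENT, 0) + bytes([1, 4, 0, 0, 0, 0])
        frag = struct.pack("!BBHI", UDP, 0, (0 << 3) | 1, 0x12345678)
        body, first = hbh + frag + udp, HOPOPT
    else:
        body, first = udp, UDP
    fixed = struct.pack("!IHBB", 0x60000000, len(body), first, 64)
    return fixed + src + dst + body


if __name__ == "__main__":
    for name, pkt in (("plain", build_sample(False)), ("fragmented", build_sample(True))):
        print(name, parse_ipv6(pkt), inbound_decision(pkt))
```

The walker deliberately refuses packets whose headers overrun the stated payload length instead of reading past them, which is the behaviour you want in anything that sits in front of a stack you cannot patch immediately; a real filter would also have to reassemble fragments before judging the upper-layer content.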

For my previous thoughts on IPv6 I recommend reading this post. From what I hear, managers and CIOs in .gov, .mil, and elsewhere mostly think IPv6 brings "security" and other goodies; they are clearly not clued in to the problems on the horizon.

Update: Thanks to Shirkdog for prompting me to see if FreeBSD shares the same code. You can use Robert Watson's Kernel Cross Reference to see a comparison of OpenBSD HEAD and FreeBSD RELENG6. I'll leave it to the experts to decide if the problem exists in FreeBSD too. I'm worried because the BSDs all use the same KAME IPv6 code.

7 comments:

Jordan said...

The OpenBSD folks seem to think it's not. From the Core advisory:

2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD...

Pete said...

Basically, IPv6 adoption, if it ever happens en masse, is a new set of state machines that haven't been fully vetted by years of abuse. So with the new state machines, both new and old problems arise. Expect pain.

Matt Franz said...

Although it's not cool (and too easy to be wrong) to say things won't be that bad, I would expect the pain to be far less than IPv4. Sure, there will be bugs; I would predict far fewer than what we saw in the late 90s. There are already some hits in the CVE for IPv6, and there are probably a lot more bugs that have been silently found and fixed. Plus the big vendors with IPv6 kit are not as stupid as they often look and are likely to have weeded out the low-hanging fruit with stuff like Codenomicon.

Chris_B said...

I'm betting with Pete on this. I'll go one further and say that we'll be facing problems with IPv6 implementations at the same time as we deal with today's "layer 7" issues.

Shirkdog said...

This comment has been removed by the author.

Shirkdog said...

More useful post :-)

An initial analysis points to FreeBSD having a different implementation.

http://permalink.gmane.org/gmane.os.freebsd.security.general/8468

Richard Bejtlich said...

http://www.renesys.com/blog/2006/03/bashing_ipv6_at_telecomnext.shtml