Preview of IPv6 Problems
I recommend reading this advisory from Core Security:
The OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in:
1) Remote execution of arbitrary code at the kernel level on the vulnerable systems (complete system compromise), or;
2) Remote denial of service attacks against vulnerable systems (system crash due to a kernel panic)
The issue can be triggered by sending a specially crafted IPv6 fragmented packet...
OpenBSD systems using default installations are vulnerable because the default pre-compiled kernel binary (GENERIC) has IPv6 enabled and OpenBSD's firewall does not filter inbound IPv6 packets in its default configuration...
[I]n order to exploit a vulnerable system an attacker needs to be able to inject fragmented IPv6 packets on the target system's local network. This requires direct physical/logical access to the target's local network -- in which case the attacking system does not need to have a working IPv6 stack -- or the ability to route or tunnel IPv6 packets to the target from a remote network.
I'm not posting this story to criticize OpenBSD. I'd like to use it as a preview of problems we're going to see in all operating systems as security researchers (of the above- and underground variety) scrutinize IPv6 stacks. TCP/IP stack vulnerabilities can be a real problem because the main defense is patching. Sometimes you can filter odd packets before they hit vulnerable stacks, but what do you do if your filtering device is also vulnerable? There are no "unnecessary services" to disable, unless you choose not to run IPv6.
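As an added example (not code from the original post, from Core Security, or from OpenBSD), the following Python script shows the kind of check a sensor or filtering device could apply to inbound IPv6 traffic before it reaches a stack you cannot yet patch: it walks a packet's extension-header chain and flags any packet that carries a Fragment header. The header layout follows RFC 2460; the sample packets, addresses and fragment identifier are constructed for the demonstration and are not captured traffic.

```python
"""Flag fragmented IPv6 packets by walking the extension-header chain.

Added example, not code from the original post, Core Security or OpenBSD.
A filter or sensor can use a check like this to drop or alert on IPv6
fragments while a vulnerable stack waits for a patch.
"""
import struct

IPV6_HEADER_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP = 6, 17
# Extension headers whose length byte counts 8-octet units beyond the first 8.
VARIABLE_LEN_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def parse_ipv6(packet: bytes) -> dict:
    """Return the header chain, upper-layer protocol and fragment info (if any).

    Every length is checked against the captured bytes, because a filtering
    device that trusts packet-supplied lengths is itself a target.
    """
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 base header")
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack_from("!HB", packet, 4)
    if IPV6_HEADER_LEN + payload_len > len(packet):
        raise ValueError("payload length exceeds captured bytes")

    chain, fragment = [], None
    offset = IPV6_HEADER_LEN
    while True:
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            # Fragment header is fixed at 8 octets: next, reserved, offset/M, id.
            if offset + 8 > len(packet):
                raise ValueError("truncated fragment header")
            nxt, _res, frag_field, ident = struct.unpack_from("!BBHI", packet, offset)
            fragment = {"offset": frag_field >> 3, "more": bool(frag_field & 1), "id": ident}
            next_hdr = nxt
            if fragment["offset"] != 0:
                # Only the first fragment carries the rest of the header chain;
                # later fragments hold raw payload, so stop walking here.
                break
            offset += 8
        elif next_hdr in VARIABLE_LEN_EXT:
            if offset + 2 > len(packet):
                raise ValueError("truncated extension header")
            nxt, ext_len = struct.unpack_from("!BB", packet, offset)
            offset += (ext_len + 1) * 8
            if offset > len(packet):
                raise ValueError("extension header overruns packet")
            next_hdr = nxt
        else:
            break  # upper-layer protocol (TCP, UDP, ICMPv6, ...) or unknown type
    return {"chain": chain, "upper_layer": next_hdr, "fragment": fragment}


def fragmented_packets(packets: dict) -> list:
    """Names of packets a filter should hold back or alert on: any with a fragment header."""
    return [name for name, raw in packets.items() if parse_ipv6(raw)["fragment"] is not None]


def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Build a base header around PAYLOAD (constructed documentation addresses, hop limit 64)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


# Constructed sample packets (not captured traffic).
HBH_THEN_FRAG = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                  # Hop-by-Hop with PadN
FIRST_FRAG = struct.pack("!BBHI", UDP, 0, (0 << 3) | 1, 0xDEADBEEF)      # offset 0, M=1
LATER_FRAG = struct.pack("!BBHI", UDP, 0, (185 << 3) | 0, 0xDEADBEEF)    # offset 185, M=0
SAMPLES = {
    "plain_tcp": _ipv6(TCP, bytes(20)),
    "first_fragment": _ipv6(HOP_BY_HOP, HBH_THEN_FRAG + FIRST_FRAG + bytes(8)),
    "later_fragment": _ipv6(FRAGMENT, LATER_FRAG + bytes(8)),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse_ipv6(raw))
    print("would filter:", fragmented_packets(SAMPLES))
```

The point of the length checks is the question raised above: a filtering device that parses IPv6 has its own stack to worry about, so a fragment filter must reject truncated or over-long headers rather than read past the buffer. Note that the walk stops at the first non-initial fragment, since the header chain after that point belongs to the reassembled packet, not to the bytes on the wire.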
For my previous thoughts on IPv6 I recommend reading this post. From what I hear managers and CIOs in .gov, .mil, and elsewhere mostly think IPv6 brings "security" and other goodies; they are clearly not clued in to the problems on the horizon.
Update: Thanks to Shirkdog for prompting me to see if FreeBSD shares the same code. You can use Robert Watson's Kernel Cross Reference to see a comparison of OpenBSD HEAD and FreeBSD RELENG6. I'll leave it to the experts to decide if the problem exists in FreeBSD too. I'm worried because the BSDs all use the same KAME IPv6 code.
Comments
2007-02-26: OpenBSD team communicates that the issue is specific to OpenBSD...
An initial analysis points to FreeBSD having a different implementation.
http://permalink.gmane.org/gmane.os.freebsd.security.general/8468