[ipv6hackers] CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
Enno Rey
erey at ernw.de
Sun Aug 14 20:38:51 CEST 2016
Hi Fernando,
On Sun, Aug 14, 2016 at 08:22:06PM +0200, Fernando Gont wrote:
> On 08/10/2016 10:38 PM, Enno Rey wrote:
> > Suresh,
> >
> > On Wed, Aug 10, 2016 at 05:52:16PM +0000, Suresh Krishnan wrote:
> >> Hi all,
> >> I have been notified about this vulnerability and have been asked whether
> >> this is due to an issue with the IPv6 protocol specifications. At first
> >> glance, I have a hard time seeing how this attack is possible on any
> >> compliant RFC4861 implementation given that the 255 Hop Limit check would
> >> drop any remote attack packets. If someone on the 6man/v6ops mailing lists
> >> has further info
> >
> > some public discussion (hence no need for off-list) incl. practical testing can be found here:
> > https://www.insinuator.net/2016/05/cve-2016-1409-ipv6-ndp-dos-vulnerability-in-cisco-software/
>
> Some comments:
> The outcome from your post is what I expected -- I'm not surprised. The
> Hop Limit validation check is to be performed by the receiving node,

correct.
actually in the post the Cisco device in question (2003:60:4010::8) *is* the receiving node. and it happily accepts ICMPv6 NA/RA/RS packets sent from far remote entities (and hence having a hop limit < 255). the point/problem is not the networks in between forwarding the packets but the final destination accepting them.

> rather than by the intermediate devices. If you wanted to enforce it on
> intermediate devices, you'd need to perform DPI, then the attacker
> fires packets with EHs, and then we possibly end up with the usual "drop
> all EHs, plus what I really want to drop".
>
> My take is that the vuln is completely unrelated to NCE, since all end
> systems I know of *do* check the Hop Limit of received ND packets.

apparently not true for quite some high end C* and J* gear, as their respective advisories state/show.

best

Enno
>
> Thanks!
>
> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>
--
Enno Rey
ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey
=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
=======================================================
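
The receiver-side Hop Limit validation discussed in this thread, as an added example that is not part of the original message or of any vendor's code: it walks the extension header chain to the ICMPv6 message and drops ND packets (types 133-137) whose Hop Limit is not 255. The names `nd_verdict`, `build` and `DSTOPT` are hypothetical, the sample packets are constructed, and checksum verification and Fragment header handling are left out.

```python
import struct

ND_MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # RS, RA, NS, NA, Redirect
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options
ICMPV6 = 58

def nd_verdict(packet: bytes) -> str:
    """Classify a raw IPv6 packet as 'accept', 'drop' or 'not-nd' (hypothetical helper)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop"  # truncated or not IPv6
    next_header, hop_limit = packet[6], packet[7]
    offset = 40
    # The receiver walks the extension header chain, so headers placed in
    # front of the ICMPv6 message do not hide it from the check.
    # (The Fragment header is not walked here; such packets return 'not-nd'.)
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            return "drop"
        next_header, ext_len = packet[offset], packet[offset + 1]
        offset += (ext_len + 1) * 8
    if next_header != ICMPV6:
        return "not-nd"
    if offset + 4 > len(packet):
        return "drop"
    icmp_type, icmp_code = packet[offset], packet[offset + 1]
    if icmp_type not in ND_MIN_LEN:
        return "not-nd"
    # RFC 4861 validation: Hop Limit 255 proves the packet crossed no router.
    if hop_limit != 255 or icmp_code != 0:
        return "drop"
    if len(packet) - offset < ND_MIN_LEN[icmp_type]:
        return "drop"
    return "accept"  # ICMPv6 checksum verification is omitted in this example

def build(hop_limit: int, icmp_type: int, icmp_len: int, ext: bytes = b"") -> bytes:
    """Constructed sample packet: documentation-prefix addresses, zero checksum."""
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(icmp_len - 4)
    header = struct.pack("!IHBB", 6 << 28, len(ext) + len(icmp), 60 if ext else ICMPV6, hop_limit)
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return header + src + dst + ext + icmp

DSTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # Destination Options + PadN, 8 bytes

if __name__ == "__main__":
    print(nd_verdict(build(255, 136, 24)))          # on-link NA
    print(nd_verdict(build(250, 136, 24)))          # NA that crossed routers
    print(nd_verdict(build(250, 134, 16, DSTOPT)))  # routed RA behind an EH
```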