Debian Bug report logs - #684072
CVE-2011-2393

Package: kfreebsd-9; Maintainer for kfreebsd-9 is GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Mon, 6 Aug 2012 18:06:01 UTC

Severity: important

Tags: security

Forwarded to http://www.freebsd.org/cgi/query-pr.cgi?pr=158726



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Mon, 06 Aug 2012 18:06:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Mon, 06 Aug 2012 18:06:03 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-2393
Date: Mon, 06 Aug 2012 20:02:52 +0200

Package: kfreebsd-9
Severity: important
Tags: security

Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2393  

I'm not sure if there's an upstream fix in the meantime?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Fri, 31 Aug 2012 18:48:02 GMT)

Acknowledgement sent to Petr Salinger <Petr.Salinger@seznam.cz>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 31 Aug 2012 18:48:03 GMT)

Message #10 received at 684072@bugs.debian.org:

From: Petr Salinger <Petr.Salinger@seznam.cz>
To: jmm@debian.org, 684072@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
Date: Fri, 31 Aug 2012 21:06:35 +0200 (CEST)

forwarded 684072 http://www.freebsd.org/cgi/query-pr.cgi?pr=158726
--

The description of the problem is:

  When flooding the local network with random router advertisements,
  hosts and routers update the network information, consuming all
  available CPU resources, making the systems unusable and unresponsive.

It happens only iff IPv6 autoconfiguration is enabled.
But we have only two choices

a) allow autoconfiguration and trust the network to provide correct input
   for autoconfiguration

b) disable autoconfiguration and configure interface manually

Whether autoconfiguration is enabled is controlled by sysctl.
The pristine FreeBSD has autoconfiguration disabled,
our kernel has it enabled to match Linux kernel behaviour:

kfreebsd-8 (8.0-9) unstable; urgency=low

  [ Aurelien Jarno ]
  * Default to netinet6.ip6.v6only=0 and netinet6.ip6.accept_rtadv=1
    to match the Linux kernel defaults.

 -- Aurelien Jarno <aurel32@debian.org>  Wed, 23 Jun 2010 21:31:54 +0200


What should we do?

Petr




Set Bug forwarded-to-address to 'http://www.freebsd.org/cgi/query-pr.cgi?pr=158726'. Request was from Petr Salinger <Petr.Salinger@seznam.cz> to control@bugs.debian.org. (Fri, 31 Aug 2012 18:48:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Fri, 31 Aug 2012 19:51:03 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 31 Aug 2012 19:51:03 GMT)

Message #17 received at 684072@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: Petr Salinger <Petr.Salinger@seznam.cz>, 684072@bugs.debian.org
Cc: "debian-bsd@lists.debian.org" <debian-bsd@lists.debian.org>
Subject: Re: Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
Date: Fri, 31 Aug 2012 20:46:35 +0100

Hi Petr,

On 31/08/12 20:06, Petr Salinger wrote:
> But we have only two choices
> 
> a) allow autoconfiguration and trust the network to provide correct input
>    for autoconfiguration

These are only accepted link-locally, and if someone can flood the link
layer with bogus rtadv packets they could flood with anything and still
cause a DoS.  What really matters, I think, is that the system doesn't
crash and that _other_ network interfaces still function.

A safe, tunable limit on how many IPs/routes can be configured through
this mechanism seems sensible.

There was a patch proposed in PR/158726, which implements a _global_
limit.  But that still means bogus rtadv's received on one interface
could break autoconfiguration on another;  a per-interface limit would
be the only way to avoid that.


Unless upstream decide on a good way to patch this, we could choose to
ignore the issue (as something that must be handled by the sysadmin if
the situation arises), or:

> b) disable autoconfiguration and configure interface manually

But if someone is already relying on IPv6 autoconfiguration, changing
the default could leave their system inaccessible after a kernel update.

IPv6-only networks might also depend on this feature to perform a
network install.  If it is disabled by default, we ought to provide an
easy way to re-enable it.

And this wouldn't really fix anything anyway;  if someone needs to
enable rtadv on their system they become vulnerable to the same issue again.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
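
The difference between a global and a per-interface cap on RA-learned prefixes, as discussed in the message above, shown as an added example. It is not part of the thread and not the patch from PR/158726; the cap value, the two-interface setup and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NIF   2    /* constructed: two interfaces, if0 (flooded) and if1 */
#define LIMIT 16   /* constructed cap on prefixes learned from RAs */

enum policy { GLOBAL_LIMIT, PER_IF_LIMIT };

struct ra_state {
    enum policy policy;
    unsigned per_if[NIF];  /* prefixes learned on each interface */
    unsigned total;        /* prefixes learned on all interfaces */
};

/* Decide whether a new RA-advertised prefix seen on interface ifidx may be
 * installed. Returns 1 if accepted, 0 if dropped because the cap is reached.
 * Either policy bounds the state a flood can create; they differ in which
 * counter the flood exhausts. */
static int ra_accept_prefix(struct ra_state *s, unsigned ifidx)
{
    unsigned used;

    if (ifidx >= NIF)
        return 0;
    used = (s->policy == GLOBAL_LIMIT) ? s->total : s->per_if[ifidx];
    if (used >= LIMIT)
        return 0;
    s->per_if[ifidx]++;
    s->total++;
    return 1;
}

/* Deliver `bogus` distinct prefixes on if0, then one legitimate RA on if1.
 * Returns whether the legitimate prefix on if1 was still accepted. */
static int legit_ra_survives(enum policy p, unsigned bogus)
{
    struct ra_state s;
    unsigned i;

    memset(&s, 0, sizeof s);
    s.policy = p;
    for (i = 0; i < bogus; i++)
        ra_accept_prefix(&s, 0);
    return ra_accept_prefix(&s, 1);
}

int main(void)
{
    printf("global limit:        if1 autoconfig works = %d\n",
           legit_ra_survives(GLOBAL_LIMIT, 1000));
    printf("per-interface limit: if1 autoconfig works = %d\n",
           legit_ra_survives(PER_IF_LIMIT, 1000));
    return 0;
}
```
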



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Fri, 07 Sep 2012 16:33:08 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Fri, 07 Sep 2012 16:33:08 GMT)

Message #22 received at 684072@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Petr Salinger <Petr.Salinger@seznam.cz>
Cc: jmm@debian.org, 684072@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
Date: Fri, 7 Sep 2012 18:29:30 +0200

On Fri, Aug 31, 2012 at 09:06:35PM +0200, Petr Salinger wrote:
> forwarded 684072 http://www.freebsd.org/cgi/query-pr.cgi?pr=158726
> --
>
> The description of the problem is:
>
>   When flooding the local network with random router advertisements,
>   hosts and routers update the network information, consuming all
>   available CPU resources, making the systems unusable and unresponsive.
>
> It happens only iff IPv6 autoconfiguration is enabled.
> But we have only two choices
>
> a) allow autoconfiguration and trust the network to provide correct input
>    for autoconfiguration
>
> b) disable autoconfiguration and configure interface manually
>
> Whether autoconfiguration is enabled is controlled by sysctl.
> The pristine FreeBSD has autoconfiguration disabled,
> our kernel has it enabled to match Linux kernel behaviour:
>
> kfreebsd-8 (8.0-9) unstable; urgency=low
>
>   [ Aurelien Jarno ]
>   * Default to netinet6.ip6.v6only=0 and netinet6.ip6.accept_rtadv=1
>     to match the Linux kernel defaults.
>
>  -- Aurelien Jarno <aurel32@debian.org>  Wed, 23 Jun 2010 21:31:54 +0200
>
>
> What should we do?

What about keeping autoconfig enabled and documenting the potential danger in 
README.Debian (or somewhere similar), so that anyone concerned can disable
it locally?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Mon, 29 Jul 2013 21:45:05 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Mon, 29 Jul 2013 21:45:05 GMT)

Message #27 received at 684072@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 684072@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
Date: Mon, 29 Jul 2013 22:40:02 +0100

On 07/09/12 17:29, Moritz Muehlenhoff wrote:
> What about keeping autoconfig enabled and documenting the potential danger in 
> README.Debian (or somewhere similar), so that anyone concerned can disable
> it locally?

It looks like we have a bigger problem than this:

I was going to simply write instructions on disabling IPv6
autoconfiguration, or how to completely disable IPv6 on an interface.
But when testing it on wheezy, it seems the necessary ifconfig flags are
not working on kfreebsd-amd64 or kfreebsd-i386, at least on 9.0 kernels:

# ifconfig xn0 ifdisabled
ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument
# ifconfig xn0 -accept_rtadv
ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument

This bug would have to be fixed in stable first.  It looks like kernel
ABI breakage, but at first glance the ioctl looks correct and data
structures the same.

There is a sysctl but by design it only sets a default for interfaces
not 'attached' yet, which is of no help here.  And changing the default
from the bootloader might not work either - a loader tunable for this
wasn't implemented until r253239 (kFreeBSD 9.2).

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org



Information forwarded to debian-bugs-dist@lists.debian.org, GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>:
Bug#684072; Package kfreebsd-9. (Mon, 29 Jul 2013 23:15:08 GMT)

Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>:
Extra info received and forwarded to list. Copy sent to GNU/kFreeBSD Maintainers <debian-bsd@lists.debian.org>. (Mon, 29 Jul 2013 23:15:08 GMT)

Message #32 received at 684072@bugs.debian.org:

From: Steven Chamberlain <steven@pyro.eu.org>
To: 684072@bugs.debian.org
Subject: Re: Bug#684072: CVE-2011-2393: ICMPv6 Router Announcement flooding DoS
Date: Tue, 30 Jul 2013 00:13:28 +0100

On 29/07/13 22:40, Steven Chamberlain wrote:
> # ifconfig xn0 ifdisabled
> ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument
> # ifconfig xn0 -accept_rtadv
> ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument

Argh, that needs to be:

# ifconfig xn0 inet6 ifdisabled
# ifconfig xn0 inet6 -accept_rtadv

Then it works fine.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 09:01:15 2014; Machine Name: buxtehude.debian.org
