Bug 1192132 (CVE-2015-0272)

Summary: CVE-2015-0272 NetworkManager: remote DoS using IPv6 RA with bogus MTU
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, aquini, bhu, carnil, ccoleman, danw, dcbw, dhoward, dmcphers, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jialiu, joelsmith, jokerman, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kseifried, lkundrak, lmeyer, lwang, madhu.chinakonda, matt, mchehab, mcressma, mguzik, mmccomas, mrg-program-list, nmurray, plougher, rkhan, rvrbovsk, security-response-team, slawomir, slong, thaller, vdronov, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs (Router Advertisements), without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of service attack, by sending a specially crafted IPv6 RA packet to disturb IPv6 communication.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-27 08:17:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1183051, 1260931    
Bug Blocks: 1192133, 1210268    

Description Vasyl Kaigorodov 2015-02-12 16:41:03 UTC 
It was reported [1] that it's possible to craft a Router Advertisement message which will bring the receiver in a state where new IPv6 connections will not be accepted until correct Router Advertisement message received.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1183051#c3
Comment 1 Salvatore Bonaccorso 2015-09-03 06:22:17 UTC 
Hi Vasyl

The referenced other report seems restricted. Is there any more information you can share on CVE-2015-0272 (e.g. affected versions, fixing commit)?

Regards,
Salvatore
Comment 3 Stefan Cornelius 2015-09-08 09:06:47 UTC 
Created NetworkManager tracking bugs for this issue:

Affects: fedora-all [bug 1260931]
Comment 4 Stefan Cornelius 2015-09-08 09:36:21 UTC 
It was discovered that NetworkManager would set device MTUs based on the MTU values received in IPv6 RAs (Router Advertisements), without checking the MTU value for sanity first. A remote attacker could exploit this attack to disturb IPv6 communication by sending a specially crafted IPv6 RA packet.

NetworkManager patch:
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d5fc88e573fa58b93034b04d35a2454f5d28cad9

There's also a patch for the kernel to harden against invalid MTUs (the file to set the MTU is root owned, though):
http://article.gmane.org/gmane.linux.network/351269
Comment 6 errata-xmlrpc 2015-11-19 11:00:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2315 https://rhn.redhat.com/errata/RHSA-2015-2315.html