Bug 1329366 (CVE-2016-3698)

Summary: CVE-2016-3698 libndp: denial of service due to insufficient validation of source of NDP messages
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:

Reporter: Lubomir Rintel <lrintel>
Assignee: Red Hat Product Security <security-response-team>
QA Contact: Vladimir Benes <vbenes>
Docs Contact:
CC: cbuissar, dcbw, lrintel, rkhan, security-response-team, vbenes
Keywords: Security

Doc Type: Bug Fix
Doc Text:
It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network could use this flaw to advertise a node as a router, allowing them to perform man-in-the-middle attacks on a connecting client, or disrupt the network connectivity of that client.

Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1333797, 1333799, 1336719
Bug Blocks: 1329557

Attachments:
  Patch 1/2 (flags: none)
  Patch 2/2 (flags: none)

Description Lubomir Rintel 2016-04-21 18:28:43 UTC
A report from e-mail:

> -------- Forwarded Message --------
> From: Julien BERNARD <julien.bernard>
> To: Dan Williams <dcbw>, Tambet Ingo <tambet>
> Cc: secalert, Viagénie Engineering <eng>
> Subject: Security issue with IPv6 on NetworkManager
> Date: Wed, 20 Apr 2016 12:56:36 -0400
>
> Hi,
>
> We didn't want to report this in the bug tracker regarding the security
> implications.
>
> We believe that NetworkManager accepts and processes Router Advertisements
> with a Hop Limit less than 255, allowing any node that is not on the
> local link to advertise as a router.
> This can be used to perform DoS attacks or to intercept/modify traffic
> of hosts outside of the local link.
>
> This was tested in a lab and we managed to reproduce it at any time.
> Looking at the source code, checking the hop-limit value in the
> receive_ra function in the src/rdisc/nm-lndp-rdisc.c file should resolve
> the issue.
>
> See RFC4861 §6.1.2 Validation of Router Advertisement Messages and §11
> for the Security Considerations section.
>
>
> Best regards,
>
> Julien Bernard

I believe the bug is actually a bug in libndp, not NetworkManager. However, it affects NetworkManager >= 1.0; that is, all supported versions of Fedora and RHEL-7 (RHEL-6 is not affected, since NM doesn't do IPv6 RA in userspace there).

We've added an additional flaw: libndp doesn't validate that the source address of the RA messages is a link-local address, making it easier to exploit this.

The issue is not public and we probably need to coordinate the disclosure.

Comment 1 Lubomir Rintel 2016-04-21 18:29:22 UTC
Created attachment 1149527 [details]
Patch 1/2

Comment 2 Lubomir Rintel 2016-04-21 18:29:44 UTC
Created attachment 1149528 [details]
Patch 2/2

Comment 3 Dan Williams 2016-04-21 18:44:00 UTC
Could the security response team get a CVE for this so we can more easily coordinate the fixes with other distros?

Comment 4 Adam Mariš 2016-04-22 09:00:20 UTC
(In reply to Dan Williams from comment #3)
> Could the security response team get a CVE for this so we can more easily
> coordinate the fixes with other distros?

CVE-2016-3698

Comment 7 Cedric Buissart 2016-05-06 14:38:22 UTC
Acknowledgments:

Name: Julien Bernard (Viagénie)

Comment 11 Cedric Buissart 2016-05-17 10:07:56 UTC
Created libndp tracking bugs for this issue:

Affects: fedora-all [bug 1336719]

Comment 12 Cedric Buissart 2016-05-17 10:08:03 UTC
Unembargoing, based on public date

Comment 13 errata-xmlrpc 2016-05-17 11:13:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1086 https://rhn.redhat.com/errata/RHSA-2016-1086.html

Comment 14 Cedric Buissart 2016-05-17 13:11:52 UTC
Upstream commits:
 - libndp: validate the IPv6 hop limit
   https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f

 - libndb: reject redirect and router advertisements from non-link-local
   https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839
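
The two receiver-side checks those commits add, the hop-limit and link-local source tests from RFC 4861 §6.1.2 that the original report and the description above point to, as an added example in C. This is illustration code written for this page, not libndp's or NetworkManager's source; the function names (ndp_validate, demo_case), the verdict enum, the constructed RA bytes and the sample addresses are all assumptions made here. It models what a raw ICMPv6 socket hands userspace: the ICMPv6 message, the sender address from recvmsg(), and the received hop limit from IPV6_HOPLIMIT ancillary data. The ICMPv6 checksum is assumed to have been verified before this point (the Linux kernel does so for raw ICMPv6 sockets), so it is not recomputed.

```c
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMPv6 type values and fixed header lengths from RFC 4861. */
#define ND_TYPE_ROUTER_ADVERT 134
#define ND_TYPE_REDIRECT      137
#define ND_RA_HDR_LEN         16   /* type .. retrans timer */
#define ND_REDIRECT_HDR_LEN   40   /* type .. destination address */
#define ND_OPT_PREFIX_INFO    3

enum ndp_verdict {
    NDP_ACCEPT = 0,
    NDP_REJECT_TYPE,               /* not an RA or a Redirect */
    NDP_REJECT_TOO_SHORT,
    NDP_REJECT_HOP_LIMIT,          /* hop limit != 255: packet was forwarded */
    NDP_REJECT_SRC_NOT_LINK_LOCAL, /* source outside fe80::/10 */
    NDP_REJECT_CODE,               /* ICMPv6 code must be 0 */
    NDP_REJECT_OPTION,             /* zero-length or overrunning option */
};

/* Validate an RA or Redirect as RFC 4861 s6.1.2 / s8.1 require. The checksum
 * is assumed verified already (see lead-in); hypothetical example code. */
enum ndp_verdict ndp_validate(const struct in6_addr *src, int hop_limit,
                              const uint8_t *msg, size_t len)
{
    if (len < 2)
        return NDP_REJECT_TOO_SHORT;
    uint8_t type = msg[0], code = msg[1];
    size_t hdr_len;
    if (type == ND_TYPE_ROUTER_ADVERT)
        hdr_len = ND_RA_HDR_LEN;
    else if (type == ND_TYPE_REDIRECT)
        hdr_len = ND_REDIRECT_HDR_LEN;
    else
        return NDP_REJECT_TYPE;
    if (len < hdr_len)
        return NDP_REJECT_TOO_SHORT;

    /* First upstream fix: every router decrements the hop limit, so a
     * message that still carries 255 was never forwarded. An off-link
     * sender cannot pass this whatever source address it forges. */
    if (hop_limit != 255)
        return NDP_REJECT_HOP_LIMIT;

    /* Second upstream fix: RAs and Redirects must come from fe80::/10. */
    if (!IN6_IS_ADDR_LINKLOCAL(src))
        return NDP_REJECT_SRC_NOT_LINK_LOCAL;

    if (code != 0)
        return NDP_REJECT_CODE;

    /* Options are TLVs whose length counts 8-octet units; zero is invalid
     * and a length past the end of the message would be read out of bounds
     * by a parser that trusts it. */
    for (size_t off = hdr_len; off < len; ) {
        if (len - off < 2)
            return NDP_REJECT_OPTION;
        size_t opt_len = (size_t)msg[off + 1] * 8;
        if (opt_len == 0 || opt_len > len - off)
            return NDP_REJECT_OPTION;
        off += opt_len;
    }
    return NDP_ACCEPT;
}

/* Constructed sample RA (not a capture): router lifetime 1800 s plus one
 * Prefix Information option (length 4 => 32 octets); unset bytes are 0. */
static const uint8_t sample_ra[ND_RA_HDR_LEN + 32] = {
    ND_TYPE_ROUTER_ADVERT, 0, 0, 0, /* type, code, checksum (not checked here) */
    64, 0, 0x07, 0x08,              /* cur hop limit, flags, router lifetime */
    0, 0, 0, 0,                     /* reachable time */
    0, 0, 0, 0,                     /* retrans timer */
    ND_OPT_PREFIX_INFO, 4, 64, 0xc0 /* option, length, /64, L+A flags */
};

/* Run one scenario: sender address as text, the hop limit the packet
 * arrived with, and optionally corrupt the option length to zero. */
enum ndp_verdict demo_case(const char *src_text, int hop_limit,
                           bool zero_option_len)
{
    struct in6_addr src;
    uint8_t msg[sizeof sample_ra];

    if (inet_pton(AF_INET6, src_text, &src) != 1)
        return NDP_REJECT_TYPE; /* bad test input, not a protocol verdict */
    memcpy(msg, sample_ra, sizeof msg);
    if (zero_option_len)
        msg[ND_RA_HDR_LEN + 1] = 0;
    return ndp_validate(&src, hop_limit, msg, sizeof msg);
}

int main(void)
{
    printf("on-link router, hop 255: %d\n", demo_case("fe80::1", 255, false));
    printf("forwarded RA, hop 254:   %d\n", demo_case("fe80::1", 254, false));
    printf("global source, hop 255:  %d\n", demo_case("2001:db8::1", 255, false));
    printf("zero-length option:      %d\n", demo_case("fe80::1", 255, true));
    return 0;
}
```

The hop-limit check is the one that closes the reported attack: a forged RA from outside the link necessarily crosses at least one router, which decrements the hop limit below 255, so the check holds even when the attacker also forges a link-local source. The source-address check is the belt to that suspenders, and the option-length loop is the sort of bound a receiver needs before it parses anything the sender controls.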

Comment 15 Product Security DevOps Team 2019-07-12 13:04:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3698