Bug 1192132 (CVE-2015-0272) - CVE-2015-0272 NetworkManager: remote DoS using IPv6 RA with bogus MTU
Summary: CVE-2015-0272 NetworkManager: remote DoS using IPv6 RA with bogus MTU
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0272
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1183051 1260931
Blocks: 1192133 1210268
TreeView+ depends on / blocked
 
Reported: 2015-02-12 16:41 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:28 UTC (History)
44 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs (Router Advertisements), without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of service attack, by sending a specially crafted IPv6 RA packet to disturb IPv6 communication.
Clone Of:
Environment:
Last Closed: 2017-06-27 08:17:56 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2315 0 normal SHIPPED_LIVE Moderate: NetworkManager security, bug fix, and enhancement update 2015-11-19 10:06:58 UTC

Description Vasyl Kaigorodov 2015-02-12 16:41:03 UTC
It was reported [1] that it's possible to craft a Router Advertisement message which will bring the receiver in a state where new IPv6 connections will not be accepted until correct Router Advertisement message received.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1183051#c3

Comment 1 Salvatore Bonaccorso 2015-09-03 06:22:17 UTC
Hi Vasyl

The referenced other report seems restricted. Is there any more information you can share on CVE-2015-0272 (e.g. affected versions, fixing commit)?

Regards,
Salvatore

Comment 3 Stefan Cornelius 2015-09-08 09:06:47 UTC
Created NetworkManager tracking bugs for this issue:

Affects: fedora-all [bug 1260931]

Comment 4 Stefan Cornelius 2015-09-08 09:36:21 UTC
It was discovered that NetworkManager would set device MTUs based on the MTU values received in IPv6 RAs (Router Advertisements), without checking the MTU value for sanity first. A remote attacker could exploit this attack to disturb IPv6 communication by sending a specially crafted IPv6 RA packet.

NetworkManager patch:
http://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d5fc88e573fa58b93034b04d35a2454f5d28cad9

There's also a patch for the kernel to harden against invalid MTUs (the file to set the MTU is root owned, though):
http://article.gmane.org/gmane.linux.network/351269

Comment 6 errata-xmlrpc 2015-11-19 11:00:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2315 https://rhn.redhat.com/errata/RHSA-2015-2315.html


Note You need to log in before you can comment on or make changes to this bug.