Bug 1329366 - (CVE-2016-3698) CVE-2016-3698 libndp: denial of service due to insufficient validation of source of NDP messages
Status: RELEASE_PENDING
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Assigned To: Red Hat Product Security
Vladimir Benes
impact=moderate,public=20160517,repor...
Depends On: 1333797 1333799 1336719
Blocks: 1329557
Reported: 2016-04-21 14:28 EDT by Lubomir Rintel
Modified: 2016-11-08 10:59 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network could use this flaw to advertise a node as a router, allowing them to perform man-in-the-middle attacks on a connecting client, or disrupt the network connectivity of that client.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Patch 1/2 (3.54 KB, text/plain) - 2016-04-21 14:29 EDT, Lubomir Rintel
Patch 2/2 (2.07 KB, text/plain) - 2016-04-21 14:29 EDT, Lubomir Rintel


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1086 normal SHIPPED_LIVE Moderate: libndp security update 2016-05-17 11:13:34 EDT

Description Lubomir Rintel 2016-04-21 14:28:43 EDT
A report from e-mail:

> -------- Forwarded Message --------
> From: Julien BERNARD <julien.bernard@viagenie.ca>
> To: Dan Williams <dcbw@redhat.com>, Tambet Ingo <tambet@gmail.com>
> Cc: secalert@redhat.com, Viagénie Engineering <eng@viagenie.ca>
> Subject: Security issue with IPv6 on NetworkManager
> Date: Wed, 20 Apr 2016 12:56:36 -0400
>
> Hi,
>
> We didn't want to report this in the bug tracker regarding the security
> implications.
>
> We believe that NetworkManager accepts and processes Router Advertisements
> with a Hop Limit less than 255, allowing any node that is not on the
> local link to advertise as a router.
> This can be used to perform DoS attacks or to intercept/modify traffic
> of hosts outside of the local link.
>
> This was tested in a lab and we managed to reproduce it at any time.
> Looking at the source code, checking the hop-limit value in the
> receive_ra function in the src/rdisc/nm-lndp-rdisc.c file should resolve
> the issue.
>
> See RFC 4861 §6.1.2, Validation of Router Advertisement Messages, and §11,
> Security Considerations.
>
>
> Best regards,
>
> Julien Bernard

I believe the bug is actually a bug in libndp, not NetworkManager. However, it affects NetworkManager >= 1.0; that is all supported versions of Fedora and RHEL-7 (RHEL-6 is not affected, since NM doesn't do IPv6 RA in userspace there).

We've added an additional flaw: libndp doesn't validate that the source address of the RA messages is a link-local address, making it easier to exploit this.

The issue is not public and we probably need to coordinate the disclosure.
Comment 1 Lubomir Rintel 2016-04-21 14:29 EDT
Created attachment 1149527 [details]
Patch 1/2
Comment 2 Lubomir Rintel 2016-04-21 14:29 EDT
Created attachment 1149528 [details]
Patch 2/2
Comment 3 Dan Williams 2016-04-21 14:44:00 EDT
Could the security response team get a CVE for this so we can more easily coordinate the fixes with other distros?
Comment 4 Adam Mariš 2016-04-22 05:00:20 EDT
(In reply to Dan Williams from comment #3)
> Could the security response team get a CVE for this so we can more easily
> coordinate the fixes with other distros?

CVE-2016-3698
Comment 7 Cedric Buissart 2016-05-06 10:38:22 EDT
Acknowledgments:

Name: Julien Bernard (Viagénie)
Comment 11 Cedric Buissart 2016-05-17 06:07:56 EDT
Created libndp tracking bugs for this issue:

Affects: fedora-all [bug 1336719]
Comment 12 Cedric Buissart 2016-05-17 06:08:03 EDT
Unembargoing, based on public date
Comment 13 errata-xmlrpc 2016-05-17 07:13:50 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1086 https://rhn.redhat.com/errata/RHSA-2016-1086.html
Comment 14 Cedric Buissart 2016-05-17 09:11:52 EDT
Upstream commits:
 - libndp: validate the IPv6 hop limit
https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f

 - libndb: reject redirect and router advertisements from non-link-local
https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839
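The two receive-side checks from RFC 4861 §6.1.2 that this bug is about (Hop Limit must be 255, and the source of a Router Advertisement must be link-local), written out as an added example for readers of this report; it is not libndp's or NetworkManager's code, and `struct ra_meta`, `ra_is_valid` and `check_ra` are hypothetical names for illustration:

```c
/* Added example, not libndp's code: the RFC 4861 s6.1.2 receive checks
 * whose absence is CVE-2016-3698. Names below are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define ND_ROUTER_ADVERT_TYPE 134  /* ICMPv6 type for Router Advertisement */

/* Constructed view of what a receiver learns about an RA: the IPv6
 * source and Hop Limit (ancillary data on the socket) plus ICMPv6 header. */
struct ra_meta {
    struct in6_addr src;   /* IPv6 source address of the packet */
    int hop_limit;         /* IPv6 Hop Limit as received, 0..255 */
    uint8_t icmp6_type;
    uint8_t icmp6_code;
};

/* Returns true only if the RA passes the validity checks relevant here;
 * RFC 4861 says a message failing any of them MUST be silently discarded. */
bool ra_is_valid(const struct ra_meta *m)
{
    if (m->icmp6_type != ND_ROUTER_ADVERT_TYPE || m->icmp6_code != 0)
        return false;
    /* Hop Limit 255 proves no router forwarded the packet: a node that
     * is not on the local link cannot deliver an RA with this value. */
    if (m->hop_limit != 255)
        return false;
    /* The IP Source Address MUST be a link-local address (fe80::/10);
     * this is the second check the report says libndp lacked. */
    if (!IN6_IS_ADDR_LINKLOCAL(&m->src))
        return false;
    return true;
}

/* Convenience wrapper for constructed samples: textual source address
 * plus hop limit, always typed as a well-formed RA. */
bool check_ra(const char *src_text, int hop_limit)
{
    struct ra_meta m = { .hop_limit = hop_limit,
                         .icmp6_type = ND_ROUTER_ADVERT_TYPE,
                         .icmp6_code = 0 };
    if (inet_pton(AF_INET6, src_text, &m.src) != 1)
        return false;   /* unparsable address: treat as invalid */
    return ra_is_valid(&m);
}
```

A message that fails either check is dropped before any router or prefix information in it is consumed, which is what the two upstream commits above add to libndp's receive path.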
