Bug 723429 - (CVE-2011-2699) CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable
CVE-2011-2699 kernel: ipv6: make fragment identifications less predictable
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 723430 723431 723432 723433 723434 748667 761356 773543
Blocks: 717530
  Show dependency treegraph
Reported: 2011-07-20 02:54 EDT by Eugene Teo (Security Response)
Modified: 2016-02-15 07:15 EST (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-05-10 04:13:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eugene Teo (Security Response) 2011-07-20 02:54:53 EDT
IPv6 fragment identification generation is way beyond what we use for IPv4 : It uses a single generator. Its not scalable and allows DOS attacks.

Now inetpeer is IPv6 aware, we can use it to provide a more secure and scalable frag ident generator (per destination, instead of system wide)

This patch :
1) defines a new secure_ipv6_id() helper
2) extends inet_getid() to provide 32bit results
3) extends ipv6_select_ident() with a new dest parameter



Red Hat would like to thank Fernando Gont for reporting this issue.
Comment 7 Petr Matousek 2011-07-20 06:06:47 EDT

This issue did not affect the Linux kernel as shipped with Red Hat Enterprise MRG as it has backported the fix that addresses this issue. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates. This has been addressed in Red Hat Enterprise Linux 5 and 6 via https://rhn.redhat.com/errata/RHSA-2011-1386.html and https://rhn.redhat.com/errata/RHSA-2011-1465.html.
Comment 9 Eugene Teo (Security Response) 2011-07-26 05:00:50 EDT
Upstream commit:
Comment 11 Eugene Teo (Security Response) 2011-08-24 01:11:11 EDT
(In reply to comment #9)
> Upstream commit:
> http://git.kernel.org/linus/87c48fa3b4630905f98268dde838ee43626a060c

I believe this is the one we want to backport; http://permalink.gmane.org/gmane.linux.kernel.stable/16086
Comment 16 errata-xmlrpc 2011-10-20 13:28:27 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1386 https://rhn.redhat.com/errata/RHSA-2011-1386.html
Comment 17 Eugene Teo (Security Response) 2011-10-24 23:33:26 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748667]
Comment 19 errata-xmlrpc 2011-11-22 11:49:44 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html
Comment 22 errata-xmlrpc 2012-03-06 12:43:31 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0358 https://rhn.redhat.com/errata/RHSA-2012-0358.html

Note You need to log in before you can comment on or make changes to this bug.