Bug 1203712 (CVE-2015-2922) - CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements.
Summary: CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network sta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2922
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1208491 1208492 1208493 1208494 1208496 1208498 1209410 1209411 1210172 1210173
Blocks: 1203717
TreeView+ depends on / blocked
 
Reported: 2015-03-19 14:03 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:31 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:40:06 UTC
Embargoed:


Attachments (Terms of Use)
linux-3.18-ipv6-hop_limit.patch (898 bytes, text/plain)
2015-03-19 14:17 UTC, Vasyl Kaigorodov
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1221 0 normal SHIPPED_LIVE Moderate: kernel security, bug fix, and enhancement update 2015-07-14 19:12:10 UTC
Red Hat Product Errata RHSA-2015:1534 0 normal SHIPPED_LIVE Moderate: kernel security and bug fix update 2015-08-06 06:42:13 UTC
Red Hat Product Errata RHSA-2015:1564 0 normal SHIPPED_LIVE Moderate: kernel-rt security, bug fix, and enhancement update 2015-08-05 22:49:08 UTC
Red Hat Product Errata RHSA-2015:1565 0 normal SHIPPED_LIVE Moderate: kernel-rt security, bug fix, and enhancement update 2015-08-06 00:13:24 UTC

Description Vasyl Kaigorodov 2015-03-19 14:03:03 UTC
Linux kernel built with the IPv6 networking support(CONFIG_IPV6) is vulnerable to setting its 'hop_limit' too low, via the neighbour discovery protocol. It could result in thwarting the IPv6 functionality.

An unprivileged user on a local network could use this flaw to cause DoS to a remote system.

Upstream fix:
-------------
  -> https://git.kernel.org/linus/6fd99094de2b83d1d4c8457f2c83483b2828e75a

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2015/04/04/2

Comment 1 Vasyl Kaigorodov 2015-03-19 14:17:22 UTC
Created attachment 1003851 [details]
linux-3.18-ipv6-hop_limit.patch

Comment 2 Vasyl Kaigorodov 2015-03-19 14:19:15 UTC
In the attachment there is a patch for the Linux kernel that fixes this issue.

Other suggested mitigations:
* Disallowing Router Advertisements on a Switch level (RA filtering)
* Dropping Router Advertisements that do not contain a network/route
* Dropping Router Advertisements with short hop limits (hop limit < 40 or similar)

Other interesting combinations is to send "route removal" packet (timeout = 0 )  in combination.
Reported found that it isn't necessary, but most code paths will then delete the route if it finds it, even if it's not getting the "drop route" message from the host that advertised the route.

Comment 3 Prasad Pandit 2015-04-02 11:36:44 UTC
Statement:

This issue affects the versions of the Linux kernel as shipped with
Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2. Future kernel
updates for Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2 may
address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 5 Prasad Pandit 2015-04-02 11:46:12 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1208491]

Comment 11 Fedora Update System 2015-04-22 22:46:53 UTC
kernel-3.19.4-100.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-04-22 22:54:25 UTC
kernel-3.19.4-200.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2015-04-23 16:07:15 UTC
kernel-4.0.0-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2015-07-14 15:12:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1221 https://rhn.redhat.com/errata/RHSA-2015-1221.html

Comment 15 errata-xmlrpc 2015-08-05 18:49:27 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:1564 https://rhn.redhat.com/errata/RHSA-2015-1564.html

Comment 16 errata-xmlrpc 2015-08-05 20:13:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1565 https://access.redhat.com/errata/RHSA-2015:1565

Comment 17 errata-xmlrpc 2015-08-06 02:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1534 https://rhn.redhat.com/errata/RHSA-2015-1534.html


Note You need to log in before you can comment on or make changes to this bug.