A report from e-mail:
> -------- Forwarded Message --------
> From: Julien BERNARD <firstname.lastname@example.org>
> To: Dan Williams <email@example.com>, Tambet Ingo <firstname.lastname@example.org>
> Cc: email@example.com, Viagénie Engineering <firstname.lastname@example.org>
> Subject: Security issue with IPv6 on NetworkManager
> Date: Wed, 20 Apr 2016 12:56:36 -0400
> We didn't want to report this in the bug tracker regarding the security
> We believe that NetworkManager accepts and processes Router
> with Hop Limit less than 255 allowing any node that is not on the
> local link to advertise as a router.
> This can be used to perform DoS attacks or to intercept/modify traffic
> of hosts outside of the local link.
> This was tested in a lab and we managed to reproduce it at any time.
> Looking at the source code, checking the hop-limit value in the
> receive_ra function in src/rdisc/nm-lndp-rdisc.c file should resolve
> the issue.
> See RFC4861 §6.1.2 Validation of Router Advertisement Messages and §11
> for Security Considerations section.
> Best regards,
> Julien Bernard
I believe the bug is actually a bug in libndp, not NetworkManager. However, it affects NetworkManager >= 1.0; that is all supported versions of Fedora and RHEL-7 (RHEL-6 is not affected, since NM doesn't do IPv6 RA in userspace there).
We've added an additional flaw that libndp doesn't validate that the source address of the RA messages is a link-local address, making it easier to exploit this.
The issue is not public and we probably need to coordinate the disclosure.
Created attachment 1149527
Created attachment 1149528
Could the security response team get a CVE for this so we can more easily coordinate the fixes with other distros?
(In reply to Dan Williams from comment #3)
> Could the security response team get a CVE for this so we can more easily
> coordinate the fixes with other distros?
Name: Julien Bernard (Viagénie)
Created libndp tracking bugs for this issue:
Affects: fedora-all [bug 1336719]
Unembargoing, based on public date
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1086 https://rhn.redhat.com/errata/RHSA-2016-1086.html
Upstream commits:
- libndp: validate the IPv6 hop limit
- libndp: reject redirect and router advertisements from non-link-local
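The two checks named in the commits above, together with the code, length and option checks from the same RFC 4861 §6.1.2 list, as an added C example. It is not libndp's code: `check_ra`, `check_sample` and the verdict enum are hypothetical names, and the sample RA is constructed.

```c
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_RA_TYPE    134   /* ICMPv6 Router Advertisement */
#define ND_RA_MIN_LEN 16    /* ICMPv6 header plus fixed RA fields */
enum ra_verdict { RA_OK, RA_BAD_HOPLIMIT, RA_BAD_SOURCE, RA_MALFORMED };

/* hop_limit is the received packet's IPv6 Hop Limit (IPV6_HOPLIMIT ancillary
 * data), not Cur Hop Limit in the RA body. Checksum verification is omitted. */
enum ra_verdict check_ra(const uint8_t *icmp, size_t len, int hop_limit,
                         const struct in6_addr *src)
{
    if (hop_limit != 255)       /* any forwarding router decrements it */
        return RA_BAD_HOPLIMIT;
    if (src->s6_addr[0] != 0xfe || (src->s6_addr[1] & 0xc0) != 0x80)
        return RA_BAD_SOURCE;   /* source is not in fe80::/10 */
    if (len < ND_RA_MIN_LEN || icmp[0] != ND_RA_TYPE || icmp[1] != 0)
        return RA_MALFORMED;
    for (size_t off = ND_RA_MIN_LEN; off < len; ) {
        /* option = type, length in 8-octet units, data; length 0 is invalid */
        size_t left = len - off;
        if (left < 2 || icmp[off + 1] == 0 || icmp[off + 1] * 8u > left)
            return RA_MALFORMED;
        off += icmp[off + 1] * 8u;
    }
    return RA_OK;
}

/* Constructed sample: an RA with one MTU option; caller varies the inputs. */
enum ra_verdict check_sample(int hop_limit, uint8_t b0, uint8_t b1,
                             uint8_t optlen)
{
    uint8_t ra[24] = { ND_RA_TYPE, 0, 0, 0, 64, 0, 0x07, 0x08 };
    struct in6_addr src;
    memset(&src, 0, sizeof src);
    src.s6_addr[0] = b0; src.s6_addr[1] = b1; src.s6_addr[15] = 1;
    ra[16] = 5; ra[17] = optlen; ra[22] = 0x05; ra[23] = 0xdc; /* MTU 1500 */
    return check_ra(ra, sizeof ra, hop_limit, &src);
}

int main(void)
{
    printf("on-link=%d routed=%d\n", check_sample(255, 0xfe, 0x80, 1),
           check_sample(64, 0xfe, 0x80, 1));
    return 0;
}
```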
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):