Bug 1329366 (CVE-2016-3698) - CVE-2016-3698 libndp: denial of service due to insufficient validation of source of NDP messages
Summary: CVE-2016-3698 libndp: denial of service due to insufficient validation of sou...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3698
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Vladimir Benes
URL:
Whiteboard:
Depends On: 1333797 1333799 1336719
Blocks: 1329557
 
Reported: 2016-04-21 18:28 UTC by Lubomir Rintel
Modified: 2021-02-17 04:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that libndp did not properly validate and check the origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a non-local network could use this flaw to advertise a node as a router, allowing them to perform man-in-the-middle attacks on a connecting client, or disrupt the network connectivity of that client.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:11 UTC


Attachments
Patch 1/2 (3.54 KB, text/plain), 2016-04-21 18:29 UTC, Lubomir Rintel
Patch 2/2 (2.07 KB, text/plain), 2016-04-21 18:29 UTC, Lubomir Rintel


Links
Red Hat Product Errata RHSA-2016:1086 (normal, SHIPPED_LIVE): Moderate: libndp security update, last updated 2016-05-17 15:13:34 UTC

Description Lubomir Rintel 2016-04-21 18:28:43 UTC
A report from e-mail:

> -------- Forwarded Message --------
> From: Julien BERNARD <julien.bernard@viagenie.ca>
> To: Dan Williams <dcbw@redhat.com>, Tambet Ingo <tambet@gmail.com>
> Cc: secalert@redhat.com, Viagénie Engineering <eng@viagenie.ca>
> Subject: Security issue with IPv6 on NetworkManager
> Date: Wed, 20 Apr 2016 12:56:36 -0400
>
> Hi,
>
> We didn't want to report this in the bug tracker regarding the security
> implications.
>
> We believe that NetworkManager accepts and processes Router
> Advertisements with a Hop Limit less than 255, allowing any node that
> is not on the local link to advertise as a router.
> This can be used to perform DoS attacks or to intercept/modify traffic
> of hosts outside of the local link.
>
> This was tested in a lab and we managed to reproduce it every time.
> Looking at the source code, checking the hop-limit value in the
> receive_ra function in the src/rdisc/nm-lndp-rdisc.c file should resolve
> the issue.
>
> See RFC4861 §6.1.2 Validation of Router Advertisement Messages and §11
> for Security Considerations section.
>
>
> Best regards,
>
> Julien Bernard

I believe the bug is actually a bug in libndp, not NetworkManager. However, it affects NetworkManager >= 1.0; that is all supported versions of Fedora and RHEL-7 (RHEL-6 is not affected, since NM doesn't do IPv6 RA in userspace there).

We've added an additional flaw: libndp doesn't validate that the source address of the RA messages is a link-local address, making it easier to exploit this.

The issue is not public and we probably need to coordinate the disclosure.
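The two receive-side checks this report turns on (the IPv6 Hop Limit of a Router Advertisement must be 255, and its source address must be link-local, both from RFC 4861 §6.1.2), as an added C example. This is not libndp's or NetworkManager's code. It validates a raw IPv6 packet carrying an ICMPv6 RA, assumes no extension headers sit between the IPv6 header and the ICMPv6 message, skips ICMPv6 checksum verification, and the sample packets and addresses it checks are constructed inline.

```c
/* Added example: RFC 4861 §6.1.2 validation of a received Router
 * Advertisement, applied before anything in the message is trusted.
 * Not libndp/NetworkManager code; assumptions noted inline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV6_HDR_LEN          40
#define IPPROTO_ICMPV6_NUM    58
#define ICMPV6_ROUTER_ADVERT  134
#define RA_MIN_BODY_LEN       16   /* type, code, cksum, hop limit, flags, lifetimes */

/* Verdict for one packet; RA_OK means every check below passed. */
enum ra_verdict {
    RA_OK = 0,
    RA_TOO_SHORT,
    RA_NOT_IPV6,
    RA_NOT_ICMPV6_RA,
    RA_BAD_HOP_LIMIT,        /* hop limit != 255: the packet crossed a router */
    RA_BAD_CODE,
    RA_SRC_NOT_LINK_LOCAL    /* source outside fe80::/10 */
};

/* fe80::/10: first byte 0xfe, top two bits of the second byte == 10. */
static int is_link_local(const uint8_t addr[16])
{
    return addr[0] == 0xfe && (addr[1] & 0xc0) == 0x80;
}

/* Validate an RA given the raw IPv6 packet (header + ICMPv6 payload).
 * Assumption: Next Header is ICMPv6 directly (no extension headers);
 * the ICMPv6 checksum is not verified here. */
enum ra_verdict validate_ra(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + RA_MIN_BODY_LEN)
        return RA_TOO_SHORT;
    if ((pkt[0] >> 4) != 6)
        return RA_NOT_IPV6;
    if (pkt[6] != IPPROTO_ICMPV6_NUM)
        return RA_NOT_ICMPV6_RA;
    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_len < RA_MIN_BODY_LEN || (size_t)payload_len + IPV6_HDR_LEN > len)
        return RA_TOO_SHORT;
    const uint8_t *icmp = pkt + IPV6_HDR_LEN;
    if (icmp[0] != ICMPV6_ROUTER_ADVERT)
        return RA_NOT_ICMPV6_RA;
    if (pkt[7] != 255)              /* §6.1.2: IP Hop Limit field has a value of 255 */
        return RA_BAD_HOP_LIMIT;
    if (icmp[1] != 0)               /* §6.1.2: ICMP Code is 0 */
        return RA_BAD_CODE;
    if (!is_link_local(pkt + 8))    /* §6.1.2: IP Source Address is a link-local address */
        return RA_SRC_NOT_LINK_LOCAL;
    return RA_OK;
}

/* Constructed sample source addresses: fe80::1 and 2001:db8::1 (documentation prefix). */
static const uint8_t SRC_LL[16]     = {0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
static const uint8_t SRC_GLOBAL[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};

/* Build a minimal constructed RA (IPv6 header + 16-byte RA body, no options)
 * with the given hop limit and source; checksum left as zero. */
size_t build_ra(uint8_t *buf, size_t cap, uint8_t hop_limit, const uint8_t src[16])
{
    const size_t total = IPV6_HDR_LEN + RA_MIN_BODY_LEN;
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x60;                          /* version 6 */
    buf[4] = 0; buf[5] = RA_MIN_BODY_LEN;   /* payload length */
    buf[6] = IPPROTO_ICMPV6_NUM;
    buf[7] = hop_limit;
    memcpy(buf + 8, src, 16);
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 0x01;   /* dst ff02::1 (all nodes) */
    buf[40] = ICMPV6_ROUTER_ADVERT;
    buf[41] = 0;                            /* code */
    buf[44] = 64;                           /* advertised Cur Hop Limit */
    buf[46] = 0x07; buf[47] = 0x08;         /* Router Lifetime 1800 s */
    return total;
}

/* Convenience: build a sample RA and validate it in one call. */
enum ra_verdict validate_sample(uint8_t hop_limit, const uint8_t src[16])
{
    uint8_t buf[64];
    size_t n = build_ra(buf, sizeof buf, hop_limit, src);
    return validate_ra(buf, n);
}

int main(void)
{
    static const char *names[] = { "RA_OK", "RA_TOO_SHORT", "RA_NOT_IPV6",
        "RA_NOT_ICMPV6_RA", "RA_BAD_HOP_LIMIT", "RA_BAD_CODE", "RA_SRC_NOT_LINK_LOCAL" };
    printf("on-link, hop 255:  %s\n", names[validate_sample(255, SRC_LL)]);
    printf("routed, hop 64:    %s\n", names[validate_sample(64, SRC_LL)]);
    printf("global src, 255:   %s\n", names[validate_sample(255, SRC_GLOBAL)]);
    return 0;
}
```

The hop-limit check is what rejects a message that has been forwarded at all, since every router decrements the field; the link-local check catches the second flaw noted above, where an RA with a routable source would otherwise be accepted. Checking the hop limit before the source address means a forwarded packet is refused regardless of what source it claims.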

Comment 1 Lubomir Rintel 2016-04-21 18:29:22 UTC
Created attachment 1149527 [details]
Patch 1/2

Comment 2 Lubomir Rintel 2016-04-21 18:29:44 UTC
Created attachment 1149528 [details]
Patch 2/2

Comment 3 Dan Williams 2016-04-21 18:44:00 UTC
Could the security response team get a CVE for this so we can more easily coordinate the fixes with other distros?

Comment 4 Adam Mariš 2016-04-22 09:00:20 UTC
(In reply to Dan Williams from comment #3)
> Could the security response team get a CVE for this so we can more easily
> coordinate the fixes with other distros?

CVE-2016-3698

Comment 7 Cedric Buissart 2016-05-06 14:38:22 UTC
Acknowledgments:

Name: Julien Bernard (Viagénie)

Comment 11 Cedric Buissart 2016-05-17 10:07:56 UTC
Created libndp tracking bugs for this issue:

Affects: fedora-all [bug 1336719]

Comment 12 Cedric Buissart 2016-05-17 10:08:03 UTC
Unembargoing, based on public date

Comment 13 errata-xmlrpc 2016-05-17 11:13:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1086 https://rhn.redhat.com/errata/RHSA-2016-1086.html

Comment 14 Cedric Buissart 2016-05-17 13:11:52 UTC
Upstream commits:
 - libndp: validate the IPv6 hop limit
   https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f

 - libndb: reject redirect and router advertisements from non-link-local
   https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839

Comment 15 Product Security DevOps Team 2019-07-12 13:04:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-3698
