A report from e-mail:

> -------- Forwarded Message --------
> From: Julien BERNARD <julien.bernard>
> To: Dan Williams <dcbw>, Tambet Ingo <tambet>
> Cc: secalert, Viagénie Engineering <eng>
> Subject: Security issue with IPv6 on NetworkManager
> Date: Wed, 20 Apr 2016 12:56:36 -0400
>
> Hi,
>
> We didn't want to report this in the bug tracker regarding the security
> implications.
>
> We believe that NetworkManager accepts and processes Router Advertisements
> with a Hop Limit less than 255, allowing any node that is not on the
> local link to advertise as a router.
> This can be used to perform DoS attacks or to intercept/modify traffic
> of hosts outside of the local link.
>
> This was tested in a lab and we managed to reproduce it at any time.
> Looking at the source code, checking the hop-limit value in the
> receive_ra function in the src/rdisc/nm-lndp-rdisc.c file should resolve
> the issue.
>
> See RFC4861 §6.1.2 Validation of Router Advertisement Messages and §11
> for the Security Considerations section.
>
>
> Best regards,
>
> Julien Bernard

I believe the bug is actually a bug in libndp, not NetworkManager. However, it affects NetworkManager >= 1.0; that is, all supported versions of Fedora and RHEL-7 (RHEL-6 is not affected, since NM doesn't do IPv6 RA in userspace there). We've added an additional flaw: libndp doesn't validate that the source address of the RA messages is a link-local address, making it easier to exploit this. The issue is not public and we probably need to coordinate the disclosure.
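The two validation rules from RFC 4861 §6.1.2 that the report and the follow-up describe (IPv6 Hop Limit must be 255, so the packet has not crossed a router, and the source must be a link-local address) are shown below as an added, self-contained example. This is illustrative code written for this page, not libndp's or NetworkManager's own code; the packet builder, the sample addresses and the `validate_ra`/`check_case` names are constructed for the example, it accepts only packets with no IPv6 extension headers, and it does not verify the ICMPv6 checksum.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical RA validator (added example, not libndp code). It applies the
 * RFC 4861 §6.1.2 receiver checks relevant to CVE-2016-3698 to a raw IPv6
 * packet as it would arrive from a raw ICMPv6 socket. */

#define IPV6_HDR_LEN        40
#define NEXT_HDR_ICMPV6     58
#define ND_ROUTER_ADVERT    134
#define RA_MIN_ICMP_LEN     16   /* type, code, csum, hop lim, flags, lifetime, reachable, retrans */

enum ra_verdict {
    RA_OK             =  0,
    RA_ERR_SHORT      = -1,  /* too short for IPv6 header + RA header */
    RA_ERR_NOT_IPV6   = -2,
    RA_ERR_NOT_ICMPV6 = -3,  /* next header is not ICMPv6 (extension headers rejected) */
    RA_ERR_HOP_LIMIT  = -4,  /* Hop Limit != 255: packet was forwarded by a router */
    RA_ERR_SRC_NOT_LL = -5,  /* source address not in fe80::/10 */
    RA_ERR_LEN        = -6,  /* payload length inconsistent or below 16 */
    RA_ERR_NOT_RA     = -7,
    RA_ERR_CODE       = -8,  /* ICMP code must be 0 */
};

static int is_link_local(const uint8_t a[16])
{
    /* fe80::/10: first byte 0xfe, top two bits of the second byte are 10 */
    return a[0] == 0xfe && (a[1] & 0xc0) == 0x80;
}

int validate_ra(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + RA_MIN_ICMP_LEN)
        return RA_ERR_SHORT;
    if ((pkt[0] >> 4) != 6)
        return RA_ERR_NOT_IPV6;
    if (pkt[6] != NEXT_HDR_ICMPV6)
        return RA_ERR_NOT_ICMPV6;
    /* The two checks libndp lacked before the fix. */
    if (pkt[7] != 255)
        return RA_ERR_HOP_LIMIT;
    if (!is_link_local(pkt + 8))
        return RA_ERR_SRC_NOT_LL;
    uint16_t payload_len = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (payload_len < RA_MIN_ICMP_LEN || (size_t)payload_len + IPV6_HDR_LEN > len)
        return RA_ERR_LEN;
    const uint8_t *icmp = pkt + IPV6_HDR_LEN;
    if (icmp[0] != ND_ROUTER_ADVERT)
        return RA_ERR_NOT_RA;
    if (icmp[1] != 0)
        return RA_ERR_CODE;
    return RA_OK;
}

/* Constructed sample addresses (example data, not from the report). */
const uint8_t SRC_LINK_LOCAL[16] = { 0xfe, 0x80, 0,0,0,0,0,0, 0,0,0,0,0,0,0, 0x01 }; /* fe80::1 */
const uint8_t SRC_GLOBAL[16]     = { 0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0,0,0,0, 0x01 }; /* 2001:db8::1 */

/* Build a minimal RA (IPv6 header + 16-byte RA header, no options) into buf,
 * which must hold at least 56 bytes. Checksum is left zero on purpose. */
size_t build_ra(uint8_t *buf, uint8_t hop_limit, const uint8_t src[16])
{
    static const uint8_t all_nodes[16] = { 0xff, 0x02, 0,0,0,0,0,0, 0,0,0,0,0,0,0, 0x01 };
    memset(buf, 0, IPV6_HDR_LEN + RA_MIN_ICMP_LEN);
    buf[0] = 0x60;                         /* version 6 */
    buf[5] = RA_MIN_ICMP_LEN;              /* payload length */
    buf[6] = NEXT_HDR_ICMPV6;
    buf[7] = hop_limit;
    memcpy(buf + 8, src, 16);
    memcpy(buf + 24, all_nodes, 16);       /* ff02::1 */
    uint8_t *icmp = buf + IPV6_HDR_LEN;
    icmp[0] = ND_ROUTER_ADVERT;
    icmp[4] = 64;                          /* Cur Hop Limit advertised to hosts */
    icmp[6] = 0x07; icmp[7] = 0x08;        /* Router Lifetime 1800 s */
    return IPV6_HDR_LEN + RA_MIN_ICMP_LEN;
}

/* Build an RA with the given IPv6 Hop Limit and source, then validate it. */
int check_case(uint8_t hop_limit, const uint8_t src[16])
{
    uint8_t buf[64];
    size_t n = build_ra(buf, hop_limit, src);
    return validate_ra(buf, n);
}

/* Same, but hand the validator a truncated length. */
int check_truncated(void)
{
    uint8_t buf[64];
    build_ra(buf, 255, SRC_LINK_LOCAL);
    return validate_ra(buf, 20);
}

int main(void)
{
    printf("on-link RA from fe80::1, hop limit 255: %d\n", check_case(255, SRC_LINK_LOCAL));
    printf("RA that crossed a router (hop limit 64): %d\n", check_case(64, SRC_LINK_LOCAL));
    printf("RA from global source 2001:db8::1:       %d\n", check_case(255, SRC_GLOBAL));
    printf("truncated packet:                        %d\n", check_truncated());
    return 0;
}
```

The Hop Limit rule works because every router decrements the field when forwarding, so a packet that still carries 255 on arrival can only have been emitted by a node on the same link; the link-local rule closes the remaining hole where an off-link attacker sets the Hop Limit itself. An implementation that applies neither, as the report describes, treats any RA that reaches the host as a local router announcement.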
Created attachment 1149527 [details] Patch 1/2
Created attachment 1149528 [details] Patch 2/2
Could the security response team get a CVE for this so we can more easily coordinate the fixes with other distros?
(In reply to Dan Williams from comment #3) > Could the security response team get a CVE for this so we can more easily > coordinate the fixes with other distros? CVE-2016-3698
Acknowledgments: Name: Julien Bernard (Viagénie)
Created libndp tracking bugs for this issue: Affects: fedora-all [bug 1336719]
Unembargoing, based on public date
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1086 https://rhn.redhat.com/errata/RHSA-2016-1086.html
Upstream commits:
- libndp: validate the IPv6 hop limit
  https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f
- libndp: reject redirect and router advertisements from non-link-local
  https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-3698