Summary : Infinite loop in Teredo server Date : 30 July 2006 Affected versions : Miredo 0.9.6 and older Miredo-specific : Yes Impact : Remote denial of service CVE ID : N/A ID : MTFL-SA-0603
While validating a Teredo bubble to be forwarded over UDP/IPv4, the Teredo server could forward the packet to its own IP address and port number tuple, where it would again be validated and forwarded, and so on. Since there is no hop limit decrementation within this procecure, an infinite will be triggered.
If successful, a malicious third party could use this vulnerability to trigger excessive CPU consumption on the Teredo server, ultimately denying the Teredo tunnel service to legitimate Teredo clients.
As far as is known, this issue can neither be exploited to run arbitrary code, nor to compromise data confidentiality.
The number of deployed public Teredo server is currently very limited, hence the number of vulnerable systems is extremely small.
Teredo relays, which are more numerous, are not directly affected by the problem, as far as is currently known.
Blackholing UDP/IPv4 packets with both source and destination UDP ports set to 3544, on the loopback network interface can effectively thwart exploitation of this bug.
On Linux-based systems, this can normally be done with the following command (as root):
iptables -I INPUT -j DROP -i lo -p udp --sport 3544 --dport 3544
Upgrade to Miredo version 0.9.7.
This bug was discovered internally.