Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0701

Summary           : Design error in IPv6 Routing Header type 0
Date              : 31 May 2007
Affected versions : Miredo, all versions
Miredo-specific   : No
Impact            : Remote denial of service, security bypass
CVE ID            : CVE-2007-2242 (candidate)
                    CVE-2006-6263 (candidate)
ID                : MTFL-SA-0701

Details

CVE-2007-2242
The IPv6 protocol allows remote attackers to cause a denial of service by abusing the IPv6 Routing header type 0 so as to create network traffic amplification between two IPv6 nodes.
CVE-2006-6263
Teredo nodes process IPv6 Routing headers in encapsulated IPv6 packets, which might allow remote attackers to bypass policies of certain Internet gateways that drop all source-routed packets.

Impact

If successful, a malicious third party could use this vulnerability to cause network traffic amplification, and possibly disrupt normal operation of the IPv6 network. Through Teredo encapsulation (or any other IPv6-over-IPv4 mechanism), this attack can be made to affect the IPv4 Internet as well.

This attack cannot be exploited to run arbitrary code.

Threat mitigation

Exploitation of this bug requires prior knowledge of the IPv6 addresses of at least two nodes that process the IPv6 Routing header. This is usually the case for any IPv6 router, but an IPv6 host can also be affected depending on the implementation (the KAME IPv6 stack is known to be affected in this way).

Workarounds

Filter IPv6 Routing header type 0 with a host firewall. On Linux, this can be achieved with the following commands:

ip6tables --insert FORWARD --jump DROP --match rt --rt-type 0
ip6tables --insert INPUT --jump DROP --match rt --rt-type 0

It is important that only type 0 be filtered. For instance, type 2 is necessary for Mobile IPv6 and is not affected by this vulnerability.
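
To make the type distinction concrete, the following added example (not part of Miredo or of the original advisory) walks the extension-header chain of a raw IPv6 packet and reports the Routing Type, so that type 0 is dropped while type 2 passes. The function names and the sample packets, built on the 2001:db8::/32 documentation prefix, are constructed for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # IPv6 next-header values

def routing_type(packet: bytes):
    """Return the Routing Type of the first Routing header, or None if there is none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None                       # not a complete IPv6 fixed header
    nxt, off = packet[6], 40
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(packet):
            return None                   # truncated extension header
        if nxt == ROUTING:
            return packet[off + 2]        # third octet is the Routing Type
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return None               # non-first fragment: no header chain follows
            length = 8                    # Fragment header has a fixed size
        else:
            length = (packet[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units past the first
        nxt, off = packet[off], off + length
    return None

def should_drop(packet: bytes) -> bool:
    """Mirror the workaround: drop type 0 only, let type 2 (Mobile IPv6) through."""
    return routing_type(packet) == 0

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")
DST = bytes.fromhex("20010db8" + "00" * 11 + "02")

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload

def routing_header(rtype: int) -> bytes:
    # next header 59 (No Next Header), Hdr Ext Len 2, type, Segments Left 1, one address
    return bytes([59, 2, rtype, 1]) + bytes(4) + DST

PADDED_HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # Hop-by-Hop with PadN, then Routing

RH0 = ipv6(ROUTING, routing_header(0))
RH2 = ipv6(ROUTING, routing_header(2))
RH0_AFTER_HBH = ipv6(HOP_BY_HOP, PADDED_HBH + routing_header(0))
PLAIN = ipv6(59, b"")

if __name__ == "__main__":
    for name, pkt in [("RH0", RH0), ("RH2", RH2), ("HBH+RH0", RH0_AFTER_HBH), ("plain", PLAIN)]:
        print(name, "DROP" if should_drop(pkt) else "ACCEPT")
```

The Routing header does not have to be the first extension header, which is why the check follows the chain instead of inspecting only the Next Header field of the fixed IPv6 header.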

Solution

Under the current scheme, Miredo will not be updated to address this vulnerability. It is expected that relevant operating system vendors will provide a fix for their respective IPv6 network protocol stack to address this issue properly, and independently of the IPv6 connection or tunnel used.

For instance, a fix for the Linux kernel is included in version 2.6.20.9.

Credits

Philippe Biondi and Arnaud Ebalard are credited with discovery and initial publication of this vulnerability.

Jim Hoagland had published the Teredo source routing vulnerability earlier.

Some of this page content is edited from the CVE MITRE database.

References

Linux 2.6.20.9 ChangeLog
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.9
IPv6 Routing Header Security
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
Report on Teredo security
http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

History

31 May 2007
Initial detailed security advisory
18 April 2007
Public presentation by Philippe Biondi and Arnaud Ebalard
29 November 2006
Report published by Jim Hoagland
28 November 2006
Private notification from Jim Hoagland