Summary : Input Validation error in Teredo client Date : 24 March 2006 Affected versions : Miredo 0.8.0 down to 0.7.0 Miredo-specific : Yes Impact : Remote authentication bypass CVE ID : N/A ID : MTFL-SA-0601
While authenticating an ICMPv6 Echo Reply (as part of the direct IPv6 connectivity test) with HMAC-MD5 hashing, the Teredo client can be tricked into validating the reply as coming from a possibly arbitrary IPv6 address, instead of the address used as input to the hash algorithm.
If successful, a malicious third party could use this vulnerability to impersonate an arbitrary other IPv6 host.
As far as is known, this bug cannot be exploited to run arbitrary code remotely.
Exploitation of this bug requires previous knowledge of the victim’s Teredo IPv6 address (which is made of the victim’s public IPv4 address, UDP port number, and cone NAT flag, plus the victim’s Teredo server’s primary IPv4 address).
For security-sensitive application, trust and access should never be granted on the sole basis of the peer’s IPv6 address. We strongly recommend using a shared secret and/or keypair-based signature and authentication algorithm (such as those included in TLS/SSL or IPsec), for sensitive application.
Teredo relays and Teredo servers are unaffected.
There is no known proper workaround for Teredo clients.
Upgrade to Miredo version 0.8.1.
This bug was discovered internally.