Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0601

Summary           : Input Validation error in Teredo client
Date              : 24 March 2006
Affected versions : Miredo 0.8.0 down to 0.7.0
Miredo-specific   : Yes
Impact            : Remote authentication bypass
CVE ID            : N/A
ID                : MTFL-SA-0601


While authenticating an ICMPv6 Echo Reply (as part of the direct IPv6 connectivity test) with HMAC-MD5 hashing, the Teredo client can be tricked into validating the reply as coming from a possibly arbitrary IPv6 address, instead of the address used as input to the hash algorithm.


If successful, a malicious third party could use this vulnerability to impersonate an arbitrary other IPv6 host.

As far as is known, this bug cannot be exploited to run arbitrary code remotely.

Threat mitigation

Exploitation of this bug requires previous knowledge of the victim’s Teredo IPv6 address (which is made of the victim’s public IPv4 address, UDP port number, and cone NAT flag, plus the victim’s Teredo server’s primary IPv4 address).

For security-sensitive application, trust and access should never be granted on the sole basis of the peer’s IPv6 address. We strongly recommend using a shared secret and/or keypair-based signature and authentication algorithm (such as those included in TLS/SSL or IPsec), for sensitive application.


Teredo relays and Teredo servers are unaffected.

There is no known proper workaround for Teredo clients.


Upgrade to Miredo version 0.8.1.


This bug was discovered internally.




24 March 2006
Initial detailled security advisory
23 March 2006
Patch applied - Miredo 0.8.1 released
Bug discovered in Miredo development trunk