Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0602

Summary           : Failure to handle error in Teredo client
Date              : 14 May 2006
Affected versions : Miredo 0.8.4 down to 0.7.0, and 0.9.1
Miredo-specific   : Yes
Impact            : Remote denial of service
CVE ID            : N/A
ID                : MTFL-SA-0602


While validating a Router Advertisement, as part of the Teredo qualification and maintenance procedure with the Teredo server, the Teredo client would detect invalid packets, but fail to ignore them properly.


If successful, a malicious third party could use this vulnerability to trigger misconfiguration of the Teredo tunnel, ultimately denying the Teredo tunnel service, and IPv6 connectivity.

As far as is known, this bug cannot be exploited to run arbitrary code remotely, nor to divert legitimate traffic to a malicious third party.

Threat mitigation

Exploitation of this bug requires previous knowledge of the victim’s mapped public IPv4 address, mapped public UDP port number. The malicious packet must also be sent within a fairly short time frame (usually 50 to 200ms every 30s).


Teredo relays and Teredo servers are unaffected.

There is no known proper workaround for Teredo clients.


Upgrade to Miredo version 0.8.5.


This bug was discovered internally.




14 May 2006
Initial detailled security advisory
13 May 2006
Miredo 0.8.5 released
12 May 2006
Patch applied
Bug discovered in Miredo development trunk