Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0603

Summary           : Infinite loop in Teredo server
Date              : 30 July 2006
Affected versions : Miredo 0.9.6 and older
Miredo-specific   : Yes
Impact            : Remote denial of service
CVE ID            : N/A
ID                : MTFL-SA-0603


While validating a Teredo bubble to be forwarded over UDP/IPv4, the Teredo server could forward the packet to its own IP address and port number tuple, where it would again be validated and forwarded, and so on. Since there is no hop limit decrement within this procedure, an infinite loop will be triggered.
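As an added illustration of the mechanism and of the checks that break it (this is a constructed model written for this page, not Miredo code; the endpoint type, verdict names, addresses and the round cap are assumptions), the C program below models the server's forwarding decision. The unguarded loop reproduces the self-forwarding behaviour described above, while check_forward() refuses to send a bubble back to the server's own (ip, port) tuple or to loopback, and treats the encapsulated hop limit the way a router would.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a Teredo server's "forward this bubble over UDP/IPv4"
 * decision. It is NOT Miredo code; names, values and the round cap are
 * assumptions made for illustration only. */

#define TEREDO_PORT 3544
#define MAX_ROUNDS  1000   /* artificial cap so the unguarded model terminates */

typedef struct {
    uint32_t ip;    /* IPv4 address in host byte order, e.g. 0xC0000201 = 192.0.2.1 */
    uint16_t port;  /* UDP port */
} endpoint_t;

enum fwd_verdict {
    FWD_OK,             /* safe to forward */
    FWD_DROP_SELF,      /* destination is the server's own (ip, port) tuple */
    FWD_DROP_LOOPBACK,  /* destination is 127.0.0.0/8 */
    FWD_DROP_HOPLIMIT   /* encapsulated IPv6 hop limit exhausted */
};

static bool same_endpoint(endpoint_t a, endpoint_t b)
{
    return a.ip == b.ip && a.port == b.port;
}

static bool is_loopback(uint32_t ip)
{
    return (ip >> 24) == 127;
}

/* Hardened decision: never forward a bubble to ourselves or to loopback, and
 * drop it when the inner IPv6 hop limit would reach zero after the decrement
 * a forwarder is expected to apply. */
enum fwd_verdict check_forward(endpoint_t own, endpoint_t dst, uint8_t hop_limit)
{
    if (same_endpoint(own, dst))
        return FWD_DROP_SELF;
    if (is_loopback(dst.ip))
        return FWD_DROP_LOOPBACK;
    if (hop_limit <= 1)
        return FWD_DROP_HOPLIMIT;
    return FWD_OK;
}

/* Simulates the server receiving a bubble and forwarding it. With guarded == false
 * the loop mirrors the flaw: a packet addressed to the server's own tuple comes
 * straight back, is validated again and forwarded again. Returns the number of
 * forwarding rounds performed; MAX_ROUNDS means the loop never ended on its own. */
unsigned simulate_forwarding(endpoint_t own, endpoint_t dst, uint8_t hop_limit, bool guarded)
{
    unsigned rounds = 0;
    while (rounds < MAX_ROUNDS) {
        if (guarded && check_forward(own, dst, hop_limit) != FWD_OK)
            break;                     /* dropped before forwarding */
        rounds++;
        hop_limit--;                   /* forwarder decrements the inner hop limit */
        if (!same_endpoint(own, dst))
            break;                     /* packet left the server: done */
        /* dst == own: the forwarded packet arrives back here and the loop continues */
    }
    return rounds;
}

int main(void)
{
    endpoint_t own  = { 0xC0000201u, TEREDO_PORT };   /* 192.0.2.1:3544, constructed */
    endpoint_t peer = { 0xC6336401u, TEREDO_PORT };   /* 198.51.100.1:3544, constructed */

    printf("unguarded, dst = own : %u rounds\n", simulate_forwarding(own, own, 64, false));
    printf("guarded,   dst = own : %u rounds\n", simulate_forwarding(own, own, 64, true));
    printf("guarded,   dst = peer: %u rounds\n", simulate_forwarding(own, peer, 64, true));
    return 0;
}
```

The self-endpoint test is the one that closes the loop described in this advisory; the loopback and hop-limit checks are the generic defences a forwarder should have anyway, so that a packet which somehow comes back is still bounded by the inner header's hop limit.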


If successful, a malicious third party could use this vulnerability to trigger excessive CPU consumption on the Teredo server, ultimately denying the Teredo tunnel service to legitimate Teredo clients.

As far as is known, this issue can neither be exploited to run arbitrary code, nor to compromise data confidentiality.

Threat mitigation

The number of deployed public Teredo servers is currently very limited, hence the number of vulnerable systems is extremely small.

Teredo relays, which are more numerous, are not directly affected by the problem, as far as is currently known.


Blackholing UDP/IPv4 packets with both source and destination UDP ports set to 3544 on the loopback network interface can effectively thwart exploitation of this bug.

On Linux-based systems, this can normally be done with the following command (as root):

iptables -I INPUT -j DROP -i lo -p udp --sport 3544 --dport 3544


Upgrade to Miredo version 0.9.7.


This bug was discovered internally.




30 July 2006
Miredo 0.9.7 released
Initial detailed security advisory
Patch applied
Bug discovered in Miredo development trunk