Summary : Input Validation error in Teredo tunnel
Date : 31 December 2006
Affected versions : Miredo 1.0.5 down to 0.9.8
Miredo-specific : Yes
Impact : Remote authentication bypass
CVE ID : CVE-2006-6858 (candidate)
ID : MTFL-SA-0604

Authentication of a Teredo bubble (as part of UDP hole punching) with HMAC-MD5-64 hashing is done improperly and can easily be spoofed by a malicious third party.
If successful, a malicious third party could use this vulnerability to impersonate an arbitrary Teredo client toward any Teredo relay or any other Teredo client running the vulnerable software.
As far as is known, this bug cannot be exploited to run arbitrary code remotely.
Exploitation of this bug requires previous knowledge of the victim’s Teredo IPv6 address (which is made of the victim’s public IPv4 address, UDP port number, and cone NAT flag, plus the victim’s Teredo server’s primary IPv4 address).
For security-sensitive applications, trust and access should never be granted on the sole basis of the peer’s IPv6 address. We strongly recommend using a shared secret and/or keypair-based signature and authentication algorithm (such as those included in TLS/SSL or IPsec) for sensitive applications.
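The following added example (not Miredo code) decodes the fields of a Teredo address using the RFC 4380 layout, to show that the address consists only of publicly observable values and so carries nothing that could serve as a credential. The struct, the function name and the sample address (built from documentation IPv4 ranges) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Fields carried in a Teredo IPv6 address (layout per RFC 4380).
 * Names are hypothetical, chosen for this example. */
struct teredo_fields {
    char server_ip[INET_ADDRSTRLEN]; /* Teredo server's primary IPv4 */
    char client_ip[INET_ADDRSTRLEN]; /* client's public (mapped) IPv4 */
    uint16_t client_port;            /* client's public (mapped) UDP port */
    int cone;                        /* cone NAT flag */
};

/* Returns 0 on success, -1 if text is not a Teredo (2001:0::/32) address. */
int teredo_decode(const char *text, struct teredo_fields *out)
{
    struct in6_addr a;
    const uint8_t *b = a.s6_addr;
    uint8_t ip[4];

    if (inet_pton(AF_INET6, text, &a) != 1)
        return -1;
    if (b[0] != 0x20 || b[1] != 0x01 || b[2] != 0x00 || b[3] != 0x00)
        return -1;
    /* Bytes 4..7: server IPv4, stored unmodified. */
    if (!inet_ntop(AF_INET, b + 4, out->server_ip, sizeof out->server_ip))
        return -1;
    /* Bytes 8..9: flags; the most significant bit is the cone flag. */
    out->cone = (b[8] & 0x80) != 0;
    /* Bytes 10..11: mapped UDP port with every bit inverted. */
    out->client_port = (uint16_t)(((b[10] << 8) | b[11]) ^ 0xFFFF);
    /* Bytes 12..15: mapped IPv4 address with every bit inverted. */
    for (int i = 0; i < 4; i++)
        ip[i] = b[12 + i] ^ 0xFF;
    if (!inet_ntop(AF_INET, ip, out->client_ip, sizeof out->client_ip))
        return -1;
    return 0;
}

int main(void)
{
    struct teredo_fields f;
    /* Constructed sample: server 192.0.2.1, client 203.0.113.9:40000, cone. */
    if (teredo_decode("2001:0:c000:201:8000:63bf:34ff:8ef6", &f) != 0)
        return 1;
    printf("server=%s client=%s port=%u cone=%d\n",
           f.server_ip, f.client_ip, (unsigned)f.client_port, f.cone);
    return 0;
}
```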
There is no known proper workaround for Teredo clients and relays.
Upgrade to Miredo version 1.0.6.
This bug was discovered internally.