Miredo: Teredo IPv6 tunneling for Linux and BSD

Security Advisory 0604

Summary           : Input Validation error in Teredo tunnel
Date              : 31 December 2006
Affected versions : Miredo 1.0.5 down to 0.9.8
Miredo-specific   : Yes
Impact            : Remote authentication bypass
CVE ID            : CVE-2006-6858 (candidate)
ID                : MTFL-SA-0604

Details

Authentication of a Teredo bubble (as part of UDP hope punching) with HMAC-MD5-64 hashing is done improperly and can easily be spoofed by a malicious third party.

Impact

If successful, a malicious third party could use this vulnerability to impersonate an arbitrary Teredo client toward any Teredo relay or any other Teredo client running the vulnerable software.

As far as is known, this bug cannot be exploited to run arbitrary code remotely.

Threat mitigation

Exploitation of this bug requires previous knowledge of the victim’s Teredo IPv6 address (which is made of the victim’s public IPv4 address, UDP port number, and cone NAT flag, plus the victim’s Teredo server’s primary IPv4 address).

For security-sensitive application, trust and access should never be granted on the sole basis of the peer’s IPv6 address. We strongly recommend using a shared secret and/or keypair-based signature and authentication algorithm (such as those included in TLS/SSL or IPsec), for sensitive application.

Workarounds

There is no known proper workaround for Teredo clients and relays.

Solution

Upgrade to Miredo version 1.0.6.

Credits

This bug was discovered internally.

References

None.

History

31 December 2006
Miredo 1.0.6 released
Initial detailled security advisory
30 December 2006
Patch applied to development tree
Bug discovered in Miredo development trunk