Summary : Design error in IPv6 Routing Header type 0
Date : 31 May 2007
Affected versions : Miredo, all versions
Miredo-specific : No
Impact : Remote denial of service, security bypass
CVE ID : CVE-2007-2242 (candidate)
CVE-2006-6263 (candidate)
ID : MTFL-SA-0701
If successful, a malicious third party could use this vulnerability to cause a network traffic amplification, and possibly disrupt normal of the IPv6 network. Through Teredo encapsulaton (or any other IPv6-over-IPv4 mechanism), this attack can be made to affect the IPv4 Internet as well.
This attack cannot be exploited to run arbitrary code.
Exploitation of this bug requires previous knowledge of the IPv6 address of at least two nodes processing IPv6 Routing header. This is usually the case of any IPv6 router, but can also affect an IPv6 host depending on the implementation (KAME IPv6 stack is known to be affected in such a way).
Filter IPv6 Routing header type 0 with host firewall. On Linux, this can be achieved with the following command:
ip6tables --insert FORWARD --jump DROP --match rt --rt-type 0 ip6tables --insert INPUT --jump DROP --match rt --rt-type 0
It is important that only type 0 be filtered. For instance, type 2 is necessary for Mobile IPv6 and is not affected by this vulnerability.
Under the current scheme, Miredo will not be updated to address this vulnerability. It is expected that relevant operating system vendors will provide a fix for their respective IPv6 network protocol stack to address this issue properly, and independant of the IPv6 connection/tunnel used.
For instance, a fix for the Linux kernel is included in version 2.6.20.9.
Philippe Biondi and Arnaud Ebalard are credited with discovery and initial publication of this vulnerability.
Jim Hoagland had published the Teredo source routing vulnerability earlier.
Some of this page content is edited from the CVE MITRE database.