Contributed by jose on from the MTU-problems dept.
Date: Sun, 8 Feb 2004 00:54:54 +0100
From: Daniel Hartmeier
To: security-announce@openbsd.org
Subject: IPv6 MTU handling problem

An IPv6 MTU handling problem has been reported by Georgi Guninski[1], which could be used by an attacker to cause a denial of service attack against hosts reachable through IPv6.

When the MTU (maximum transfer unit) for an IPv6 route is set very low, the TCP stack will enter an endless recursion when the next TCP packet is sent. This can be exploited remotely by sending ICMP6 'packet too big' messages containing such low MTU values. The kernel will effectively lock up, causing denial of service. It is not believed that this problem can be used to execute arbitrary code.

IPv6 is enabled by default, but the problem can only be exploited remotely against hosts which are reachable through IPv6. Hosts with IPv4 connectivity only are not affected.

The problem is fixed in -current, patches for 3.4-stable and 3.3-stable are available at

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/011_ip6.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/016_ip6.patch

[1] http://www.guninski.com/obsdmtu.html
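As an added illustration (not part of the advisory and not the OpenBSD patch), the following C example parses an ICMPv6 'packet too big' message and refuses to lower a path MTU estimate below the IPv6 minimum link MTU of 1280 bytes. The names ptb_classify and pmtu_update and the sample byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ICMP6_PACKET_TOO_BIG 2     /* ICMPv6 message type, RFC 4443 */
#define IPV6_MIN_MTU         1280u /* IPv6 minimum link MTU, RFC 8200 */

enum ptb_verdict { PTB_NOT_PTB, PTB_TRUNCATED, PTB_OK, PTB_BELOW_MIN };

/* Classify the MTU advertised by an ICMPv6 message. msg points at the
 * ICMPv6 header: type(1) code(1) checksum(2) MTU(4, network order).
 * Hypothetical helper, named for this example only. */
enum ptb_verdict ptb_classify(const uint8_t *msg, size_t len, uint32_t *mtu)
{
    if (len < 1 || msg[0] != ICMP6_PACKET_TOO_BIG)
        return PTB_NOT_PTB;
    if (len < 8)                    /* header cut off before the MTU field */
        return PTB_TRUNCATED;
    *mtu = ((uint32_t)msg[4] << 24) | ((uint32_t)msg[5] << 16) |
           ((uint32_t)msg[6] << 8)  |  (uint32_t)msg[7];
    return *mtu < IPV6_MIN_MTU ? PTB_BELOW_MIN : PTB_OK;
}

/* Return the new path MTU estimate: it is only ever lowered, and never
 * on the word of a malformed message or one advertising less than 1280. */
uint32_t pmtu_update(uint32_t current, const uint8_t *msg, size_t len)
{
    uint32_t mtu = 0;

    if (ptb_classify(msg, len, &mtu) != PTB_OK || mtu >= current)
        return current;
    return mtu;
}

/* Constructed sample messages (checksum zeroed, invoking packet omitted). */
static const uint8_t ptb_1400[] = { 2, 0, 0, 0, 0x00, 0x00, 0x05, 0x78 };
static const uint8_t ptb_64[]   = { 2, 0, 0, 0, 0x00, 0x00, 0x00, 0x40 };

int main(void)
{
    printf("advertised 1400: 1500 -> %u\n",
           (unsigned)pmtu_update(1500, ptb_1400, sizeof ptb_1400));
    printf("advertised 64:   1500 -> %u\n",
           (unsigned)pmtu_update(1500, ptb_64, sizeof ptb_64));
    return 0;
}
```

The same classification can drive a log or counter for messages that return PTB_BELOW_MIN, since a legitimate IPv6 link never has an MTU below 1280.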
By theCatInTheHat () cat@mole.com on none
said the fat cat looking through the net.
The IP stack is all in tack and really that is the fact, he continued. You see for one to hack he would have to say IP6 and we all know he would be the one in a fix ;)
Comments
By Anonymous Coward () on
By Anonymous Coward () on
that's 'intact'... but you knew that, didn't you.
Comments
By Anonymous Coward () on
that's poetry... but you knew that, didn't you.
By Anonymous Coward () on
Comments
By ssc () on
yeah, that would be kinda neat
secure by poetry :)
By David Coppa () caff@openbeer.it on http://www.openbeer.it/
openbsd# sysctl -w net.inet.ip.mtudisc=1
net.inet.ip.mtudisc: 0 -> 1
openbsd# ifconfig rl0 mtu 64
anothermachine$ ssh openbsd
openbsd reboot.
So, it's not only ipv6 related...
Comments
By Daniel Hartmeier () daniel@benzedrine.cx on mailto:daniel@benzedrine.cx
What you describe is a DoS only exploitable by the local root. It'll be eventually fixed, too. But if you got local root, there are a couple of other ways to take the host down intentionally (like, uh, halt(8)) ;)
By Arrigo () on http://www.alchemistowl.org/arrigo
Has anyone got a patch for older versions of OpenBSD ?
Comments
By Daniel Hartmeier () daniel@benzedrine.cx on mailto:daniel@benzedrine.cx
Comments
By Arrigo () on http://www.alchemistowl.org/arrigo
As I have no means to perform better testing I am wondering if the bug is still there, just not triggered so far.
Comments
By Daniel Hartmeier () daniel@benzedrine.cx on mailto:daniel@benzedrine.cx
Then apply it to the 3.0 box, using the same procedure repeatedly, until you're sure it doesn't affect it. You can't really be sure, but if all you have at your disposal is empiric tests, that's as good as it gets.
At some point, backporting patches to no longer supported releases (and 3.0 has been unsupported for quite a while, I'm sure you're aware of that) just isn't worth the effort anymore, and upgrading becomes cheaper.
And since this is only relevant for IPv6 enabled hosts, and you mentioned one particular host only, I can't imagine a sane reason not to upgrade it. There must have been dozens of small IPv6 fixes and improvements during those years which never caused an errata, which you're missing.
Comments
By Arrigo () on http://www.alchemistowl.org/arrigo
For the trolls: I appreciate that mine is a limit case but there are boxes which can't be upgraded, either because there are too many of them (e.g. large farm) or because you can't reboot the box and still have access to it if it doesn't work...
Still, I've definitely tried a 3.4 brand new install from CD at home (which keels over) but haven't been able to reproduce with a 3.0. I feel uneasy about calling it "safe" so I'll leave the box running with IPv6-only traffic overnight to see if I have indeed touched something sensitive which breaks in the long run.
By chas () on
Is this the best source of binary patches for OpenBSD?
Comments
By Peter Hessler () spambox@theapt.org on http://www.theapt.org
By inglf00 () on