Bug#690986: marked as forwarded (CVE-2012-5363 CVE-2012-5365)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 19 Oct 2012 23:00:17 +0100
with message-id <[🔎] 5081CD71.2050709@pyro.eu.org>
has caused the   report #690986,
regarding CVE-2012-5363 CVE-2012-5365
to be marked as having been forwarded to the upstream software
author(s) freebsd-net@freebsd.org

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
690986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690986
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: freebsd-net@freebsd.org
• Cc: Moritz Muehlenhoff <jmm@debian.org>, 690986@bugs.debian.org, 690986-forwarded@bugs.debian.org
• Subject: Debian Bug#690986: CVE-2012-5363 CVE-2012-5365
• From: Steven Chamberlain <steven@pyro.eu.org>
• Date: Fri, 19 Oct 2012 23:00:17 +0100
• Message-id: <[🔎] 5081CD71.2050709@pyro.eu.org>
• In-reply-to: <[🔎] 20121019193436.5031.87058.reportbug@pisco.westfalen.local>
• References: <[🔎] 20121019193436.5031.87058.reportbug@pisco.westfalen.local>

Hi,

On 19/10/12 20:34, Moritz Muehlenhoff wrote:
> Two security issues were found in the kfreebsd network stack:
> http://www.openwall.com/lists/oss-security/2012/10/10/8

> Issue #1 was assigned CVE-2012-5363
> Issue #2 was assigned CVE-2012-5365

Thank you for mentioning it.

Issue #2 seems similar to CVE-2011-2393, which I assumed was only
relevant where we'd set net.inet6.ip6.accept_rtadv=1, which isn't the
upstream FreeBSD default.  Issue #1 however might affect any FreeBSD
system acting as an IPv6 router.

If this can actually be confirmed, then the worst case I can imagine, is
if a FreeBSD box acts as an IPv6 router for multiple interfaces, perhaps
serving different users;  any one of them might flood with Neighbour
Solicitations on their local link and create a DoS affecting other
interfaces.


I found some code committed to OpenBSD (in 2008, uh-oh), supposedly from
KAME (but I can't find it in their repository?), implementing
per-interface and global limits on the number of prefixes/routes
accepted via RA.  I imagine that's the best way to avoid some or all of
these issues.

> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6_proto.c?sortby=date#rev1.56

Just recently it seems this was also committed to NetBSD HEAD:  "4 new
sysctls to avoid ipv6 DoS attacks from OpenBSD".  I don't know of an
easier way to link to a whole CVS commit, but here are (hopefully all)
the changes to individual files:

> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_input.c.diff?r1=1.138&r2=1.139&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ip6_var.h.diff?r1=1.58&r2=1.59&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.c.diff?r1=1.142&r2=1.143&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6.h.diff?r1=1.56&r2=1.57&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/icmp6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6.c.diff?r1=1.160&r2=1.161&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_proto.c.diff?r1=1.96&r2=1.97&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/in6_var.h.diff?r1=1.64&r2=1.65&sortby=date&only_with_tag=MAIN
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/nd6_rtr.c.diff?r1=1.82&r2=1.83&sortby=date&only_with_tag=MAIN

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

--- End Message ---