[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [rt.debian.org #4573] Re: Bug#717958: kfreebsd-9: CVE-2013-4851: nfsserver

On 29/07/13 13:30, Steven Chamberlain wrote:
> Probably we just need to add some text explaining CVE-2012-5365,
> CVE-2012-5363 and CVE-2011-2393, and that would be good enough to call
> them all 'fixed in wheezy'.  We'd need to send a final debdiff
> containing all this.  I'll try and draft something...

I've written the following text to explain 'workarounds' for those
issues.  I'm not sure exactly where to put this.  It probably needs to
end up in a README.Debian at least, plus mentioned in the changelog:

> Marc Heuse reported that some types of ICMPv6 packet cause excessive
> burden on the IPv6 networking stacks of several operating systems,
> including FreeBSD.  This can also break IPv6 networking on a host until
> it is rebooted.
> 
> These packets are only valid in link-local scope, meaning they cannot
> be routed through an IPv6 router from the Internet or another network.
> But if you do not trust your local network, you may want to defend
> against potential Denial-of-Service attacks as explained below.
> 
> 
> CVE-2011-2393 - flood of ICMPv6 Router Advertisement packets
> 
> CVE-2012-5365 - flood of ICMPv6 Router Advertisement packets containing
>                 multiple Routing entries
> 
> Debian GNU/kFreeBSD ''wheezy'' accepts these packets by default, to
> allow IPv6 stateless address autoconfiguration (SLAAC) to work.  This is
> different from original FreeBSD, where it is not enabled by default.
> 
> If you prefer to ignore these packets, you may clear the accept_rtadv
> flag on each vulnerable interface.  For example:
> 
> # ifconfig $IFACE inet6 -accept_rtadv
> 
> The same can also be added to an appropriate stanza of the
> /etc/network/interfaces file, to do this automatically on boot.  For
> example:
> 
> auto fxp0
> iface fxp0 inet dhcp
>  	up ifconfig $IFACE inet6 -accept_rtadv
> 
> 
> CVE-2012-5363 - flood of ICMPv6 Neighbor Solicitation messages
> 
> These packets announce an IPv6 host's presence on the local network.
> The source addresses of these packets are cached in a table
> of 'neighbour' hosts.  The table can be filled if a large number of
> source addresses are spoofed.  This incurs heavy CPU load and can break
> IPv6 networking on all interfaces.
> 
> There is no mitigation available yet in upstream FreeBSD.  If desired,
> IPv6 networking can be disabled on specific interfaces where it is not
> needed:
> 
> # ifconfig $IFACE inet6 ifdisabled
> 
> This can also be set in an /etc/network/interfaces stanza:
> 
> auto fxp0
> iface fxp0 inet dhcp
>  	up ifconfig $IFACE inet6 ifdisabled

-- 
Steven Chamberlain
steven@pyro.eu.org
Reply to: