The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of BSD, Juniper: changes in an IPv6 router

Synthesis of the vulnerability 

An attacker on the LAN can send a Neighbor Solicitation packet in order to change information on the router related to a computer on another LAN.
Impacted software: BIG-IP Hardware, TMOS, FreeBSD, HP-UX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetBSD, OpenBSD.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/10/2008.
Revision date: 02/10/2008.
Références of this announce: BID-31529, c01662367, CERTA-2008-AVI-486, CERTA-2009-AVI-049, CVE-2008-2476, CVE-2008-4404, CVE-2009-0418, FreeBSD-SA-08:10.nd6, HPSBUX02407, NetBSD-SA2008-013, SOL9528, SSRT080107, VIGILANCE-VUL-8140, VU#472363.

Description of the vulnerability 

A router has two or several LAN connected to different physical interfaces.

The IPv6 Neighbor Discovery protocol uses 5 types of packets (RFC 4861):
 - Neighbor Solicitation : query the link layer (Ethernet) address of a neighbor form its IP address
 - Neighbor Advertisement : answer
 - etc.

When the router receives a Neighbor Solicitation packet, it keeps in cache information about the sender (under FreeBSD, by calling the nd6_cache_lladdr() function of netinet6/nd6.c at the end of the function nd6_ns_input()). However, an attacker can spoof the IP address of a computer on another LAN, in order to force the memorization of this address associated to the bad physical interface.

An attacker can therefore create a denial of service, an possibly obtain packets for the spoofed IP address.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This vulnerability alert impacts software or systems such as BIG-IP Hardware, TMOS, FreeBSD, HP-UX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetBSD, OpenBSD.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is of type confirmed by the editor, with an origin of LAN.

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a technician ability can exploit this computer vulnerability.

Solutions for this threat 

F5 BIG-IP: corrected versions for IPv6.
The F5 announce indicates corrected versions.

FreeBSD: patch for IPv6 NDP.
A patch is available:
[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc
[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc

HP-UX: patch for IPv6.
A patch is available:
B.11.11 (11i v1) : PHNE_37898
B.11.23 (11i v2) : PHNE_37897
B.11.31 (11i v3) : PHNE_38680

NetBSD: patch for IPv6 NDP.
A patch is available:
  # cd src
  # cvs update sys/netinet6/nd6_nbr.c sys/netinet6/in6.c sys/netinet6/in6_var.h
  # ./build.sh kernel=KERNCONF
  # mv /netbsd /netbsd.old
  # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd
  # shutdown -r now

OpenBSD: patch for IPv6 NDP.
A patch is available:
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/015_ndp.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/006_ndp.patch
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/001_ndp.patch
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides cybersecurity announces. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.