Published:2009/10/26  Last Updated:2009/10/27

JVN#75368899
Implementations of IPv6 may be vulnerable to denial of service (DoS) attacks

Overview

Implementations of Internet Protocol version 6 (IPv6) may be vulnerable to denial of service (DoS) attacks.

Products Affected

  • Products that implement IPv6 may be affected by this vulnerability.
For more information, refer to the vendor's website.

Description

Implementations of IPv6 contain an issue in the processing of packets related to the Neighbor Discovery Protocol (RFC4861), which may lead to a denial of service vulnerablility.

Impact

Reception of a large number of packets from a malicious third party that is on the same link within the network may lead to a denial of service.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Workarounds
Until an update can be applied, the following workarounds may mitigate the affects of this vulnerability.

  • Use Secure Neighbor Discovery (SEND)
    • Check the validity of packets using Cryptographically Generated Address (CGA) that is described in RFC3972.
  • Filter traffic at the client node
    • When possible, use a personal firewall, etc. to drop Router Advertisement (RA) and ND Redirect packets.
  • Filter traffic using a L2 communication relaying device
    • If a L2 communication relaying device (switch or wireless LAN access point) is avaliable to filter packets based on IPv6 headers, either deny RA and ND Redirect packets not from the router or limit direct communication between client nodes. Note that Duplicate Address Detection (DAD) may not function properly when limiting direct client communication.

    Vendor Status

    Vendor Status Last Update Vendor Notes
    TOSHIBA TEC CORPORATION Not Vulnerable 2009/10/26
    FUJITSU LIMITED Not Vulnerable, investigating 2009/10/26
    FURUKAWA ELECTRIC CO., LTD. Vulnerable 2009/10/26
    NEC Corporation Vulnerable 2009/12/21
    Hitachi Not Vulnerable, investigating 2009/10/27
    Yamaha Corporation Vulnerable 2009/10/27
    Internet Initiative Japan Inc. Vulnerable 2009/10/27

    References

    1. RFC4942
      IPv6 Transition/Coexistence Security Considerations
    2. RFC3971
      SEcure Neighbor Discovery (SEND)
    3. RFC3972
      Cryptographically Generated Addresses (CGA)
    4. RFC4861
      Neighbor Discovery for IP version 6 (IPv6)
    5. RFC4862
      IPv6 Stateless Address Autoconfiguration
    6. RFC3756
      IPv6 Neighbor Discovery (ND) Trust Models and Threats
    7. RFC4890
      Recommendations for Filtering ICMPv6 Messages in Firewalls

    JPCERT/CC Addendum

    Vulnerability Analysis by JPCERT/CC

    Analyzed on 2009.10.26

    Measures Conditions Severity
    Access Required Non-routed - must be attacked from a local segment, such as Ethernet, Bluetooth, and 802.11 attacks
    • Medium-High
    Authentication None - anonymous or no authentication (IP addresses do not count)
    • High
    User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
    • High
    Exploit Complexity Low-Medium - some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
    • Medium-High

    Description of each analysis measures

    Credit

    Akira Kanai of INTERNET MULTIFEED CO., Shin Shirahata and Rodney Van Meter of Keio University and Tatuya Jinmei of Internet Systems Consortium, Inc. reported this vulnerability to IPA.
    JPCERT/CC coordinated with the developers under Information Security Early Warning Partnership.

    The reporters would also like to thank the following for the analysis of the vulnerability:
    Shinsuke Suzuki of KAME Project, Hideaki Yoshifuji and Shinta Sugimoto of USAGI Project.

    Other Information

    JPCERT Alert
    JPCERT Reports
    CERT Advisory
    CPNI Advisory
    TRnotes
    CVE
    JVN iPedia JVNDB-2009-000068

    Update History

    2009/10/27
    Information under the section "Vendor Status" has been updated.