IPv6 Bug in Linux Kernel

IPv6 is widely seen as much more secure than its predecessor IPv4, mainly because security features such as IPsec are a mandatory part of the protocol (and have since been backported to and well tested in IPv4 environments as well).

Design goals and features such as security aspects are one side of every protocol. The other important side is how the specified functionality is implemented, and that depends heavily on the operating system and ultimately on the developers who write it.

IPv6 is a complex protocol with many mechanisms, such as address autoconfiguration, built into it. It is therefore to be expected that its implementations can contain failures as well.

During its research on IPv6 security, S21sec spotted a kernel bug that is exploitable in such a way that an attacker who sends a malformed IPv6 jumbo packet can crash a remote machine.

The reason is that when the kernel receives a malformed IPv6 jumbo packet, it drops the packet and then tries to update some statistics. In the affected kernel versions it is not ensured that the structure holding this information has been correctly initialized, which results in a kernel crash.

Jumbo packets in IPv6 require the Hop-by-Hop Options header, which means that this header is processed by every node between the source and the destination host. Since unaffected kernel versions simply drop the packet without crashing, the attack only works if the vulnerable host is the next hop. This behavior has only been tested with Linux nodes doing the routing.
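As an added example (not code from the original post or from S21sec's proof of concept), here is a Python validator that checks an IPv6 jumbogram against the well-formedness rules of RFC 2675: the Jumbo Payload option (type 0xC2, 4 data bytes, aligned at 4n+2) must sit in the Hop-by-Hop header, the IPv6 Payload Length must be 0, and the Jumbo Payload Length must exceed 65535 and match the packet. This is the kind of check a receiver or a monitoring filter should run before touching any per-packet state; the packet builder and sample packets are constructed here, and the specific malformation that triggered the kernel bug is not described on this page and is not encoded in the example.

```python
import struct

IPV6_HDR_LEN = 40
NEXTHDR_HOPOPTS, NEXTHDR_NONE = 0, 59
OPT_PAD1, OPT_JUMBO, OPT_JUMBO_DATA_LEN = 0x00, 0xC2, 4  # RFC 2675: option type 0xC2 with 4 data bytes

def classify_jumbo(pkt: bytes) -> str:
    """Return 'no-jumbo', 'jumbo-ok' or 'malformed: <reason>' for a raw IPv6 packet."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return "malformed: truncated or non-IPv6 header"
    payload_len, next_hdr = struct.unpack_from("!HB", pkt, 4)
    if next_hdr != NEXTHDR_HOPOPTS:
        return "no-jumbo"  # the Jumbo Payload option may only appear in the Hop-by-Hop header
    if len(pkt) < IPV6_HDR_LEN + 2:
        return "malformed: truncated Hop-by-Hop header"
    end = IPV6_HDR_LEN + (pkt[IPV6_HDR_LEN + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units after the first 8
    if len(pkt) < end:
        return "malformed: Hop-by-Hop header longer than packet"
    off, jumbo_len = IPV6_HDR_LEN + 2, None
    while off < end:  # walk the TLV options; Pad1 is a lone byte, everything else is type/len/data
        opt_type = pkt[off]
        if opt_type == OPT_PAD1:
            off += 1
            continue
        if off + 1 >= end or off + 2 + pkt[off + 1] > end:
            return "malformed: option runs past Hop-by-Hop header"
        opt_len = pkt[off + 1]
        if opt_type == OPT_JUMBO:
            if opt_len != OPT_JUMBO_DATA_LEN:
                return "malformed: jumbo option length is not 4"
            if (off - IPV6_HDR_LEN) % 4 != 2:  # RFC 2675 demands 4n+2 alignment of the option type
                return "malformed: jumbo option misaligned"
            jumbo_len = struct.unpack_from("!I", pkt, off + 2)[0]
        off += 2 + opt_len
    if jumbo_len is None:
        return "no-jumbo"
    if payload_len != 0:
        return "malformed: payload length must be 0 when jumbo option present"
    if jumbo_len <= 0xFFFF:
        return "malformed: jumbo payload length must exceed 65535"
    if jumbo_len != len(pkt) - IPV6_HDR_LEN:
        return "malformed: jumbo payload length does not match packet length"
    return "jumbo-ok"

def build_jumbogram(jumbo_len: int, data_len: int, payload_len_field: int = 0) -> bytes:
    """Constructed sample: IPv6 header + 8-byte Hop-by-Hop header holding one Jumbo Payload option."""
    src = dst = bytes(16)  # unspecified addresses, sufficient for an offline sample
    ipv6 = struct.pack("!IHBB", 6 << 28, payload_len_field, NEXTHDR_HOPOPTS, 64) + src + dst
    hbh = struct.pack("!BBBBI", NEXTHDR_NONE, 0, OPT_JUMBO, OPT_JUMBO_DATA_LEN, jumbo_len)
    return ipv6 + hbh + bytes(data_len)
```

Feeding `build_jumbogram(65544, 65536)` to `classify_jumbo` yields `jumbo-ok`, while a non-zero Payload Length field, a Jumbo Payload Length of 65535 or less, or a length that disagrees with the packet each produce a distinct `malformed:` reason.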

Here is proof-of-concept code which will crash remote machines running a Linux kernel >=2.6.20 and <=

Here is the Ubuntu advisory about the same bug:

Clemens Kurtenbach
S21sec labs
