IPv6 and security: news from the front – June
Published articles
Fernando Gont published two drafts:
- DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers;
- Neighbor Discovery Shield (ND-Shield): Protecting against Neighbor Discovery Attacks.
They propose methods for blocking malicious DHCPv6 and NDP messages at the switch level. The goal is to block illegitimate messages that could disrupt network operation.
Fernando Gont also published an article entitled "Analysis: Vast IPv6 address space actually enables IPv6 attacks". It lists methods that can be used to scan an IPv6 network without having to test all addresses as in IPv4. The methods vary depending on whether the addressing is based on:
- MAC addresses;
- the least significant bits;
- IPv4 addresses;
- words from the dictionary;
- the temporary address mechanism;
- transition mechanisms.
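As an added example (not taken from Gont's article or from this post), the following Python audit labels addresses from your own inventory by which of the patterns listed above their interface identifier follows, so predictable assignments stand out. The word list, the label names and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed, non-exhaustive list of hex-spellable words (assumption).
HEX_WORDS = {"dead", "beef", "cafe", "face", "babe", "f00d", "c0de", "feed"}
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")

def classify_iid(addr):
    """Label one IPv6 address by the predictable pattern it follows."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)        # low 64 bits: interface identifier
    groups = ip.exploded.split(":")[4:]    # the four IID groups as hex text
    if ip in SIX_TO_FOUR or ip in TEREDO:
        return "transition"
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):
        return "transition"                # ISATAP: 5efe marker + IPv4
    if ((iid >> 24) & 0xFFFF) == 0xFFFE:
        return "mac-eui64"                 # ff:fe inserted mid-MAC
    if iid < (1 << 16):
        return "low-byte"                  # ::1, ::53, ...
    if any(g in HEX_WORDS for g in groups):
        return "wordy"
    if all(g.isdigit() and int(g) <= 255 for g in groups):
        return "ipv4-decimal"              # 192.168.1.10 as ::192:168:1:10
    if iid < (1 << 32):
        return "ipv4-embedded"             # IPv4 in the low 32 bits
    return "opaque"                        # e.g. random temporary addresses

def audit(addresses):
    """Group addresses by label so predictable assignments stand out."""
    report = {}
    for a in addresses:
        report.setdefault(classify_iid(a), []).append(a)
    return report

# Constructed inventory, mostly in the 2001:db8::/32 documentation prefix.
SAMPLE = [
    "2001:db8:1::1",
    "2001:db8:1:0:211:22ff:fe33:4455",
    "2001:db8:1::192:168:1:10",
    "2001:db8:1::c0a8:10a",
    "2001:db8:1::dead:beef",
    "2002:c000:204::1",
    "2001:db8:1:0:0:5efe:c000:204",
    "2001:db8:1:0:5c3a:91e2:7b0f:d4a6",
]

if __name__ == "__main__":
    for label, addrs in sorted(audit(SAMPLE).items()):
        print(f"{label:14} {len(addrs)}  {addrs}")
```

The checks are heuristics: an address labelled "opaque" only means none of these patterns matched, not that it is unpredictable.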
Conferences
Several presentations dealing with IPv6 took place at the TNC 2012 conference, in Reykjavik, Iceland.
Eric Vyncke, CTO/Consulting Engineering and Distinguished Engineer at Cisco, gave a presentation: "The Layer-2 Insecurities of IPv6 and the Mitigation Techniques". His presentation was almost identical to the one he gave last month at the conference organized by IKT-Norge (see my previous month's post).
Tomas Podermanski, Matej Grégr and Miroslav Švéda, from Brno University of Technology, also gave a presentation. It is entitled "Deploying IPv6 – practical problems from the campus perspective". They deployed IPv6 at their university and present very interesting feedback, particularly in the paper. This feedback focuses on the security aspect of the deployment.
Andrea De Vita, Abraham Gebrehiwot, Alessandro Mancini and Marco Sommani, from the research organization CNR – Istituto di Informatica e Telematica, presented "6Mon: Rogue IPv6 Router Advertisement detection and mitigation and IPv6 address utilization network monitoring tool". They present the tool they developed: 6Mon. It is a network monitoring tool capable of inspecting Router Advertisement, Neighbor Solicitation, ARP, and DHCP messages. The goal is to allow network administrators to find associations between MAC, IPv4, and IPv6 addresses, to be alerted when a malicious router starts sending Router Advertisement messages, and to neutralize the effects of these malicious routers.
Tools
Nmap version 6 has been released. It improves IPv6 support.
Vulnerabilities
Several vulnerabilities in the Linux kernel have been identified:
- CVE-2011-4326: This vulnerability (CVSS Base = 7.1) affects versions prior to 2.6.39 and can cause a device to crash by sending fragmented IPv6 packets. The device must, among other things, be configured in bridge mode.
- CVE-2011-2699: This vulnerability (CVSS Base = 7.8) affects versions prior to 3.1. The kernel uses the same generator to generate the "fragment identification" value regardless of the IPv6 destination. Consequently, the "fragment identification" value is predictable, which makes DoS attacks possible.
- CVE-2012-1583: This vulnerability (CVSS Base = 5.0) affects versions prior to 2.6.22 with the "xfrm6_tunnel" module enabled. Under these conditions, sending specially crafted packets can cause a denial of service.
When IPv6 support was added to sudo, a vulnerability was introduced (CVSS Base = 7.2). It has just been discovered and affects versions 1.6.9p3 to 1.8.4p4: CVE-2012-2337 (sudo "netmask" alert). If the sudoers file has a particular configuration, a user present in that file might be able to elevate their privileges.
