New release : CTI Report - Pharmaceutical and drug manufacturing 

                 Download now

IPv6 and security: news from the front – May

May 15, 2012

IPv6 and security: news from the front – May

Published articles

Yoann Queret wrote a article In his blog, he provides a "brief overview of IPv6 support" in the new version of Ubuntu, version 12.04 LTS. A significant change has been made to the IPv6 stack, as RFC 4941 is now used by default. As a result, IPv6 addresses are no longer generated from the MAC address, but randomly.

Fernando Gont wrote a draft titled "« Security Implications of IPv6 on IPv4 networks »He briefly explains the risks posed by native IPv6 support and by v4/v6 encapsulation mechanisms. He mainly details how to filter 6to4, ISATAP, Teredo, and 6over4 tunnels. His explanations remain theoretical and are not linked to any specific technology.

 

Conferences

A conference The conference on IPv6, organized by IKT-Norge, took place in Oslo on April 24 and 25. Some presentations addressed the topic of security with IPv6.

Henrik Strøm, Head of IT Security and CERT manager at Telenor, presented "« IPv6 – Attacker's perspective »He summarizes in a few slides the risks associated with IPv6 and the countermeasures that can be taken. Here are his conclusions:

  • IPv6 can be secure, but work is needed to make it happen.
  • Security is neither included nor enabled by default.
  • There are many security issues that need to be addressed.
  • It becomes even more important to monitor logs and analyze network traffic.
  • Large network segments are always a bad idea
  • IPv6 can be used by an attacker even if legitimate users and applications do not use it.

Eric Vyncke, CTO/Consulting Engineering and Distinguished Engineer at Cisco, gave two presentations. The first is entitled "« IPv6 security; myths and realities »It presents the various attacks on IPv6, as well as the Cisco technologies used to counter them. It concludes with the following points:

  • There's nothing really new with IPv6
  • Lack of experience with IPv6 could temporarily reduce security levels; training is essential.
  • It is possible to maintain the level of security (IPv6 traffic can be controlled like IPv4 traffic)
  • The use of IPsec should be reserved for certain situations.

His second presentation is entitled "« Layer-2 insecurities of IPv6 »Attacks affecting a local network (layer 2) are presented, along with methods, primarily Cisco-based, to protect against them: rogue RA, SeND, CGA, RA-Guard, NDP spoofing, etc. Here are the elements of the conclusion:

  • Without security at level 2, there is no security at higher levels.
  • The main threat is the rogues RA
  • There are protection methods (host isolation, SeND and SAVI-based techniques)
  • To protect against Neighbor Cache fill-up, a good implementation or a specific configuration associated with ACLs must be used.
  • Solutions implementing these techniques already exist.

At the ATHCON 2012 conference, George Kargiotakis gave a presentation entitled "« Are you ready for IPv6 insecurities? »After a review of IPv6, he presents the possible attacks. Here is part of the presentation outline:

  • IPv6 Security Considerations
  • IPv6 Security Hype
  • IPv6 Common Local Attacks
  • Fragmentation Issues
  • Remote Network Scanning
  • Local Network Scanning
  • IDS / Firewall
  • OS Support
  • IPv6 Migration Security
  • Internet IPv6 Scanning

Interestingly, George Kargiotakis conducted a test showing that most ISPs have their routers' Telnet or SSH services accessible via IPv6, but not via IPv4. 40 of the routers tested had one of these services accessible via IPv6, compared to 10 via IPv4.

 

Vulnerabilities

A vulnerability (CVSS Base Score 2.6) affecting Mozilla products (Firefox, Thunderbird and SeaMonkey) and allowing bypassing certain access controls has been discovered: MFSA2012-28, CVE-2012-0475. This vulnerability is, however, difficult to exploit: it requires that a cross-site XHR or WebSocket request be opened on a non-standard web port on a web server using an IPv6 address of a particular form (two consecutive sixteen-bit fields must be zero).

Another vulnerability (CVSS Base Score 7.1) affecting Cisco IOS 15.1 and 15.2 products has been published: CVE-2012-1324. This vulnerability allows a device to crash by sending an IPv6 packet, if the device has a particular configuration.

A vulnerability (CVSS Base Score 6.8) affecting Windows Server 2008 R2 and Windows 7 has been published: MS12-032, CVE-2012-0179. This vulnerability allows for privilege escalation by exploiting a problem during IPv6 address assignment. Failure to exploit this vulnerability causes the equipment to crash.

Contact