IPv6 Protocol Type 0 Route Header Denial of Service Vulnerability
BID:23615
Info
| Bugtraq ID: | 23615 |
| Class: | Design Error |
| CVE: | CVE-2007-2242 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 23 2007 12:00AM |
| Updated: | Feb 08 2008 02:46PM |
| Credit: | Philippe BIONDI, Arnaud EBALARD, and Marc Balmer of OpenBSD, and Vishwas Manral reported this issue. |
| Vulnerable: |
Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 SuSE SUSE Linux Enterprise Server 10.SP1 SuSE SUSE Linux Enterprise SDK 10 SP1 SuSE Suse Linux Enterprise Desktop 10.SP1 SuSE Suse Linux Enterprise Desktop 10 SP1 SuSE SUSE Linux Enterprise 10 SP1 DEBUGINFO SuSE Linux Enterprise Server 10.SP1 SuSE Linux 10.1 x86-64 SuSE Linux 10.1 x86 SuSE Linux 10.1 ppc Sun Solaris 8_x86 Sun Solaris 8_sparc SEIL Turbo 1.18 SEIL Turbo 1.80 SEIL Turbo 1.00 SEIL Plus 1.80 SEIL Plus 1.00 SEIL neu Ver. 2.x 2.32 SEIL neu Ver. 2.x 2.00 SEIL neu Ver. 1.x 1.97 SEIL neu Ver. 1.x 1.52 SEIL neu ATM 1.35 SEIL neu ATM 1.42 SEIL neu ATM 1.10 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 rPath rPath Linux 1 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux 5 Server OpenBSD OpenBSD 4.0 OpenBSD OpenBSD 3.9 NetBSD NetBSD 3.0.2 NetBSD NetBSD 3.0.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD 4.0 BETA2 NetBSD NetBSD 3.1_RC3 NetBSD NetBSD 3.1 NetBSD NetBSD 3.1 NetBSD NetBSD 2.0.4 Navision Financials Server 3.0 Mandriva Linux Mandrake 2007.1 x86_64 Mandriva Linux Mandrake 2007.1 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 IETF RFC 2460 - Internet Protocol, Version 6 (IPv6) 0 FreeBSD FreeBSD 6.0 .x FreeBSD FreeBSD 6.0 -STABLE FreeBSD FreeBSD 6.0 -RELEASE FreeBSD FreeBSD 5.5 -STABLE FreeBSD FreeBSD 5.5 -RELEASE FreeBSD FreeBSD 5.4 -RELENG FreeBSD FreeBSD 5.4 -RELEASE FreeBSD FreeBSD 5.4 -PRERELEASE FreeBSD FreeBSD 5.3 -STABLE FreeBSD FreeBSD 5.3 -RELENG FreeBSD FreeBSD 
5.3 -RELEASE FreeBSD FreeBSD 5.3 FreeBSD FreeBSD 5.2.1 -RELEASE FreeBSD FreeBSD 5.2 -RELENG FreeBSD FreeBSD 5.2 -RELEASE FreeBSD FreeBSD 5.2 FreeBSD FreeBSD 5.1 -RELENG FreeBSD FreeBSD 5.1 -RELEASE/Alpha FreeBSD FreeBSD 5.1 -RELEASE-p5 FreeBSD FreeBSD 5.1 -RELEASE FreeBSD FreeBSD 5.1 FreeBSD FreeBSD 5.0 .x FreeBSD FreeBSD 5.0 -RELENG FreeBSD FreeBSD 5.0 -RELEASE-p14 FreeBSD FreeBSD 5.0 alpha FreeBSD FreeBSD 5.0 FreeBSD FreeBSD 6.2 -STABLE FreeBSD FreeBSD 6.2 FreeBSD FreeBSD 6.1 -STABLE FreeBSD FreeBSD 6.1 -RELEASE-p10 FreeBSD FreeBSD 6.1 -RELEASE FreeBSD FreeBSD 6.0 -RELEASE-p5 FreeBSD FreeBSD 5.4-STABLE Foresight Linux Foresight Linux 1.1 Cosmicperl Directory Pro 10.0.3 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X Server 10.3.9 Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X Server 10.2.8 Apple Mac OS X Server 10.2.7 Apple Mac OS X Server 10.2.6 Apple Mac OS X Server 10.2.5 Apple Mac OS X Server 10.2.4 Apple Mac OS X Server 10.2.3 Apple Mac OS X Server 10.2.2 Apple Mac OS X Server 10.2.1 Apple Mac OS X Server 10.2 Apple Mac OS X Server 10.1.5 Apple Mac OS X Server 10.1.4 Apple Mac OS X Server 10.1.3 Apple Mac OS X Server 10.1.2 Apple Mac OS X Server 10.1.1 Apple Mac OS X Server 10.1 Apple Mac OS X Server 10.0 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple Mac OS X 10.3.9 Apple Mac OS X 10.3.8 Apple Mac OS X 10.3.7 
Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 Apple Mac OS X 10.2.8 Apple Mac OS X 10.2.7 Apple Mac OS X 10.2.6 Apple Mac OS X 10.2.5 Apple Mac OS X 10.2.4 Apple Mac OS X 10.2.3 Apple Mac OS X 10.2.2 Apple Mac OS X 10.2.1 Apple Mac OS X 10.2 Apple Mac OS X 10.1.5 Apple Mac OS X 10.1.4 Apple Mac OS X 10.1.3 Apple Mac OS X 10.1.2 Apple Mac OS X 10.1.1 Apple Mac OS X 10.1 Apple Mac OS X 10.1 Apple Mac OS X 10.0.4 Apple Mac OS X 10.0.3 Apple Mac OS X 10.0.2 Apple Mac OS X 10.0.1 Apple Mac OS X 10.0 3 Apple Mac OS X 10.0 Apple AirPort Extreme Firmware 7.1 Apple AirPort Extreme Firmware 7.0 |
| Not Vulnerable: |
Linux kernel 2.6.20 .9 Apple Mac OS X Server 10.4.10 Apple Mac OS X 10.4.10 Apple AirPort Extreme Firmware 7.2.1 |
Discussion
IPv6 protocol implementations are prone to a denial-of-service vulnerability due to a design error.
Exploiting this issue allows attackers to cause denial-of-service conditions.
This issue is related to the issue discussed in BID 22210 (Cisco IOS IPv6 Source Routing Remote Memory Corruption Vulnerability).
Exploit / POC
Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Please see the referenced advisories for more information.
OpenBSD OpenBSD 3.9
- OpenBSD OpenBSD 3.9-stable
  ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch
FreeBSD FreeBSD 6.2 -STABLE
- FreeBSD ipv6.patch
  http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch
- FreeBSD ipv6.patch.asc
  http://security.FreeBSD.org/patches/SA-07:03/ipv6.patch.asc
Apple Mac OS X Server 10.4
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.1
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.4.2
- Apple MacOSXUpdCombo10.4.10Intel.dmg
  For Mac OS X v10.4.4 (Intel) through v10.4.8 (Intel)
  http://www.apple.com/support/downloads/
- Apple MacOSXUpdCombo10.4.10PPC.dmg
  For Mac OS X v10.4 (PowerPC) through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.3
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.4.3
- Apple MacOSXUpdCombo10.4.10Intel.dmg
  For Mac OS X v10.4.4 (Intel) through v10.4.8 (Intel)
  http://www.apple.com/support/downloads/
- Apple MacOSXUpdCombo10.4.10PPC.dmg
  For Mac OS X v10.4 (PowerPC) through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.4
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.4.4
- Apple MacOSXUpdCombo10.4.10Intel.dmg
  For Mac OS X v10.4.4 (Intel) through v10.4.8 (Intel)
  http://www.apple.com/support/downloads/
- Apple MacOSXUpdCombo10.4.10PPC.dmg
  For Mac OS X v10.4 (PowerPC) through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.5
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.7
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple MacOSXSrvrCombo10.4.10Univ.dmg
  For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
  http://www.apple.com/support/downloads/
Apple Mac OS X 10.4.7
- Apple MacOSXUpdCombo10.4.10Intel.dmg
  For Mac OS X v10.4.4 (Intel) through v10.4.8 (Intel)
  http://www.apple.com/support/downloads/
- Apple MacOSXUpdCombo10.4.10PPC.dmg
  For Mac OS X v10.4 (PowerPC) through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.8
- Apple MacOSXSrvrCombo10.4.10PPC.dmg
  For Mac OS X Server v10.4 through v10.4.8 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple MacOSXSrvrCombo10.4.10Univ.dmg
  For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
  http://www.apple.com/support/downloads/
Apple Mac OS X Server 10.4.9
- Apple MacOSXServerUpd10.4.10PPC.dmg
  For Mac OS X Server v10.4.9 (PowerPC)
  http://www.apple.com/support/downloads/
- Apple MacOSXSrvrCombo10.4.10Univ.dmg
  For Mac OS X Server v10.4.7 through v10.4.9 (Universal)
  http://www.apple.com/support/downloads/
References
References:
- 16 May 2007 IPv6 Routing Header Issues (Sun)
- Cisco Security Advisory: IPv6 Routing Header Vulnerability (Cisco)
- draft-ietf-ipv6-deprecate-rh0-01-candidate-00 (Joe Abley)
- FreeBSD Homepage (FreeBSD)
- IPv6 Routing Header Security. (Philippe BIONDI and Arnaud EBALARD)
- Linux 2.6.20.9 Changelog (Linux)
- NetBSD Homepage (NetBSD)
- OpenBSD Homepage (OpenBSD)
- AirPort Extreme Base Station with 802.11n* Firmware 7.2.1 (Apple)
- IPv6 Homepage (IPv6.org)
- IPv6 protocol routing header vulnerability (SEIL)
- RHSA-2007:0347-2 Important: kernel security and bug fix update (Red Hat)
- Security Update for Linux Kernel: Zypp-Patch-Number: 4185 (Novell)
- Vulnerability Note VU#267289 IPv6 Type 0 Route Headers allow sender to control r (US-CERT)