Re: CVE request --- acceptation of overlapping ipv6 fragments
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 09 Nov 2012 01:15:15 -0700
On 11/08/2012 03:15 PM, Petr Matousek wrote:
Accepting overlapping fragmented ipv6 packets can lead to
Operating Systems (OS) fingerprinting, IDS/IPS insertion/evasion,
Do not accept such packets.
Linux kernel upstream fix:
So the rationale here is that:
1) The RFC says overlapping IPv6 fragments should be dropped (in fact
all the fragments for that datagram should be dropped).
2) Generally speaking there is no real legitimate case for overlapping
IPv6 (or IPv4) fragments, and in fact they are quite dangerous:
- Overlapping fragments were allowed in the original
IPv4 specification (RFC791)
- RFC1858 described an overlapping fragment attack
that can be used to overwrite the TCP flags inside a
IPv6 datagrams can include a destination options
- This header belongs to the fragmentable part of the
- TCP header can be much further into the fragmentable
- Makes it possible to even overwrite port info.
So basically IPv6 overlapping fragments are quite dangerous and can
potentially be used to bypass firewalls/IDS/NIDS/etc.
Also I'm guessing there are a lot of "embedded" (not sure what term to
use when network devices now have full computers in them, e.g.
photocopiers) IPv6 stacks that will not handle overlapping fragments
(crash, memory overwrite, who knows) and cannot be upgraded by users
(since the devices are not supported/not supported properly by the
So in a nutshell, by not implementing RFC5722 we allow all manner of
poorly defined and probably unwanted behaviours to take place.
Additionally, we may end up passing nasty traffic to back end systems
that cannot handle it well (and are expecting the front end machines
to sanitize the traffic).
So to this end I am assigning CVE-2012-4444 (been saving it, it's easy
to remember =) for "failure to implement RFC5722 properly, allowing
overlapping fragmented IPv6 packets to be processed or passed to other
systems resulting in all sorts of potential unknown badness with
unknown consequences". It looks like more than just Linux is affected,
so if you know of other systems that are affected by this please reply
to this thread so we have a list.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
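The RFC 5722 rule Kurt refers to is simple to state: if any fragment of an IPv6 datagram overlaps one already held, the whole datagram, including fragments already received and those still to come, is silently discarded. The following is an added example written for this archive page, not the Linux kernel fix or any code from the thread. It is a minimal per-datagram reassembly tracker that applies that rule, plus a decoder for the 8-byte Fragment extension header. The structure and function names (`reasm_ctx`, `reasm_add`, `parse_frag_hdr`), the `MAX_FRAGS` bound and the sample fragment sizes are all constructed for illustration; a real stack would key one context per (source, destination, Identification) tuple and expire it on a timer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: one reassembly context per IPv6 datagram,
 * applying the RFC 5722 rule that any overlap poisons the whole datagram. */

#define MAX_FRAGS 32   /* constructed resource bound; real stacks bound memory per queue */

enum reasm_result {
    REASM_ACCEPTED,  /* fragment stored, datagram still incomplete */
    REASM_COMPLETE,  /* every payload byte present; datagram may be delivered */
    REASM_DROPPED    /* overlap (or other violation) seen: datagram discarded */
};

struct frag { uint32_t start, end; };   /* byte range [start, end) of the payload */

struct reasm_ctx {
    struct frag frags[MAX_FRAGS];
    size_t   count;
    uint32_t covered;    /* payload bytes held; exact because no overlaps are kept */
    int32_t  total_len;  /* -1 until the M=0 fragment fixes the datagram length */
    int      dropped;    /* sticky: fragments arriving after an overlap are rejected too */
};

void reasm_init(struct reasm_ctx *c)
{
    c->count = 0; c->covered = 0; c->total_len = -1; c->dropped = 0;
}

/* Decode the IPv6 Fragment extension header (RFC 8200 section 4.5): bytes 2-3
 * hold the 13-bit offset in 8-octet units and the M flag in bit 0, bytes 4-7
 * the Identification. Big-endian decode done by hand so no socket headers are needed. */
void parse_frag_hdr(const uint8_t hdr[8], uint16_t *off_units, int *more, uint32_t *id)
{
    uint16_t field = (uint16_t)((hdr[2] << 8) | hdr[3]);
    *off_units = field >> 3;
    *more = field & 1;
    *id = ((uint32_t)hdr[4] << 24) | ((uint32_t)hdr[5] << 16) |
          ((uint32_t)hdr[6] << 8) | hdr[7];
}

static enum reasm_result poison(struct reasm_ctx *c)
{
    c->dropped = 1;
    c->count = 0;        /* fragments already held go with the datagram */
    return REASM_DROPPED;
}

/* Feed one fragment: offset in 8-octet units, M flag, payload length in bytes. */
enum reasm_result reasm_add(struct reasm_ctx *c, uint16_t off_units, int more, uint16_t len)
{
    uint32_t start = (uint32_t)off_units * 8;
    uint32_t end = start + len;
    size_t i;

    if (c->dropped)
        return REASM_DROPPED;

    /* Any shared byte with a held fragment, an exact duplicate included, is an
     * overlap under RFC 5722 and discards the whole datagram. */
    for (i = 0; i < c->count; i++)
        if (start < c->frags[i].end && c->frags[i].start < end)
            return poison(c);

    /* M=0 fixes the datagram length. A second M=0, or data past the fixed end,
     * cannot belong to a well-formed datagram and is discarded the same way. */
    if (!more) {
        if (c->total_len >= 0)
            return poison(c);
        c->total_len = (int32_t)end;
    }
    if (c->total_len >= 0 && end > (uint32_t)c->total_len)
        return poison(c);
    if (c->count == MAX_FRAGS)
        return poison(c);

    c->frags[c->count].start = start;
    c->frags[c->count].end = end;
    c->count++;
    c->covered += len;
    return (c->total_len >= 0 && c->covered == (uint32_t)c->total_len)
           ? REASM_COMPLETE : REASM_ACCEPTED;
}

int main(void)
{
    /* Constructed demo: a benign two-fragment datagram, then one whose second
     * fragment re-covers bytes 1200..1263 of the first and so poisons the queue. */
    struct reasm_ctx c;
    reasm_init(&c);
    printf("benign:  %d %d\n", reasm_add(&c, 0, 1, 1232), reasm_add(&c, 154, 0, 500));
    reasm_init(&c);
    printf("overlap: %d %d\n", reasm_add(&c, 0, 1, 1232), reasm_add(&c, 150, 0, 64));
    return 0;
}
```

The sticky `dropped` flag is the part that matters for the evasion case described in the thread: without it, an implementation that merely skipped the one overlapping fragment would still deliver whichever copy of the bytes it favoured, which is exactly the ambiguity an IDS and an end host can disagree on.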