
Security

IPv6 source routing: history repeats itself

May 2, 2007

This article was contributed by Jake Edge.

A feature slipped into the IPv6 protocol because of political, rather than technical, considerations and has, perhaps unsurprisingly, come back to haunt the IPv6 working group. It also prompted a recent Linux kernel release that disables a particular routing 'feature' of IPv6 by default while still allowing administrators to enable it if they wish. Even a cursory look at the IPv6 routing header type 0 (RH0) might lead one to remember a similar IPv4 feature that eventually fell out of favor: source routing.

Mostly used as a diagnostic tool, source routing allows a packet to specify the route, as a list of IP addresses, that should be used to reply to it. This capability was abused in IP address spoofing attacks by enabling the spoofer to see responses that normally would be routed directly to the spoofed address. Because of this (and other source routing abuses), most routers are configured to drop packets that carry source routing information, and have been since the mid-1990s. Ten years or more would seem to be enough time to ensure that the 'next generation' of IP (IPv6 was originally billed as 'IPng') avoided repeating these mistakes of the past; sadly, that is not the case.

IPv6 introduces something called a 'routing header' into the protocol as part of the extension headers, which are meant to replace the IPv4 options field. Three types of routing header are defined, one of which is unused (type 1) and another which is only used by Mobile IPv6 implementations (type 2). It is the third (type 0) that is the cause of all the current uproar. Also known as RH0 headers, they contain a list of hosts to be 'visited' on the way back to the source address. It should be noted that the IPv6 RFC mentions IPv4 source routing as part of the description of RH0.

A presentation (PDF) at the CanSecWest 2007 conference outlined several vulnerabilities in RH0, which led to the kernel changes in 2.6.20.9. The biggest vulnerability appears to be the amplification effect that can be caused by listing hosts multiple times in the 'route'. One packet can then cause what are essentially multiple copies of itself to be sent back and forth between the hosts listed in the header. This can be used to multiply the traffic in a denial of service attack while also masking the source of the attack. The BSD operating systems have also released new versions to address this problem, and the router vendors will not be far behind. (It should be noted that a bug in the original Linux fix was addressed in 2.6.20.10 and, because 2.6.21 had been released in the interim, in 2.6.21.1 as well.)
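The following is an added example, not code from the article or from the kernel: a small Python inspector that walks the IPv6 extension-header chain, reports a type 0 routing header and how often its address list repeats an entry (the amplification pattern described above), and applies a filter policy in the spirit of the new kernel default, dropping any RH0 that still has segments left to visit. The packet builder exists only to produce a constructed test vector; all addresses are documentation-range examples.

```python
import struct
import ipaddress
from collections import Counter

NEXT_HEADER_ROUTING, NEXT_HEADER_NONE = 43, 59
GENERIC_EXT_HEADERS = {0, 60}   # Hop-by-Hop and Destination Options share the (next, len) layout
FRAGMENT_HEADER = 44            # Fragment header is a fixed 8 octets

def inspect_rh0(packet: bytes) -> dict:
    """Walk the extension-header chain and describe any type 0 routing header.
    max_repeats > 1 means one address is listed more than once: the amplification pattern."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while offset + 8 <= len(packet):
        if next_hdr == NEXT_HEADER_ROUTING:
            ext_len, rtype, seg_left = packet[offset + 1], packet[offset + 2], packet[offset + 3]
            if rtype != 0:               # types 1 and 2 are not RH0
                return {"present": False}
            data = packet[offset + 8: offset + 8 + ext_len * 8]
            addrs = [str(ipaddress.IPv6Address(data[i:i + 16]))
                     for i in range(0, len(data) // 16 * 16, 16)]
            repeats = max(Counter(addrs).values(), default=0)
            return {"present": True, "segments_left": seg_left,
                    "addresses": addrs, "max_repeats": repeats}
        if next_hdr in GENERIC_EXT_HEADERS:
            next_hdr, offset = packet[offset], offset + (packet[offset + 1] + 1) * 8
        elif next_hdr == FRAGMENT_HEADER:
            next_hdr, offset = packet[offset], offset + 8
        else:
            break                        # reached the upper-layer protocol, no RH0 seen
    return {"present": False}

def rh0_verdict(packet: bytes) -> str:
    """Filter policy: an RH0 with segments still to visit is dropped; one with
    segments_left == 0 carries no further forwarding instruction and is accepted."""
    info = inspect_rh0(packet)
    return "drop" if info["present"] and info["segments_left"] > 0 else "accept"

def build_sample(addresses, segments_left, src="2001:db8::a", dst="2001:db8::b") -> bytes:
    """Constructed test vector: a minimal IPv6 packet whose only payload is an RH0."""
    addr_bytes = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    # RH0 layout: next header, hdr ext len (8-octet units after the first 8), type 0,
    # segments left, 4 reserved octets, then the address list
    rh0 = struct.pack("!BBBB4x", NEXT_HEADER_NONE, 2 * len(addresses), 0, segments_left) + addr_bytes
    ip6 = struct.pack("!IHBB", 0x60000000, len(rh0), NEXT_HEADER_ROUTING, 64)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh0
```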

Given that the problems with source routing are known and that the parallels between RH0 and source routing are also known, how did we get to the point where this kind of feature was added into IPv6? The Internet Engineering Task Force (IETF) IPv6 working group is discussing some of that in a thread on their mailing list. A memorable rant by Theo de Raadt seems to indicate that 'academics' in the process forced the inclusion of RH0 through politics. Paul Vixie commiserates and indicates that he sees it as more evidence that the IETF is largely irrelevant in setting internet standards today. In addition, no one responding to the thread seems to be able to come up with a particularly valid use case for the feature.

This would appear to be a classic case of ignoring the past and being doomed to repeat it, but it would also appear that the politics of standards bodies played a role. We certainly are not well served when political considerations trump security (or, really, any technical) considerations. Hopefully this will be yet another object lesson for those of a political bent.

Comments (19 posted)

New vulnerabilities

capi4k-utils: buffer overflow

Package(s): capi4k-utils  CVE #(s): CVE-2007-1217
Created: April 30, 2007  Updated: May 2, 2007
Description: The bufprint() function in capi4k-utils fails to properly check boundaries of data coming from CAPI packets. A local attacker could possibly escalate privileges or cause a Denial of Service by sending a crafted CAPI packet.
Alerts:
Gentoo 200704-23 capi4k-utils 2007-04-27

Comments (none posted)

gimp: arbitrary code execution

Package(s): gimp  CVE #(s): CVE-2007-2356
Created: May 1, 2007  Updated: June 11, 2007
Description: From this Secunia advisory: "Marsu has discovered a vulnerability in Gimp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the "set_color_table()" function in plug-ins/common/sunras.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted .RAS file."
Alerts:
Debian DSA-1301-1 gimp 2007-06-09
Ubuntu USN-467-1 gimp 2007-05-31
Mandriva MDKSA-2007:108 gimp 2007-05-22
Red Hat RHSA-2007:0343-01 gimp 2007-05-21
SuSE SUSE-SR:2007:011 apache gimp zope 2007-05-16
Gentoo 200705-08 gimp 2007-05-07
rPath rPSA-2007-0090-1 gimp 2007-05-03
Foresight FLEA-2007-0015-1 gimp 2007-04-30

Comments (3 posted)

kernel: denial of service

Package(s): kernel  CVE #(s): CVE-2007-1861 CVE-2007-2242
Created: May 1, 2007  Updated: February 8, 2008
Description: The netlink protocol has an infinite recursion bug that allows users to cause a kernel crash. Also, the IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 routing headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.
Alerts:
SuSE SUSE-SA:2008:006 kernel 2008-02-07
Ubuntu USN-508-1 linux-source-2.6.15 2007-08-31
Mandriva MDKSA-2007:171 kernel 2007-08-28
Ubuntu USN-489-1 linux-source-2.6.15 2007-07-19
Ubuntu USN-486-1 linux-source-2.6.17 2007-07-17
SuSE SUSE-SA:2007:051 kernel 2007-09-06
Mandriva MDKSA-2007:216 kernel 2007-11-13
Red Hat RHSA-2007:0347-01 kernel 2007-05-16
Debian DSA-1289-1 linux-2.6 2007-05-13
Foresight FLEA-2007-0016-1 kernel 2007-05-08
rPath rPSA-2007-0084-1 kernel 2007-05-01
Fedora FEDORA-2007-483 kernel 2007-05-01
Fedora FEDORA-2007-482 kernel 2007-05-01

Comments (none posted)

net-snmp: denial of service

Package(s): net-snmp  CVE #(s): CVE-2005-4837
Created: May 2, 2007  Updated: May 4, 2007
Description: From the Ubuntu advisory: the SNMP service did not correctly handle TCP disconnects. Remote subagents could cause a denial of service if they dropped a connection at a specific time. Note that this vulnerability has been known since 2005.
Alerts:
rPath rPSA-2007-0089-1 net-snmp 2007-05-03
Ubuntu USN-456-1 net-snmp 2007-05-02

Comments (none posted)

qemu: multiple vulnerabilities

Package(s): qemu  CVE #(s): CVE-2007-1320 CVE-2007-1321 CVE-2007-1322 CVE-2007-1323 CVE-2007-1366
Created: May 1, 2007  Updated: January 19, 2009
Description: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service.
Alerts:
Fedora FEDORA-2008-11705 kvm 2008-12-24
Fedora FEDORA-2008-10000 kvm 2008-11-22
Fedora FEDORA-2008-9556 kvm 2008-11-12
SuSE SUSE-SR:2009:002 imlib2, valgrind, kvm, cups, lynx, xterm 2009-01-19
Mandriva MDVSA-2008:162 qemu 2008-08-07
Fedora FEDORA-2008-4386 kvm 2008-05-28
Fedora FEDORA-2008-4604 kvm 2008-05-28
Fedora FEDORA-2007-713 xen 2007-10-08
Debian DSA-1384-1 xen-utils 2007-10-05
Fedora FEDORA-2007-2270 xen 2007-10-03
Red Hat RHSA-2007:0323-01 Xen 2007-10-02
Debian-Testing DTSA-38-1 qemu 2007-05-26
Debian DSA-1284-1 qemu 2007-05-01

Comments (none posted)

quagga: denial of service

Package(s): quagga  CVE #(s): CVE-2007-1995
Created: May 2, 2007  Updated: July 3, 2007
Description: A malicious peer can cause the quagga routing daemon to crash by sending a properly crafted BGP packet.
Alerts:
Fedora FEDORA-2007-0838 quagga 2007-07-03
Fedora FEDORA-2007-525 quagga 2007-06-06
Red Hat RHSA-2007:0389-01 quagga 2007-05-30
Ubuntu USN-461-1 quagga 2007-05-17
OpenPKG OpenPKG-SA-2007.015 quagga 2007-05-18
Debian DSA-1293-1 quagga 2007-05-17
Mandriva MDKSA-2007:096 quagga 2007-05-02
Gentoo 200705-05 quagga 2007-05-02

Comments (none posted)

tomcat: directory traversal

Package(s): tomcat  CVE #(s): CVE-2007-0450
Created: May 2, 2007  Updated: February 27, 2008
Description: Versions of tomcat prior to 5.5.22 do not properly filter filename separator characters, enabling information disclosure attacks.
Alerts:
SuSE SUSE-SR:2007:015 PHP, moodle, tomcat5, lighttpd, asterisk, libarchive, xpdf, evolution, kvirc, wireshark, gd, opera, clamav, gimp 2007-08-03
Mandriva MDKSA-2007:241 tomcat5 2007-12-10
Red Hat RHSA-2007:0360-01 jbossas 2007-05-24
Red Hat RHSA-2007:0328-01 tomcat 2007-05-24
Fedora FEDORA-2007-514 tomcat5 2007-05-21
Red Hat RHSA-2007:0326-01 tomcat 2007-05-21
Red Hat RHSA-2007:0327-01 tomcat 2007-05-14
Gentoo 200705-03 tomcat 2007-05-01

Comments (none posted)

util-linux: access restriction bypass

Package(s): util-linux  CVE #(s): CVE-2006-7108
Created: May 2, 2007  Updated: June 15, 2007
Description: From the Red Hat advisory: a flaw was found in the way the login process handled logins which did not require authentication. Certain processes which conduct their own authentication could allow a remote user to bypass intended access policies which would normally be enforced by the login process.
Alerts:
rPath rPSA-2007-0126-1 util-linux 2007-06-15
Mandriva MDKSA-2007:111 util-linux 2007-06-04
Red Hat RHSA-2007:0235-02 util-linux 2007-05-01

Comments (none posted)

vim: arbitrary shell code execution

Package(s): vim  CVE #(s): CVE-2007-2438
Created: April 30, 2007  Updated: May 25, 2007
Description: Vim allows two functions, feedkeys() and writefile(), to be used in the sandbox. Functions executed via modelines in files being edited are supposed to be restricted by the sandbox; a user who is coerced into opening a specially-crafted file could cause the system to execute arbitrary shell code supplied by the attacker.
Alerts:
SuSE SUSE-SR:2007:012 net-snmp, vim, kdebase3, mod_perl 2007-05-25
Ubuntu USN-463-1 vim 2007-05-22
Mandriva MDKSA-2007:101 vim 2007-05-09
Red Hat RHSA-2007:0346-01 vim 2007-05-09
Fedora FEDORA-2007-492 vim 2007-05-07
Foresight FLEA-2007-0014-1 gvim 2007-04-30

Comments (1 posted)

wordpress: another pile of vulnerabilities

Package(s): wordpress  CVE #(s): CVE-2007-1622 CVE-2007-1893 CVE-2007-1894 CVE-2007-1897
Created: May 2, 2007  Updated: July 6, 2007
Description: Wordpress suffers from another set of vulnerabilities including a couple of cross-site scripting problems, an access restrictions bypass issue, and an SQL injection vulnerability.
Alerts:
Fedora FEDORA-2007-0894 wordpress 2007-07-05
Debian DSA-1285-1 wordpress 2007-05-01

Comments (none posted)

xscreensaver: password check bypass

Package(s): xscreensaver  CVE #(s): CVE-2007-1859
Created: May 2, 2007  Updated: June 13, 2007
Description: On a system which uses a remote directory service for passwords, a local attacker can crash xscreensaver by disrupting network connectivity, thus bypassing the password check and gaining access to the system.
Alerts:
Ubuntu USN-474-1 xscreensaver 2007-06-12
Gentoo 200705-14 xscreensaver 2007-05-13
SuSE SUSE-SR:2007:009 ekiga, gnomemeeting, xscreensaver, cups, quagga 2007-05-04
rPath rPSA-2007-0088-1 xscreensaver 2007-05-03
Mandriva MDKSA-2007:097 xscreensaver 2007-05-02
Red Hat RHSA-2007:0322-01 xscreensaver 2007-05-02

Comments (none posted)

Page editor: Jonathan Corbet


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds