> -----Original Message-----
> From: FreeBSD Security Advisories
> [mailto:security-advisories@xxxxxxxxxxx]
> Sent: Friday, April 27, 2007 3:50 AM
> To: Bugtraq
> Subject: FreeBSD Security Advisory FreeBSD-SA-07:03.ipv6
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==============================================================
> ===============
> FreeBSD-SA-07:03.ipv6
> Security Advisory
> The
> FreeBSD Project
>
> Topic: IPv6 Routing Header 0 is dangerous
>
> Category: core
> Module: ipv6
> Announced: 2007-04-26
> Credits: Philippe Biondi, Arnaud Ebalard, Jun-ichiro
> itojun Hagino
> Affects: All FreeBSD releases.
> Corrected: 2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
> 2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
> 2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
> 2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
> 2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
> CVE Name: CVE-2007-2242
>
> I. Background
>
> IPv6 provides a routing header option which allows a packet sender to
> indicate how the packet should be routed, overriding the
> routing knowledge
> present in a network. This functionality is roughly equivalent to the
> "source routing" option in IPv4. All nodes in an IPv6 network -- both
> routers and hosts -- are required by RFC 2640 to process such headers.
>
> II. Problem Description
>
> There is no mechanism for preventing IPv6 routing headers
> from being used
> to route packets over the same link(s) many times.
>
> III. Impact
>
> An attacker can "amplify" a denial of service attack against
> a link between
> two vulnerable hosts; that is, by sending a small volume of
> traffic the
> attacker can consume a much larger amount of bandwidth between the two
> vulnerable hosts.
>
> An attacker can use vulnerable hosts to "concentrate" a
> denial of service
> attack against a victim host or network; that is, a set of
> packets sent
> over a period of 30 seconds or more could be constructed such
> that they
> all arrive at the victim within a period of 1 second or less.
>
> Other attacks may also be possible.
>
> IV. Workaround
>
> No workaround is available.
>
> V. Solution
>
> NOTE WELL: The solution described below causes IPv6 type 0
> routing headers
> to be ignored. Support for IPv6 type 0 routing headers can
> be re-enabled
> if required by setting the newly added
> net.inet6.ip6.rthdr0_allowed sysctl
> to a non-zero value.
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
> RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
> correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 5.5, 6.1,
> and 6.2 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch
> # fetch
>
> b) Apply the patch.
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:> and reboot the
> system.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch
> Revision
> Path
> -
> --------------------------------------------------------------
> -----------
> RELENG_5
> src/sys/netinet6/in6.h
> 1.35.2.5
> src/sys/netinet6/in6_proto.c
> 1.29.2.5
> src/sys/netinet6/route6.c
> 1.10.4.2
> RELENG_5_5
> src/UPDATING
> 1.342.2.35.2.12
> src/sys/conf/newvers.sh
> 1.62.2.21.2.14
> src/sys/netinet6/in6.h
> 1.35.2.3.2.1
> src/sys/netinet6/in6_proto.c
> 1.29.2.4.2.1
> src/sys/netinet6/route6.c
> 1.10.4.1.4.1
> RELENG_6
> src/sys/netinet6/in6.h
> 1.36.2.8
> src/sys/netinet6/in6_proto.c
> 1.32.2.6
> src/sys/netinet6/route6.c
> 1.11.2.2
> RELENG_6_2
> src/UPDATING
> 1.416.2.29.2.7
> src/sys/conf/newvers.sh
> 1.69.2.13.2.7
> src/sys/netinet6/in6.h
> 1.36.2.7.2.1
> src/sys/netinet6/in6_proto.c
> 1.32.2.5.2.1
> src/sys/netinet6/route6.c
> 1.11.2.1.4.1
> RELENG_6_1
> src/UPDATING
> 1.416.2.22.2.18
> src/sys/conf/newvers.sh
> 1.69.2.11.2.18
> src/sys/netinet6/in6.h
> 1.36.2.6.2.1
> src/sys/netinet6/in6_proto.c
> 1.32.2.4.2.1
> src/sys/netinet6/route6.c
> 1.11.2.1.2.1
> -
> --------------------------------------------------------------
> -----------
>
> VII. References
>
>
>
>
>
> The latest revision of this advisory is available at
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (FreeBSD)
>
> iD4DBQFGMTlvFdaIBMps37IRApu3AJYsifWIDLcyxNcMdnkvw4nBqXFoAJ43+IzB
> M5sIdCmLQABByFlbMB2BjQ==
> =OrNf
> -----END PGP SIGNATURE-----
>
