Microsoft, Juniper urged to patch dangerous IPv6 DoS hole

03.05.2011

“The flaw in the ICMPv6 protocol has only been identified in a small subset of older Juniper products, and only when configured as a host rather than a router,” he said. “According to the protocol, devices configured as hosts must accept and process all advertised routes. This is an inherently dangerous thing to do. If our customers must use auto-configure mode on the IPv6 host on an open LAN, then we strongly recommend whitelisting sources of acceptable routes which will protect them from bogus advertisements.”

He adds: “While individual vendors may put in patches to cover up the fundamental problem, the fact is that conforming implementations of the spec are inevitably vulnerable to route contamination even if they hide the resource exhaustion problem.  Until the IETF fix the protocol the best course of action is to only accept routes from routers that you trust by whitelisting legitimate route sources.”

If RA Guard is not available, another workaround within a Windows environment is to turn off Router Discovery, says Sam Bowne, a computer networking instructor at City College San Francisco who has also been pressuring Microsoft to fix the hole. Bowne has produced a video that shows how easy the exploit is to do. Turning off Router Discovery “is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It's probably appropriate for servers, but not as good for client machines,” Bowne says.

Bowne says another possibility is to set your firewall to block rogue Router Advertisements, while whitelisting them from authorized gateways. But both Bowne and Heuse say that this method is easily defeated. Heuse is even planning on demonstrating an attack that bypasses this fix later this month.
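Because source-based filtering can be defeated, monitoring is a useful complement to it. The following Python sketch is an added example, not code from the article or from any vendor: it parses ICMPv6 Router Advertisements, flags any that come from a source outside an allowlist, and raises a second alert when the number of distinct prefixes advertised on the link passes a threshold. The allowlist, the threshold, the sample packets and the idea of using prefix count as the resource-exhaustion signal are all assumptions.

```python
import ipaddress
import struct

ALLOWED_ROUTERS = {ipaddress.ip_address("fe80::1")}  # constructed allowlist of trusted gateways
PREFIX_LIMIT = 3  # assumed threshold for distinct prefixes seen on one link

def parse_ra_prefixes(icmp6: bytes):
    """Return the prefixes in an ICMPv6 Router Advertisement, or None if not an RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:  # type 134 = Router Advertisement
        return None
    prefixes, off = [], 16  # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length field counts 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            break  # malformed or truncated option: stop parsing
        if opt_type == 3 and opt_len == 32 and icmp6[off + 2] <= 128:  # Prefix Information
            raw = icmp6[off + 16:off + 32]
            prefixes.append(ipaddress.IPv6Network((raw, icmp6[off + 2]), strict=False))
        off += opt_len
    return prefixes

def review_ras(events, allowed=ALLOWED_ROUTERS, limit=PREFIX_LIMIT):
    """events: iterable of (source address, ICMPv6 bytes). Returns sorted alert strings."""
    link_prefixes, alerts = set(), set()
    for src, payload in events:
        prefixes = parse_ra_prefixes(payload)
        if prefixes is None:
            continue
        if ipaddress.ip_address(src) not in allowed:
            alerts.add(f"untrusted RA source {src}")
        # Count prefixes link-wide, not per source, so the check does not rely on the source field.
        link_prefixes.update(prefixes)
        if len(link_prefixes) > limit:
            alerts.add(f"prefix flood: more than {limit} distinct prefixes on link")
    return sorted(alerts)

def build_ra(prefix: str) -> bytes:
    """Build a minimal RA with one Prefix Information option (constructed sample data)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # checksum left as 0
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return header + option + net.network_address.packed

# Constructed traffic: one trusted gateway, then one unknown host advertising many prefixes.
SAMPLE = [("fe80::1", build_ra("2001:db8:1::/64"))]
SAMPLE += [("fe80::bad", build_ra(f"2001:db8:aaaa:{n:x}::/64")) for n in range(5)]

if __name__ == "__main__":
    for alert in review_ras(SAMPLE):
        print(alert)
```

The monitor only detects; it does not stop a host from processing the advertisements, so it belongs alongside RA Guard or disabled Router Discovery rather than in place of them.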

Horley also says that the attack isn’t limited to those connected to a wired LAN, either. “It does affect Windows 7 and Server 2008 machines on wireless networks too,” he said. “There is no fix for wireless networks as RA Guard is not a feasible option on wireless.”