Subject: NetBSD Security Advisory 2007-005: IPv6 Type 0 Routing Header
To: None <current-users@NetBSD.org>
From: NetBSD Security-Officer <security-officer@netbsd.org>
List: current-users
Date: 09/13/2007 22:53:30 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2007-005
		 =================================

Topic:		IPv6 Type 0 Routing Header

Version:	NetBSD-current:	source prior to April 22, 2007
		NetBSD 4.0_BETA2	affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected
		NetBSD 2.1:		affected
		NetBSD 2.0.*:		affected
		NetBSD 2.0:		affected

Severity:	Remote Denial of Service 

Fixed:		NetBSD-current:		April 22, 2007
		NetBSD-4 branch:	April 28, 2007
			(4.0 will include the fix)
		NetBSD-3-1 branch	April 26, 2007
			(3.1.1 will include the fix)
		NetBSD-3-0 branch:	April 26, 2007
			(3.0.3 will include the fix)
		NetBSD-3 branch:	April 26, 2007
		NetBSD-2-1 branch:	June 04, 2007
		NetBSD-2-0 branch:	June 04, 2007
		NetBSD-2 branch:	June 04, 2007

Abstract
========

A crafted IPv6 Type 0 Routing Header packet(s) can be used to launch a 
denial of service attack on an IPv6 host.

This vulnerability has been assigned CVE reference CVE-2007-2242.

Technical Details
=================

A remote attacker can transmit crafted IPv6 packets using a Type 0 Routing 
Header. The result is a type of denial of service attack known as a
traffic amplification attack where the bandwidth between the sending 
and receiving hosts increases during the attack.

Solutions and Workarounds
=========================

To rectify these problems a kernel built from sources containing the
fixes must be installed and the system rebooted. The fixes introduce a
new sysctl(8) that can be used to control the processing of IPv6 type 0
packets. The new sysctl is named net.inet6.ip6.rht0 and has three possible
values:

	-1	Processing is disabled (default).
	 0	Processing is enabled only for routers and not for hosts.
	 1	Processing is enabled for both routers and hosts.

NOTE: This sysctl was later removed from NetBSD-current on May 17 2007 and
the default was hard set to drop IPv6 type 0 packets. This sysctl may
disappear from future NetBSD releases.

The following instructions describe how to upgrade your kernel
by updating your source tree and rebuilding and installing a new version
of the kernel.

For more information on how to do this, see:

    http://www.NetBSD.org/guide/en/chap-kernel.html

* NetBSD-current:

	Systems running NetBSD-current dated from before 2007-04-22
	should be upgraded to NetBSD-current dated 2007-04-23 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		sys/netinet6/ip6_input.c
		sys/netinet6/ip6_var.h
		sys/netinet6/route6.c
		share/man/man7/sysctl.7

	To update from CVS, re-build, and re-install a kernel containing
	the fix:

		# cd src
		# cvs update sys/netinet6/ip6_input.c
		# cvs update sys/netinet6/ip6_var.h
		# cvs update sys/netinet6/route6.c
		# cvs update share/man/man7/sysctl.7
		# build.sh tools kernel=KERNCONFFILE

* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2007-04-26 should be upgraded from NetBSD 3.* sources dated
	2007-04-27 or later.

	The following files need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		sys/netinet6/ip6_input.c
		sys/netinet6/ip6_var.h
		sys/netinet6/route6.c
		sbin/sysctl/sysctl.8	

	To update from CVS, re-build, and re-install a kernel containing
	the fix:

		# cd src
		# cvs update -r <branch_name> sys/netinet6/ip6_input.c
		# cvs update -r <branch_name> sys/netinet6/ip6_var.h
		# cvs update -r <branch_name> sys/netinet6/route6.c
		# cvs update -r <branch_name> sbin/sysctl/sysctl.8
		# build.sh tools kernel=KERNCONFFILE

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2007-06-04 should be upgraded from NetBSD 2.* sources dated
	2007-06-05 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branches:
		sys/netinet6/ip6_input.c
		sys/netinet6/ip6_var.h
		sys/netinet6/route6.c
		sbin/sysctl/sysctl.8	

	To update from CVS, re-build, and re-install a kernel containing
	the fix:

		# cd src
		# cvs update -r <branch_name> sys/netinet6/ip6_input.c
		# cvs update -r <branch_name> sys/netinet6/ip6_var.h
		# cvs update -r <branch_name> sys/netinet6/route6.c
		# cvs update -r <branch_name> sbin/sysctl/sysctl.8
		# build.sh tools kernel=KERNCONFFILE

Thanks To
=========

Philippe Biondi and Arnaud Ebalard for discovering and reporting this problem.

Revision History
================

	2007-09-13	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2007-005.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2007, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: rt14129_RH0.txt,v 1.3 2007/08/18 20:37:42 mjf Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (NetBSD)

iQCVAwUBRuhdNz5Ru2/4N2IFAQLEkwP/Q8npU5jzm/s95MYHECcGTdW5xPOZu5Pv
UHd8W8/k8e7BygW8hhfrXZQjFmglDsdvkwQL5stPQeWNmYdJAe280UAwn6v+FoTw
LwraKzI82iV1tYhBGlq/TbrkGI4JOmEqpUqqSGtGDnrYT7ZgU0/87VGyHCftvOjE
e0KiJD5McZU=
=1z0U
-----END PGP SIGNATURE-----