Vigil@nce: Cisco IOS, ASA, Windows, denial of service via IPv6 ND RA
January 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can send IPv6 Neighbor Discovery Router Advertisement
packets, in order to create a denial of service in several
products.
– Severity: 1/4
– Creation date: 12/01/2011
IMPACTED PRODUCTS
– Cisco IOS
– Cisco PIX/ASA Software
– Cisco Router
DESCRIPTION OF THE VULNERABILITY
The IPv6 Neighbor Discovery protocol uses 5 types of packets (RFC
4861):
– Router Solicitation: query the Ethernet address of a gateway
– Router Advertisement: answer indicating the gateway
– etc.
When the system receives several Router Advertisement packets
using different IP addresses, a lot of resources are consumed to
process them.
An attacker can therefore send IPv6 Neighbor Discovery Router
Advertisement packets, in order to create a denial of service in
several products.
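
The condition described above can be watched for on a monitored segment. The following is an added detection example, not part of the Vigil@nce bulletin or of any vendor code: it parses raw IPv6 packets, keeps only Router Advertisements, and alerts when too many distinct sources advertise within a short window. It assumes that "different IP addresses" means distinct source addresses; the names ra_source, RaFloodDetector and build_ra, the threshold of 5 sources and the 10 second window are hypothetical choices, and the sample packets are constructed.

```python
import ipaddress
import struct
from collections import deque

ICMPV6, RA_TYPE = 58, 134  # IPv6 next-header value and ND Router Advertisement type (RFC 4861)

def ra_source(packet: bytes):
    """Return the source address of a raw IPv6 packet if it looks like a valid RA, else None.
    Simplification: packets carrying IPv6 extension headers are not parsed."""
    if len(packet) < 40 + 16 or packet[0] >> 4 != 6:
        return None  # too short for IPv6 header + RA body, or not IPv6
    next_header, hop_limit = packet[6], packet[7]
    # RFC 4861 requires hop limit 255 on RAs, so routed (off-link) packets are discarded.
    if next_header != ICMPV6 or hop_limit != 255 or packet[40] != RA_TYPE:
        return None
    return ipaddress.IPv6Address(packet[8:24])

class RaFloodDetector:
    """Alert when more than max_sources distinct RA senders appear within window seconds."""
    def __init__(self, max_sources=5, window=10.0):  # assumed thresholds, tune per network
        self.max_sources, self.window = max_sources, window
        self.seen = deque()  # (timestamp, source) pairs still inside the window

    def observe(self, ts: float, packet: bytes) -> bool:
        src = ra_source(packet)
        if src is None:
            return False
        self.seen.append((ts, src))
        while self.seen and ts - self.seen[0][0] > self.window:
            self.seen.popleft()  # drop observations older than the window
        return len({s for _, s in self.seen}) > self.max_sources

def build_ra(src: str) -> bytes:
    """Constructed sample input: minimal IPv6 + RA packet (checksum left at zero)."""
    body = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)  # 16-byte RA
    header = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, 255)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return header + body

if __name__ == "__main__":
    det = RaFloodDetector()
    for i in range(8):  # constructed burst: 8 RAs, each from a new link-local source
        print(i, det.observe(i * 0.1, build_ra(f"fe80::{i + 1:x}")))
```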
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-IOS-ASA-Windows-denial-of-service-via-IPv6-ND-RA-10266