Vigil@nce: NetBSD, denial of service via ICMPv6 MLD
September 2008 by Vigil@nce
An attacker can send a malicious ICMPv6 MLD packet in order to stop the service.
Consequences: denial of service of computer
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/09/2008
NetBSD [confidential versions]
The default GENERIC kernel is compiled with the IPv6 support (options INET6).
The sys/netinet6/mld6.c file implements Multicast Listener Discovery (RFC 2710) which uses ICMPv6 packets to discover remote hosts. A MLD message of Query type uses the 16 bit "Maximum Response Delay" field (RFC 2710 - 3.1) which indicates the maximum wait delay.
However, the mld_input() function of sys/netinet6/mld6.c file stores the wait delay in a signed integer and then compares it incorrectly, which leads to a kernel panic.
A remote attacker can therefore send an ICMPv6 MLD packet with a Maximum Response Delay over 0x7FFF in order to create a denial of service.
Identifiers: CVE-2008-2464, NetBSD-SA2008-011, IGILANCE-VUL-8090, VU#817940