Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Vigil@nce: NetBSD, denial of service via ICMPv6 MLD

September 2008 by Vigil@nce


An attacker can send a malicious ICMPv6 MLD packet in order to stop the service.

Gravity: 3/4

Consequences: denial of service of computer

Provenance: internet client

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 05/09/2008

Identifier: VIGILANCE-VUL-8090


- NetBSD [confidential versions]


The default GENERIC kernel is compiled with the IPv6 support (options INET6).

The sys/netinet6/mld6.c file implements Multicast Listener Discovery (RFC 2710) which uses ICMPv6 packets to discover remote hosts. A MLD message of Query type uses the 16 bit "Maximum Response Delay" field (RFC 2710 - 3.1) which indicates the maximum wait delay.

However, the mld_input() function of sys/netinet6/mld6.c file stores the wait delay in a signed integer and then compares it incorrectly, which leads to a kernel panic.

A remote attacker can therefore send an ICMPv6 MLD packet with a Maximum Response Delay over 0x7FFF in order to create a denial of service.


Identifiers: CVE-2008-2464, NetBSD-SA2008-011, IGILANCE-VUL-8090, VU#817940

See previous articles


See next articles