Vigil@nce: NetBSD, denial of service via ICMPv6 MLD
September 2008 by Vigil@nce
SYNTHESIS
An attacker can send a malicious ICMPv6 MLD packet in order to
stop the service.
Gravity: 3/4
Consequences: denial of service of computer
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 05/09/2008
Identifier: VIGILANCE-VUL-8090
IMPACTED PRODUCTS
– NetBSD [confidential versions]
DESCRIPTION
The default GENERIC kernel is compiled with the IPv6 support
(options INET6).
The sys/netinet6/mld6.c file implements Multicast Listener
Discovery (RFC 2710) which uses ICMPv6 packets to discover remote
hosts. A MLD message of Query type uses the 16 bit "Maximum
Response Delay" field (RFC 2710 - 3.1) which indicates the maximum
wait delay.
However, the mld_input() function of sys/netinet6/mld6.c file
stores the wait delay in a signed integer and then compares it
incorrectly, which leads to a kernel panic.
A remote attacker can therefore send an ICMPv6 MLD packet with a
Maximum Response Delay over 0x7FFF in order to create a denial of
service.
CHARACTERISTICS
Identifiers: CVE-2008-2464, NetBSD-SA2008-011, IGILANCE-VUL-8090,
VU#817940