FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- IPv6 Neighbor Discovery Protocol routing vulnerability

Affected systems
6.3 < FreeBSD < 6.3_5
7.0 < FreeBSD < 7.0_5

Details

VuXML ID 6b8cadce-db0b-11dd-aa56-000bcdf0a03b
Discovery 2008-10-01
Entry 2009-01-05

Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node.

Impact:

An attacker on a different physical network connected to the same IPv6 router as another node could redirect IPv6 traffic intended for that node. This could lead to denial of service or improper access to private network traffic.

Workaround:

Firewall packet filters can be used to filter incoming Neighbor Solicitation messages but may interfere with normal IPv6 operation if not configured carefully.

Reverse path forwarding checks could be used to make gateways, such as routers or firewalls, drop Neighbor Solicitation messages from nodes with unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further discussion of Neighbor Discovery security implications.
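The reverse path forwarding check described in the workaround above, written out as an added illustration in Python; this is not part of the advisory and not FreeBSD's own code. It assumes a hypothetical router with two interfaces, em0 and em1, each with one constructed on-link prefix from the 2001:db8::/32 documentation range, and decides whether a Neighbor Solicitation or Advertisement arriving on an interface carries a source address that belongs on that interface. It also goes slightly beyond the advisory's text by rejecting ND messages whose hop limit is not 255, which RFC 4861 section 7.1.1 requires of every ND message, and by handling the two legitimate cases that a naive prefix check would wrongly drop: the unspecified source used by duplicate address detection and link-local sources.

```python
"""Reverse-path sanity check for IPv6 Neighbor Discovery messages.

Added illustration, not part of the FreeBSD advisory or of FreeBSD itself.
All interface names, prefixes and sample packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed router configuration (hypothetical): each interface with the global
# prefixes that are on-link for it.
ONLINK_PREFIXES: Dict[str, List[ipaddress.IPv6Network]] = {
    "em0": [ipaddress.IPv6Network("2001:db8:1::/64")],
    "em1": [ipaddress.IPv6Network("2001:db8:2::/64")],
}

ICMPV6_NEIGHBOR_SOLICIT = 135
ICMPV6_NEIGHBOR_ADVERT = 136
ND_HOP_LIMIT = 255  # RFC 4861 section 7.1.1: ND messages must carry hop limit 255


@dataclass(frozen=True)
class NDMessage:
    """The fields of a received ND packet that the check looks at."""
    ingress_if: str   # interface the packet arrived on
    src: str          # IPv6 source address as text
    icmp_type: int    # ICMPv6 type (135 = NS, 136 = NA)
    hop_limit: int = ND_HOP_LIMIT


def nd_source_allowed(msg: NDMessage) -> Tuple[bool, str]:
    """Reverse-path check for one ND message; returns (accept, reason).

    A global source is accepted only if it lies in a prefix that is on-link
    for the ingress interface. A node on another segment of the same router
    claiming an address from this segment's prefix fails that test.
    """
    if msg.icmp_type not in (ICMPV6_NEIGHBOR_SOLICIT, ICMPV6_NEIGHBOR_ADVERT):
        return True, "not a Neighbor Solicitation/Advertisement; not checked here"
    if msg.hop_limit != ND_HOP_LIMIT:
        # Anything that crossed a router has had its hop limit decremented.
        return False, f"hop limit {msg.hop_limit} != {ND_HOP_LIMIT}: not originated on-link"
    try:
        src = ipaddress.IPv6Address(msg.src)
    except ipaddress.AddressValueError:
        return False, f"unparseable source address {msg.src!r}"
    if src.is_unspecified:
        # Duplicate Address Detection sends NS from ::; NA never uses it.
        if msg.icmp_type == ICMPV6_NEIGHBOR_SOLICIT:
            return True, "unspecified source: duplicate address detection"
        return False, "unspecified source is not valid on a Neighbor Advertisement"
    if src.is_link_local:
        # fe80::/10 is scoped to the link it arrived on; no prefix lookup applies.
        return True, "link-local source is scoped to the ingress link"
    prefixes = ONLINK_PREFIXES.get(msg.ingress_if)
    if prefixes is None:
        return False, f"no on-link prefixes configured for {msg.ingress_if}"
    if any(src in prefix for prefix in prefixes):
        return True, f"{src} is on-link for {msg.ingress_if}"
    return False, f"{src} is not on-link for {msg.ingress_if}"


# Constructed sample traffic. The last entry is the advisory's scenario: a node
# on em1's segment presenting an address from em0's prefix.
SAMPLE_MESSAGES = [
    NDMessage("em0", "2001:db8:1::10", ICMPV6_NEIGHBOR_SOLICIT),
    NDMessage("em0", "::", ICMPV6_NEIGHBOR_SOLICIT),
    NDMessage("em1", "fe80::1", ICMPV6_NEIGHBOR_ADVERT),
    NDMessage("em1", "2001:db8:1::10", ICMPV6_NEIGHBOR_ADVERT),
]


def rejected_messages(messages) -> List[Tuple[NDMessage, str]]:
    """Run the check over a batch and return the messages that fail, with reasons."""
    result = []
    for msg in messages:
        ok, reason = nd_source_allowed(msg)
        if not ok:
            result.append((msg, reason))
    return result


if __name__ == "__main__":
    for msg, reason in rejected_messages(SAMPLE_MESSAGES):
        print(f"DROP {msg.ingress_if} src={msg.src} type={msg.icmp_type}: {reason}")
```

On a real gateway the same decision is expressed as per-interface packet filter rules rather than a script; the script only isolates the decision so the accept and drop cases can be read side by side. The link-local and unspecified-source branches are the part that matters when writing those rules, since dropping either one breaks normal address configuration on the link, which is the "interfere with normal IPv6 operation" risk the workaround warns about.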

References

CVE Name CVE-2008-2476
FreeBSD Advisory SA-08:10.nd6