[NEWS] IPv6 Routing Header Vulnerability

Subject: [NEWS] IPv6 Routing Header Vulnerability
Date: 24 Jan 2007 19:49:53 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com

  IPv6 Routing Header Vulnerability
------------------------------------------------------------------------


SUMMARY

Processing a specially crafted IPv6 Type 0 Routing header can crash a 
device running Cisco IOS software. This vulnerability does not affect IPv6 
Type 2 Routing header which is used in mobile IPv6. IPv6 is not enabled by 
default in Cisco IOS.

Cisco has made free software available to address this vulnerability for 
affected customers.

There are workarounds available to mitigate the effects of the 
vulnerability. The workaround depends on whether Mobile IPv6 is used and 
which version of Cisco IOS is currently in use.

This vulnerability was initially reported by a customer, and a further 
trigger vector was discovered while developing the fix for this 
vulnerability.

DETAILS

Affected Products:
 * Devices running Cisco IOS with IPv6 enabled on at least one of their 
interfaces may be affected by this vulnerability.

Vulnerable Products:
To determine the software running on a Cisco product, log in to the device 
and issue the show version command to display the system banner. Cisco IOS 
software will identify itself as "Internetwork Operating System Software" 
or simply "IOS". On the next line of output, the image name will be 
displayed between parentheses, followed by "Version" and the IOS release 
name. Other Cisco devices will not have the show version command or will 
give different output.

The following example identifies a Cisco product running IOS release 
12.4(9.10):

    Cisco IOS Software, 7200 Software (C7200-JK9O3S-M), Version 12.4(9.10), INTERIM SOFTWARE
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 29-May-06 04:42 by prod_rel_team

Additional information about Cisco IOS release naming can be found at 
http://www.cisco.com/warp/public/620/1.html

Details:
This vulnerability can be triggered only when Cisco IOS processes 
specifically crafted IPv6 Type 0 Routing headers, which are used for 
source routing. Source routing is when an originator node explicitly 
specifies the exact path that a packet must take to reach the destination. 
Source routing is enabled by default on Cisco IOS if IPv6 is configured on 
the device. In order to trigger this vulnerability the packet must be 
destined to any of the IPv6 addresses defined on the device. The exact 
packet type is not relevant (e.g., TCP, ICMP, UDP) as the vulnerability is 
on the IP layer. For this reason care must be taken when implementing a 
workaround as this vulnerability can be triggered by a spoofed packet.

IPv6 multicast packets can not be used to trigger this vulnerability.

In addition to Type 0 Routing headers, IPv6 also supports Type 2 Routing 
that is used in Mobile IPv6 implementation. Type 2 Routing headers can not 
be used to trigger the vulnerability described in this Advisory.

A router running vulnerable Cisco IOS software will process Type 0 Routing 
headers only if the destination address in the IPv6 packet is one of the 
IPv6 addresses defined on any of the interfaces. The address may be either 
a global (i.e., routable), loopback or link local address. Link local 
addresses are not supposed to be routable and they are valid only among 
directly connected devices.

A device may also be susceptible in scenarios where IPv6 packets are 
tunneled over IPv4 networks provided that the IPv6 destination address 
(after de-encapsulation) is one of the IPv6 addresses defined on the 
device. This is independent of the exact encapsulation method used (e.g., 
MPLS, GRE or IPv6-in-IPv4).

This vulnerability is documented in Cisco Bug IDs CSCsd40334 (registered 
customers only) and CSCsd58381 (registered customers only): 
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd58381

Impact:
Successful exploitation of the vulnerability listed in this Advisory can 
corrupt some memory structures. In most cases this will cause the affected 
device to crash and repeated exploitation could result in a sustained DoS 
attack. However, due to memory corruption, there is a potential to execute 
arbitrary code. In the event of a successful remote code execution, 
device integrity will have been completely compromised.

Workarounds:
The workaround consists of filtering packets that contain Type 0 Routing 
header(s). Special attention must be paid not to filter packets with Type 
2 Routing headers, as that would break a Mobile IPv6 deployment. The 
applicable workaround depends on which Cisco IOS software release is used 
and on whether Mobile IPv6 is deployed. As any packet type can be used to 
trigger this vulnerability, care must be taken when implementing a 
workaround to account for spoofed packets.
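
As an added illustration (not part of the Cisco advisory), this Python example walks an IPv6 extension-header chain, reads the Routing Type of each Routing header, and applies the decision the filtering workaround makes: deny Type 0 addressed to the device, leave Type 2 and transit traffic alone. The function names, addresses and sample packets are constructed for the example.

```python
import ipaddress
import struct

# Extension headers that share the (Next Header, Hdr Ext Len) layout of RFC 8200.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def routing_types(packet: bytes) -> list:
    """Return the Routing Type of each Routing header in a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = packet[6], 40, []
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            found.append(packet[off + 2])        # Routing Type field
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                break                            # non-first fragment: no more headers
            size = 8                             # Fragment header has a fixed length
        else:
            size = (packet[off + 1] + 1) * 8     # Hdr Ext Len counts 8-byte units
        nxt, off = packet[off], off + size
    return found

def acl_verdict(packet: bytes, own_addresses: set) -> str:
    """Deny Type 0 Routing headers addressed to the device, permit the rest."""
    dst = ipaddress.IPv6Address(packet[24:40])
    return "deny" if dst in own_addresses and 0 in routing_types(packet) else "permit"

def sample(dst: str, first_header: int, payload: bytes) -> bytes:
    src = ipaddress.IPv6Address("2001:db8::99").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_header, 64)
    return fixed + src + ipaddress.IPv6Address(dst).packed + payload

def routing_header(rtype: int) -> bytes:
    # Next Header 59 (none), Hdr Ext Len 2, Routing Type, Segments Left 1, one address
    return bytes([59, 2, rtype, 1]) + bytes(4) + ipaddress.IPv6Address("2001:db8::2").packed

OWN = {ipaddress.IPv6Address("2001:db8::1")}     # constructed device address
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])      # Hop-by-Hop header with one PadN option
SAMPLES = {                                      # constructed sample packets
    "type 0 to router": sample("2001:db8::1", ROUTING, routing_header(0)),
    "type 2 to router": sample("2001:db8::1", ROUTING, routing_header(2)),
    "type 0 in transit": sample("2001:db8::5", ROUTING, routing_header(0)),
    "type 0 after hop-by-hop": sample("2001:db8::1", HOP_BY_HOP, HBH + routing_header(0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24} types={routing_types(pkt)} verdict={acl_verdict(pkt, OWN)}")
```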

Additional mitigations that can be deployed on Cisco devices within the 
network are available in the Cisco Applied Intelligence companion document 
for this advisory: 
http://www.cisco.com/warp/public/707/cisco-air-20070124-IOS-IPv6.shtml

Mobile IPv6 is not deployed
For IOS releases before 12.3(4)T the workaround is to use ACLs to filter 
all packets that contain Routing headers. This method can not distinguish 
between Type 0 and Type 2 Routing headers so it is not suitable if Mobile 
IPv6 is deployed.

The following example shows how to configure such ACLs.

    Router(config)#ipv6 access-list deny-sourcerouted
    Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing
    Router(config-ipv6-acl)#deny ipv6 any <myaddress2> routing
    Router(config-ipv6-acl)#permit ipv6 any any
    Router(config-ipv6-acl)#exit
    Router(config)#interface Ethernet0
    Router(config-if)#ipv6 traffic-filter deny-sourcerouted in

In this example, <myaddress1> and <myaddress2> are IPv6 addresses. One 
example of such an address is 2600:dead:beef:cafe:0:1:0:1111. The ACL must 
be applied to all interfaces and all IPv6 addresses that are configured. 
If an interface has more than one IPv6 address configured, then all 
addresses must be covered by the ACLs. This also includes all loopback and 
"link local" addresses for each interface.

The alternative to enumerating all IPv6 addresses is to use the statement 
deny ipv6 any any routing. While that simplifies the resulting ACL, it will 
also filter all transit IPv6 traffic with Routing headers of Types 0 and 2. 
The example where all configured IPv6 addresses are enumerated will not 
affect transit traffic. This comment is applicable to all other examples 
in this Advisory.

Starting with IOS release 12.2(15)T, a new command, ipv6 source-route, 
was introduced. Its negated form, no ipv6 source-route, blocks any IPv6 
packet carrying an IPv6 Routing header (both Types 0 and 2). The 
configuration is given in the following example.

    Router(config)#no ipv6 source-route

This is a global command and it applies to all interfaces. The command is 
applicable on all defined IPv6 addresses, including the link local and 
loopback address, and on all interfaces.

Mobile IPv6 is deployed
There is no workaround if you are running a Cisco IOS release prior to 
12.4(2)T. In IOS 12.4(2)T a new keyword routing-type is added to IPv6 
ACLs. It can be used to selectively permit or deny specific routing types.

    Router(config)#ipv6 access-list deny-sourcerouted
    Router(config-ipv6-acl)#deny ipv6 any <myaddress1> routing-type 0
    Router(config-ipv6-acl)#permit ipv6 any any
    Router(config-ipv6-acl)#exit
    Router(config)#interface Ethernet0
    Router(config-if)#ipv6 source-route
    Router(config-if)#ipv6 traffic-filter deny-sourcerouted in

The filter must be applied to all interfaces that have IPv6 configured.
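
An added example, not taken from the advisory: a Python check of a configuration fragment against the coverage rules stated above (every IPv6 interface carries an inbound filter, and that filter denies Routing headers or Type 0 to every address on the device). The configuration text, the `host` address form and the function name are assumptions constructed for the example.

```python
import ipaddress
import re

DENY = re.compile(r"deny ipv6 any (?:host )?(\S+) routing(-type 0)?$")

def audit(config: str) -> list:
    """Report interfaces whose inbound filter leaves a device address exposed."""
    if re.search(r"^no ipv6 source-route\s*$", config, re.M):
        return []                        # global command drops every Routing header
    acls, ifaces, cur = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ipv6 access-list (\S+)", line):
            cur = acls.setdefault(m[1], [])
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"addrs": [], "acl": None})
        elif m := DENY.match(line):
            cur.append(ipaddress.ip_network("::/0" if m[1] == "any" else m[1], strict=False))
        elif m := re.match(r"ipv6 address (\S*:\S*)", line):
            cur["addrs"].append(ipaddress.ip_interface(m[1]).ip)
        elif m := re.match(r"ipv6 traffic-filter (\S+) in$", line):
            cur["acl"] = m[1]
    findings, every = [], [(n, a) for n, i in ifaces.items() for a in i["addrs"]]
    for name, iface in ifaces.items():
        if not iface["addrs"]:
            continue                     # interface has no IPv6 configured
        if iface["acl"] is None:
            findings.append(f"{name}: no inbound ipv6 traffic-filter")
            continue
        for owner, addr in every:
            if addr.is_link_local and owner != name:
                continue                 # link-local is reachable only on its own link
            if not any(addr in net for net in acls.get(iface["acl"], [])):
                findings.append(f"{name}: {iface['acl']} misses {addr}")
    return findings

# Constructed configuration fragment (documentation prefix 2001:DB8::/32).
SAMPLE = """\
ipv6 access-list deny-sourcerouted
 deny ipv6 any host 2001:DB8:0:1::1 routing
 permit ipv6 any any
interface Ethernet0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 address FE80::1 link-local
 ipv6 traffic-filter deny-sourcerouted in
interface Ethernet1
 ipv6 address 2001:DB8:0:2::1/64
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check ignores entry order within the ACL and sees only addresses written in the configuration text. Automatically derived link-local addresses do not appear there, so compare against the device's live address list as well.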


ADDITIONAL INFORMATION

The information has been provided by the Cisco Systems Product Security 
Incident Response Team (psirt@cisco.com).
The original article can be found at: 
http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml


