IPv6 security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software IPv6 Denial of Service
Vulnerability
Advisory ID: cisco-sa-20110928-ipv6
Revision 1.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery
Issue For IPv4/IPv6 Dual-stack Routers
Advisory ID: cisco-sa-20080326-IPv4IPv6
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Multiple vulnerabilities exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances. This security
advisory outlines details of these vulnerabilities:
* Windows NT Domain Authentication Bypass Vulnerability
* IPv6 Denial of Service Vulnerability
* Crypto Accelerator Memory Leak Vulnerability
Note: These vulnerabilities are independent of each other. A device may
be affected by one vulnerability and not affected by another.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6
Vulnerabilities
Advisory ID: cisco-sa-20090325-mobileip
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Cisco IOS Software IPv6 over MPLS
Vulnerabilities
Advisory ID: cisco-sa-20110928-ipv6mpls
Revision 1.0
Folks,
We have created the "IPv6 Hackers" mailing-list for discussion of IPv6
security issues. The charter of the list is:
---- cut here ----
This list was created for the discussion of IPv6 security issues and
low/packet-level issues related to the IPv6 protocols. It is meant to
provide a forum for IPv6 security researchers and IPv6 networking
professionals to discuss low-level IPv6 networking and security issues
> well and you informed vendors, but the only vendor who really has RA
> support so far is Cisco, and they did not know.
We had worked on this thing for a while. IIRC, I talked with a few guys
about this in November 2010 or so (including, IIRC, some guys involved
in NDPMon)-- For instance, I posted on the ipv6ops mailing-list (in
November/December 2010) a few comments noting that RA-Guard could be evaded.
(And, FWIW, vendors have been sitting on a number of other ND issues
that I asked them to perform on their systems for more than a year now.
-- as an example, see my slides for LACSEC 2011 at
=============================================================================
FreeBSD-SA-08:10.nd6 Security Advisory
The FreeBSD Project
Topic: IPv6 Neighbor Discovery Protocol routing vulnerability
Category: core
Module: sys_netinet6
Announced: 2008-10-01
Credits: David Miles
Overview:
When flooding the local network with random router advertisements,
hosts and routers update the network information, consuming all
available CPU resources, making the systems unusable and unresponsive.
As IPv6 and autoconfiguration are enabled by default, all are
affected in their default configuration.
For Windows, a personal firewall or similar security product does not
protect against this attack.
Note: Microsoft does not want to fix this security issue for their
Folks,
We've just published an IETF internet-draft about IPv6 host scanning
attacks.
The aforementioned document is available at:
<http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>
The Abstract of the document is:
---- cut here ----
=============================================================================
FreeBSD-SA-08:09.icmp6 Security Advisory
The FreeBSD Project
Topic: Remote kernel panics on IPv6 connections
Category: core
Module: sys_netinet6
Announced: 2008-09-03
Credits: Tom Parker, Bjoern A. Zeeb
Folks,
We've just posted a revision of our IETF Internet-Draft entitled "A
method for Generating Stable Privacy-Enhanced Addresses with IPv6
Stateless Address Autoconfiguration (SLAAC)".
The document is available at:
<http://tools.ietf.org/id/draft-gont-6man-stable-privacy-addresses-01.txt>
The abstract of the document is:
header before the ICMPv6 part.
So the packets look like:
Fragment 1:
IPv6 Header
Fragmentation Header
Destination Header (~1400 bytes)
Fragment 2:
IPv6 Header
* We've published a new IETF I-D entitled "DHCPv6-Shield: Protecting
Against Rogue DHCPv6 Servers", which is meant to provide RA-Guard-like
protection against rogue DHCPv6 servers. The I-D is available at:
<http://tools.ietf.org/id/draft-gont-opsec-dhcpv6-shield-00.txt>
Other I-Ds (such as, draft-ietf-v6ops-ra-guard-implementation) about
IPv6 security have been revised. Please check them out at:
<http://www.si6networks.com/publications/ietf.html>
* The slideware (and some videos!) of some of our recent presentations
about IPv6 security are now available online. You can find them at:
<http://www.si6networks.com/presentations/index.html>
Hi Fernando,
to quote from your drafts:
> As part of the project "Security Assessment of the Internet Protocol
> version 6 (IPv6)" [CPNI-IPv6], we devised a number of techniques for
> circumventing the RA-Guard protection, which are described in the
> following sections of this document. These techniques, and the
> corresponding tools to assess their effectiveness, had so far been
> made available only to vendors, in the hopes that they could
> implement counter-measures before they were publicly disclosed.
The Cisco Wireless LAN Controller (WLC) product family is affected by
the following vulnerabilities:
* Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability
* Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability
* Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability
* Cisco Wireless LAN Controllers Unauthorized Access Vulnerability
Cisco has released free software updates that address these
Identification Values"
(http://tools.ietf.org/id/draft-gont-6man-predictable-fragment-id-00.txt).
Its abstract is:
---- cut here ----
IPv6 specifies the Fragment Header, which is employed for the
fragmentation and reassembly mechanisms. The Fragment Header
contains an "Identification" field which, together with the IPv6
Source Address and the IPv6 Destination Address of the packet,
identifies fragments that correspond to the same original datagram,
such that they can be reassembled together at the receiving host.
=======================================================
Apple did NOT fix the predictable IP ID issue in its products
(in Leopard 10.5.2).
IPv6
====
None of the vendors addressed the similar issues in IPv6.
Misc.
Folks,
We have uploaded the slides of my IPv6 Security presentation at H2HC
2011 <http://www.h2hc.com.br/?lang=en>. -- The slides are available at:
<http://www.si6networks.com/presentations/h2hc2011/fgont-h2hc2011-ipv6-security.pdf>.
That aside, on November 15-16 I'll be teaching a two-day IPv6 security
training at the DEEPSEC 2011 conference in Vienna
(http://www.deepsec.net). Please check out the details at:
<http://www.deepsec.net/speaker.html#WSLOT40>.
ftp://srt80063:srt80063@hprc.external.hp.com
HP-UX Release            Apache Depot name               MD5 Sum
==========================================================================
B.11.11 (IPv4 and IPv6)  HPUXWSA-B219-02-1111ipv6.depot  24f4180fddf1f07cd29bff1b2e658ca6
B.11.23 PA-32            HPUXWSA-B219-02-1123-32.depot   6deb7bb01a580427523c9f80cec36774
B.11.23 IA-64            HPUXWSA-B219-02-1123-64.depot   38419a29e5076b62084cd3f1a135a9ce
B.11.31 PA-32            HPUXWSA-B219-02-1131-32.depot   d84daf07600e98353ca54b723ccbf8f6
B.11.31 IA-64            HPUXWSA-B219-02-1131-64.depot   7393c2113abbc1815539050d47f1f66a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:10.ipv6 Security Advisory
The FreeBSD Project
Topic: Missing permission check on SIOCSIFINFO_IN6 ioctl
Category: core
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/inspect_overview.html#wp1536127
Note: Only transit traffic can be used to exploit this vulnerability.
This vulnerability affects both routed and transparent firewall mode
in both single and multi-context mode. This vulnerability can be
triggered by IPv4 and IPv6 traffic. Only UDP traffic can trigger this
vulnerability.
This vulnerability is documented in Cisco bug ID, CSCtq10441 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2012-0353.
a fake proxy (WPAD), a malicious access point (Karmetasploit), or basic
network traffic interception to gain access to client machines. These
modules tie together browser_autopwn, SMB relaying, and HTTP credential
and form capturing to pillage data from client systems.
Nearly all Metasploit modules now support IPv6 transports. IPv6 stagers
exist for the Windows and Linux platforms, opening the door for penetration
testing of pure IPv6 networks. The VNCInject and Meterpreter payloads have
been extensively tested over IPv6 sockets.
II. Problem Description
When logging in via SSH with X11-forwarding enabled, sshd(8) fails to
correctly handle the case where it fails to bind to an IPv4 port but
successfully binds to an IPv6 port. In this case, applications which
use X11 will connect to the IPv4 port, even though it had not been
bound by sshd(8) and is therefore not being securely forwarded.
III. Impact
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The IPsec suite of protocols provide network level security for IPv4
and IPv6 packets. FreeBSD includes software originally developed by
the KAME project which implements the various protocols that make up
IPsec.
II. Problem Description
Folks,
We have published a revision of our IETF Internet-Draft "Security
Implications of the Use of IPv6 Extension Headers with IPv6 Neighbor
Discovery".
The revised I-D is available at:
<http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-02.txt>
This revision includes, among other things, a discussion of possible
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Folks,
We have uploaded the slides of the IPv6 Security talk I gave at Hack.lu
2011. The slides are available at:
<http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ip-security.pdf>
A list of conferences at which we will be presenting this year is
available at: <http://www.si6networks.com/index.html#conferences>, and
Creation date: 2012-03-03
WG ID: Individual Submission
Number of pages: 21
Abstract:
IPv6 specifies the Fragment Header, which is employed for the
fragmentation and reassembly mechanisms. The Fragment Header
contains an "Identification" field which, together with the IPv6
Source Address and the IPv6 Destination Address of the packet,
identifies fragments that correspond to the same original datagram,
Folks,
We've just published a new IETF I-D entitled "A method for Generating
Stable Privacy-Enhanced Addresses with IPv6 Stateless Address
Autoconfiguration (SLAAC)".
The abstract of the I-D is:
---- cut here ----
This document specifies a method for generating IPv6 Interface
Identifiers to be used with IPv6 Stateless Address Autoconfiguration
Cisco IOS devices are vulnerable if they are configured for MPLS VPN
or VRF Lite and have a BGP session between the CE and PE devices, and
process extended communities. If a device is configured for MPLS VPN
or VRF Lite the command address-family ipv4 vrf <vrf-name> or
address-family ipv6 vrf <vrf-name> will be present in the device
configuration.
The following shows a command executed on a device configured for
MPLS VPN: