Predictable nonce in RFC4620 queries

Bug #1168568 reported by Kasper Dupont
This bug affects 1 person
Affects: iputils (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

The ping6 command can be used to send RFC 4620 queries with a syntax like this:
   ping6 -c1 -Nname reflector.easyv6.net

RFC 4620 states:
   The Nonce MUST be a random or good pseudo-random value to foil spoofed replies.

The nonce produced by ping6 is always:
   00 01 69 73 51 FF 4A EC

If one invocation of ping6 sends multiple queries, the second byte is incremented between queries, but otherwise the nonce is identical.

This nonce does not satisfy the randomness requirement of RFC 4620. The initial nonce value should be read from /dev/urandom. If two ping6 invocations are started at the same time with the same arguments, they will always report duplicated replies as both are producing the same nonces. The predictability of the nonces could be exploited to spoof replies.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: iputils-ping 3:20101006-1ubuntu1
ProcVersionSignature: Ubuntu 3.2.0-39.62-generic 3.2.39
Uname: Linux 3.2.0-39-generic i686
NonfreeKernelModules: nvidia
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: i386
Date: Sat Apr 13 00:06:00 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
SourcePackage: iputils
UpgradeStatus: Upgraded to precise on 2012-05-08 (339 days ago)
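
The fix suggested in the description above (read the nonce from /dev/urandom) together with the reply-side check the nonce exists for, as an added example that is not code from iputils or from the reporter. The function names are hypothetical, and the nonce offset assumes the RFC 4620 header layout (Type, Code, Checksum, Qtype, Flags, then the 64-bit Nonce).

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

#define NI_NONCE_LEN  8    /* RFC 4620: 64-bit Nonce field */
#define NI_NONCE_OFF  8    /* follows Type, Code, Checksum, Qtype, Flags */
#define NI_REPLY_TYPE 140  /* ICMPv6 Node Information Reply */

/* Fill nonce[] with fresh bytes from /dev/urandom. Call once per query,
 * so consecutive queries do not differ by a simple increment.
 * Retries on EINTR and short reads. Returns 0 on success, -1 on failure
 * (the caller should not send a query with an unset nonce). */
int ni_fresh_nonce(uint8_t nonce[NI_NONCE_LEN])
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < NI_NONCE_LEN) {
        ssize_t n = read(fd, nonce + got, NI_NONCE_LEN - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Accept a received ICMPv6 message only if it is long enough to hold the
 * NI header, is an NI Reply, and echoes the nonce of the outstanding query.
 * Returns 1 to accept, 0 to drop. */
int ni_reply_matches(const uint8_t *msg, size_t len,
                     const uint8_t sent[NI_NONCE_LEN])
{
    if (len < NI_NONCE_OFF + NI_NONCE_LEN || msg[0] != NI_REPLY_TYPE)
        return 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < NI_NONCE_LEN; i++)  /* compare all bytes, no early exit */
        diff |= (uint8_t)(msg[NI_NONCE_OFF + i] ^ sent[i]);
    return diff == 0;
}
```

With per-query random nonces, two ping6 processes started at the same time no longer accept each other's replies, which is the duplicate-reply symptom described in the report.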
