Predictable nonce in RFC4620 queries
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
iputils (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The ping6 command can be used to send RFC 4620 queries with a syntax like this:
ping6 -c1 -Nname reflector.
RFC 4620 states:
The Nonce MUST be a random or good pseudo-random value to foil spoofed replies.
The nonce produced by ping6 is always:
00 01 69 73 51 FF 4A EC
If one invocation of ping6 sends multiple queries, the second byte is incremented between queries, but otherwise the nonce is identical.
This nonce does not satisfy the randomness requirement of RFC 4620. The initial nonce value should be read from /dev/urandom. If two ping6 invocations are started at the same time with the same arguments, they will always report duplicated replies as both are producing the same nonces. The predictability of the nonces could be exploited to spoof replies.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: iputils-ping 3:20101006-1ubuntu1
ProcVersionSign
Uname: Linux 3.2.0-39-generic i686
NonfreeKernelMo
ApportVersion: 2.0.1-0ubuntu17.1
Architecture: i386
Date: Sat Apr 13 00:06:00 2013
EcryptfsInUse: Yes
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release i386 (20110427.1)
MarkForUpload: True
SourcePackage: iputils
UpgradeStatus: Upgraded to precise on 2012-05-08 (339 days ago)
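
The remedy the bug description proposes (reading the nonce from /dev/urandom) can be sketched as follows. This is an added example, not part of the original report and not iputils code; the names `ni_nonce_new` and `ni_nonce_matches` are hypothetical.

```c
/* Added example: hypothetical helper names, not iputils identifiers. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#define NI_NONCE_LEN 8 /* the RFC 4620 nonce field is 64 bits */

/* Fill nonce[] from /dev/urandom, retrying on EINTR and short reads.
 * Returns 0 on success, -1 on failure (the caller must then not send). */
int ni_nonce_new(uint8_t nonce[NI_NONCE_LEN])
{
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < NI_NONCE_LEN) {
        ssize_t n = read(fd, nonce + got, NI_NONCE_LEN - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Return 1 if a reply echoes the nonce of the outstanding query, else 0.
 * No early exit, so timing does not show how many leading bytes matched. */
int ni_nonce_matches(const uint8_t sent[NI_NONCE_LEN], const uint8_t echoed[NI_NONCE_LEN])
{
    uint8_t diff = 0;
    for (size_t i = 0; i < NI_NONCE_LEN; i++)
        diff |= (uint8_t)(sent[i] ^ echoed[i]);
    return diff == 0;
}

int main(void)
{
    uint8_t nonce[NI_NONCE_LEN];
    if (ni_nonce_new(nonce) != 0) /* no predictable fallback value */
        return 1;
    for (size_t i = 0; i < NI_NONCE_LEN; i++)
        printf("%02X ", nonce[i]);
    putchar('\n');
    return 0;
}
```

Calling `ni_nonce_new` once per query, rather than once per invocation followed by an increment, keeps later nonces in the same run unpredictable as well.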