arp cache updated by replies with broadcast address

Bug #183847 reported by Augusto Santos on 2008-01-17
Affects: linux (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: linux-image-generic

The Linux kernel is accepting ARP replies with entries that point to a broadcast Ethernet address, poisoning the ARP cache.

The steps to reproduce this include sending an unsolicited ARP reply to the given host where the hwsrc field is filled with ff:ff:ff:ff:ff:ff and the psrc field contains an IP address that already existed in the ARP cache of the victim (let's say 192.168.0.1).
The consequence of this is that the kernel will update the ARP cache with an entry like: 192.168.0.1 at FF:FF:FF:FF:FF:FF, and will send all packets directed to 192.168.0.1 to the broadcast destination. This will allow attackers to easily sniff all the traffic destined to the host 192.168.0.1 coming from the compromised machine.

Scapy can be used to create such a packet with the command: pack = Ether(dst="<MAC_OF_VICTIM>")/ARP(op=2, psrc="192.168.0.1", hwsrc="ff:ff:ff:ff:ff:ff").
This must then be sent, at regular intervals, with the command sendp(pack).

If this behavior is present in the linux-image-server kernel this might be a bigger problem. In server environments, where Linux may be used as a router, this behavior goes against RFC 1812, which states:

"3.3.2 Address Resolution Protocol - ARP
(...)
A router MUST not believe any ARP reply that claims that the Link Layer address of another host or router is a broadcast or multicast address."

Tests performed on Kubuntu 7.10, command-line-only installation, kernel 2.6.22-14-generic.
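The check that RFC 1812 section 3.3.2 asks for, written out as an added example; this is not code from the bug report or from the kernel. It parses a raw Ethernet II frame carrying an IPv4 ARP reply and refuses to accept the reply when the sender hardware address has the IEEE 802 group bit set, which covers both the broadcast address ff:ff:ff:ff:ff:ff from the report and any multicast address. The all-zero sender check and the Ethernet-source mismatch note go beyond the RFC text and are labelled as such in the code; every MAC and IP address used is constructed for the example.

```python
# Added example (not part of the bug report or the kernel): an RFC 1812
# section 3.3.2 filter for ARP replies, operating on raw frame bytes.
# All MAC and IP addresses below are constructed for the example.
import struct

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def ip(text: str) -> bytes:
    """'192.168.0.1' -> 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))


def build_arp_reply(eth_src: bytes, eth_dst: bytes, sha: bytes, spa: bytes,
                    tha: bytes, tpa: bytes) -> bytes:
    """Build an Ethernet II frame carrying an IPv4 ARP reply (test input only).
    eth_src is the frame's source MAC; sha is the ARP sender hardware address,
    which an attacker can set independently, as the report's scapy command does."""
    ether = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4,
                      ARP_OP_REPLY, sha, spa, tha, tpa)
    return ether + arp


def parse_arp_reply(frame: bytes):
    """Return the fields of an IPv4-over-Ethernet ARP reply, or None when the
    frame is anything else (too short, wrong ethertype, wrong sizes, not a reply)."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_OP_REPLY):
        return None
    return {"eth_src": eth_src, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def is_group_address(hwaddr: bytes) -> bool:
    """IEEE 802 group bit: bit 0 of the first octet marks a multicast address.
    The broadcast address ff:ff:ff:ff:ff:ff is the all-ones special case of it."""
    return bool(hwaddr[0] & 0x01)


def arp_reply_acceptable(frame: bytes):
    """Decide whether a reply may update the neighbour cache. Returns (accepted, reason)."""
    arp = parse_arp_reply(frame)
    if arp is None:
        return False, "not an IPv4 ARP reply"
    if is_group_address(arp["sha"]):
        # This is the RFC 1812 3.3.2 rule the bug report quotes.
        return False, "sender hardware address is broadcast/multicast (RFC 1812 3.3.2)"
    if arp["sha"] == bytes(6):
        # Extra sanity check, not from the RFC: a zero MAC is never a station address.
        return False, "sender hardware address is all zeros"
    if arp["sha"] != arp["eth_src"]:
        # Not an RFC rule either: a legitimate reply may be proxied, so accept it,
        # but the mismatch is worth logging on a monitored segment.
        return True, "accepted, but ARP sender differs from Ethernet source"
    return True, "accepted"


if __name__ == "__main__":
    victim = mac("00:11:22:33:44:55")          # constructed
    attacker = mac("00:de:ad:be:ef:01")        # constructed
    gateway = mac("00:aa:bb:cc:dd:01")         # constructed
    # The reply described in the report: claims 192.168.0.1 is at the broadcast address.
    poisoned = build_arp_reply(attacker, victim, mac("ff:ff:ff:ff:ff:ff"),
                               ip("192.168.0.1"), victim, ip("192.168.0.7"))
    # A normal reply from the real gateway.
    legit = build_arp_reply(gateway, victim, gateway,
                            ip("192.168.0.1"), victim, ip("192.168.0.7"))
    for name, frame in (("poisoned", poisoned), ("legit", legit)):
        print(name, arp_reply_acceptable(frame))
```

Run stand-alone it prints the verdict for the poisoned reply from the report and for a normal gateway reply. The group-bit test is deliberately broader than a compare against ff:ff:ff:ff:ff:ff: the RFC forbids believing multicast link-layer addresses too, and a single-bit test covers both without a table of special cases.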

Kees Cook (kees) on 2009-01-23
Changed in linux-meta:
status: New → Confirmed
Changed in linux:
importance: Undecided → Medium
kernel-janitor (kernel-janitor) wrote :

This bug report was marked as Confirmed a while ago but has not had any updated comments for quite some time. Please let us know if this issue remains in the current Ubuntu release, http://www.ubuntu.com/getubuntu/download . If the issue remains, click on the current status under the Status column and change the status back to "New". Thanks.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: kj-triage
Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Jeremy Foshee (jeremyfoshee) wrote :

This bug report was marked as Incomplete and has not had any updated comments for quite some time. As a result this bug is being closed. Please reopen if this is still an issue in the current Ubuntu release http://www.ubuntu.com/getubuntu/download . Also, please be sure to provide any requested information that may have been missing. To reopen the bug, click on the current status under the Status column and change the status back to "New". Thanks.

[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: kj-expired
Changed in linux (Ubuntu):
status: Incomplete → Invalid