NetworkManager IPv6 DAD lifetime behavior introduce security risk

Bug #1796622 reported by David Chen on 2018-10-08
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
High
Unassigned
Bionic
High
Unassigned
Cosmic
High
Till Kamppeter
Disco
High
Unassigned

Bug Description

Description:
When performing IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The Network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence when running in IPv6 environment with Network Manager enabled, there is a risk of packets travelling in network which has valid lifetime always. If these packets are snooped by a hacker he can reply to these packets and they can send legitimate packets which are actually not.

According to https://tools.ietf.org/search/rfc4862, page 19:
"The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect."

Other notes:
- 2 test cases pass without NetworkManager.
- Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail.

Bryan Quigley (bryanquigley) wrote :

Hi David,

Thanks for reporting this and helping to make open source software more secure.

What is the "IPv6 certification test"? Can we get access to it or at least the "two DAD test cases (3.2.5c and d)"

What version of Ubuntu/network-manager have been tested? If not tested please test the development release as well and it's n-m of 1.12.4-1ubuntu1.

Does this issue need to be kept private or is it a generally known issue?

Have you reported it to other Linux distros or network-manager upstream (https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues) ?

Thanks!
Bryan

David Chen (david.chen) on 2018-10-11
information type: Private Security → Public Security
David Chen (david.chen) wrote :

Hi Bryan,

Here is the information for those 2 cases:

v6LC_3_2_4_C - Prefix Lifetime less than the Remaining Lifetime and the Remaining Lifetime is less than 2 hours
http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/v6LC_3_2_4_C.html

RA_gt2lt2 - Prefix Lifetime less than 2 hours and the Remaining Lifetime is greater than 2 hours
http://fnet.sourceforge.net/ip6_tests/Self_Test_5-0-0/addr.p2/RA_gt2lt2.html

I think I chose private by mistake, and I have changed it to public.
I haven't reported it to other Linux distro or network-manager upstream. If doing so can get more visibility, I will do it.

Thanks and Regards,
-David

Will Cooke (willcooke) wrote :

Spoke to upstream. They will look in to this and get it fixed. I've asked David to log it upstream and we can link to that here.

We should look at backport the fixes and SRUing to Bionic.

David Chen (david.chen) wrote :

Upstream issue reported:

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/57

Thanks for looking into it.

Will Cooke (willcooke) wrote :

Upstream fix: https://github.com/NetworkManager/NetworkManager/pull/228

This will be ported to all supported releases soon, so we should be able to pick that up easily enough.

David Chen (david.chen) wrote :

Investigation found that DAD timeout for IPv6 seems to be not implemented for network manager [1]. And only support up to IPv4. It looks like a limitation but couldn't find any writing confirmation for this limitation.

[1] https://developer.gnome.org/NetworkManager/stable/settings-ipv6.html

David Chen (david.chen) wrote :

Thank you Will!
We are running Ubuntu 16.04 with network-manager version 1.2.6, that will be fixed too?

Will Cooke (willcooke) wrote :

It should be yes, but I'd like to look at the changes needed before going any further. Looking at the diff, it doesnt look too bad for the current version on n-m. With some luck it will be backported by upstream, if not we'll take a look.

Release of Cosmic is next week, so I dont think this will get any traction until that's out the door, but then we will get on the case.

Changed in network-manager (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in network-manager (Ubuntu Disco):
assignee: nobody → Andrea Azzarone (azzar1)
importance: Undecided → High
Sebastien Bacher (seb128) wrote :

The issue was fixed in 1.12.6 which has been uploaded to disco, https://launchpad.net/ubuntu/+source/network-manager/1.12.6-0ubuntu1

Changed in network-manager (Ubuntu Disco):
assignee: Andrea Azzarone (azzar1) → nobody
status: New → Fix Committed
Jeremy Bicha (jbicha) wrote :

This is fixed in Disco; I opened Bionic and Cosmic tasks since the bug needs to be open in some way for it to be tracked.

Changed in network-manager (Ubuntu Disco):
status: Fix Committed → Fix Released
Jeremy Bicha (jbicha) wrote :

The bionic fix is included in the upstream 1.10.14 release:
https://launchpad.net/ubuntu/+source/network-manager/1.10.14-0ubuntu1

1.12.6 has the fix for cosmic.

Changed in network-manager (Ubuntu Bionic):
status: New → Fix Committed
importance: Undecided → High
Changed in network-manager (Ubuntu Cosmic):
importance: Undecided → High
Changed in network-manager (Ubuntu Cosmic):
assignee: nobody → Till Kamppeter (till-kamppeter)
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers