NetworkManager IPv6 DAD lifetime behavior introduces a security risk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
network-manager (Ubuntu) | Fix Released | High | Unassigned |
Bionic | Won't Fix | High | Unassigned |
Cosmic | Won't Fix | High | Unassigned |
Disco | Fix Released | High | Unassigned |

Bug Description
Description:
When performing the IPv6 certification test, two DAD test cases (3.2.5c and d) check the remaining lifetime feature of the IPv6 packets. The network trace shows that the remaining lifetime becomes infinite when running these test cases. Hence, when running in an IPv6 environment with NetworkManager enabled, there is a risk of packets travelling in the network which always have a valid lifetime. If these packets are snooped by a hacker, he can reply to these packets and they can send legitimate packets which are actually not.
According to https:/
"The above rules address a specific denial-of-service attack in which a bogus advertisement could contain prefixes with very small Valid Lifetimes. Without the above rules, a single unauthenticated advertisement containing bogus Prefix Information options with short Valid Lifetimes could cause all of a node's addresses to expire prematurely. The above rules ensure that legitimate advertisements (which are sent periodically) will "cancel" the short Valid Lifetimes before they actually take effect."
Other notes:
- 2 test cases pass without NetworkManager.
- Tested with different Linux Desktop Distributions, as long as NetworkManager is running, those DAD test cases fail.
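
The Valid Lifetime update rules that the quoted passage refers to (RFC 4862, section 5.5.3 e), written out as an added example; this is not code from the report or from NetworkManager. The function names and the sample observations are constructed for illustration, and the check assumes the lifetime is read from the host immediately after the Router Advertisement is processed.

```c
#include <stdint.h>
#include <stdio.h>

#define TWO_HOURS         7200u        /* seconds */
#define LIFETIME_INFINITE 0xffffffffu  /* all-ones Valid Lifetime means infinity */

/* Valid lifetime (seconds) an already-configured SLAAC address should have
 * after an unauthenticated Router Advertisement carrying `advertised`. */
uint32_t update_valid_lifetime(uint32_t remaining, uint32_t advertised)
{
    if (advertised > TWO_HOURS || advertised > remaining)
        return advertised;   /* rule 1: take the advertised value */
    if (remaining <= TWO_HOURS)
        return remaining;    /* rule 2: ignore the option, keep counting down */
    return TWO_HOURS;        /* rule 3: shorten to two hours, never below */
}

/* 1 if the lifetime observed on the host after the RA matches the rules. */
int lifetime_conforms(uint32_t remaining, uint32_t advertised, uint32_t observed)
{
    return observed == update_valid_lifetime(remaining, advertised);
}

int main(void)
{
    /* Constructed observations: remaining, advertised, observed afterwards. */
    static const uint32_t obs[][3] = {
        { 10000,   30, 7200 },              /* short RA, clamped to 2 hours */
        {  3600,   30, 3600 },              /* short RA, ignored            */
        {  3600, 5000, 5000 },              /* legitimate extension         */
        {  3600,   30, LIFETIME_INFINITE }, /* lifetime became infinite     */
    };
    for (size_t i = 0; i < sizeof obs / sizeof obs[0]; i++)
        printf("remaining=%u advertised=%u observed=%u -> %s\n",
               (unsigned)obs[i][0], (unsigned)obs[i][1], (unsigned)obs[i][2],
               lifetime_conforms(obs[i][0], obs[i][1], obs[i][2])
                   ? "ok" : "NON-CONFORMING");
    return 0;
}
```

The last constructed row corresponds to the symptom in the report: a finite, short advertisement followed by an infinite remaining lifetime does not match any of the three rules.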
information type: Private Security → Public Security
Changed in network-manager (Ubuntu Disco):
assignee: nobody → Andrea Azzarone (azzar1)
importance: Undecided → High
Changed in network-manager (Ubuntu Cosmic):
assignee: nobody → Till Kamppeter (till-kamppeter)
Hi David,
Thanks for reporting this and helping to make open source software more secure.
What is the "IPv6 certification test"? Can we get access to it or at least the "two DAD test cases (3.2.5c and d)"?
What version of Ubuntu/network-manager has been tested? If not tested, please test the development release as well and its n-m of 1.12.4-1ubuntu1.
Does this issue need to be kept private or is it a generally known issue?
Have you reported it to other Linux distros or network-manager upstream (https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues)?
Thanks!
Bryan