ip6tables is missing libip6t_rt.so to filter the IPv6 RH0 exploit
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| iptables (Ubuntu) | Fix Released | High | Kees Cook | |
| Dapper | Fix Released | High | Kees Cook | |
| Edgy | Fix Released | High | Kees Cook | |
| Feisty | Fix Released | High | Martin Pitt | |
Bug Description
Binary package hint: iptables
In order to implement recommended[1] filtering for all IPv6 PoPs and routers, the RT match (routing header) is required. This recommendation is due to the following security DoS concern: http://
The recommended commands to drop this type of routing are:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP
On a properly configured Linux kernel, this fails on Ubuntu Feisty with:
ip6tables v1.3.5: Couldn't load match `rt':/lib/
I believe this is due to the iptables package not shipping with the RT match (probably due to the version being too old).
Given that IPv6 is supported in Feisty, and given that this is a serious potential DoS problem, I am tagging this as a security vulnerability.
The solution to fix is as obvious as it is non-trivial. Support the rt type match with iptables.
Changed in iptables:
assignee: nobody → keescook
I forgot to add the [1] reference: http://www.ipv4.sixxs.net/faq/connectivity/?faq=filters
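To make concrete what the `rt --rt-type 0` match above actually inspects, here is an added example (not part of the bug report or the iptables project) that walks an IPv6 packet's extension header chain and reports any Routing Header together with its Routing Type and Segments Left fields. The packets it checks are constructed inline with addresses from the 2001:db8::/32 documentation range; the header layout follows RFC 2460, and the Type 0 routing header is the one the rules in this bug are meant to drop.

```python
import struct

# IPv6 extension header protocol numbers (RFC 2460 / RFC 4302)
IPPROTO_HOPOPTS = 0
IPPROTO_ROUTING = 43
IPPROTO_FRAGMENT = 44
IPPROTO_AH = 51
IPPROTO_DSTOPTS = 60
IPPROTO_ICMPV6 = 58
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT,
               IPPROTO_AH, IPPROTO_DSTOPTS}


def find_routing_headers(pkt: bytes):
    """Walk the extension header chain of an IPv6 packet.

    Returns a list of (offset, routing_type, segments_left) tuples, one per
    Routing Header found.  The routing_type byte is the field that
    `ip6tables -m rt --rt-type 0` compares against.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = pkt[6]          # Next Header of the fixed 40-byte IPv6 header
    off = 40
    found = []
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == IPPROTO_FRAGMENT:
            hdr_len = 8                       # fragment header is fixed size
        elif nh == IPPROTO_AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # other headers: 8-octet units
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        if nh == IPPROTO_ROUTING:
            # Routing Type is byte 2, Segments Left is byte 3 of the header
            found.append((off, pkt[off + 2], pkt[off + 3]))
        nh = next_nh
        off += hdr_len
    return found


def has_rh0(pkt: bytes) -> bool:
    """True if the packet carries a Type 0 Routing Header (what the DROP rules target)."""
    return any(rtype == 0 for _, rtype, _ in find_routing_headers(pkt))


def build_sample(routing_type: int, with_hbh: bool = False) -> bytes:
    """Build a constructed (not captured) IPv6 packet carrying one Routing Header.

    Optionally prefixes a Hop-by-Hop header so the walker has to skip a
    header before reaching the Routing Header.
    """
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    via = bytes.fromhex("20010db8000000000000000000000003")   # 2001:db8::3
    payload = b"\x80\x00\x00\x00\x00\x00\x00\x00"  # placeholder ICMPv6 bytes (constructed)
    # Routing Header: Next Header=ICMPv6, Hdr Ext Len=2 (one 16-byte address),
    # Routing Type, Segments Left=1, 4 reserved bytes, one address.
    rt = struct.pack("!BBBB", IPPROTO_ICMPV6, 2, routing_type, 1) + b"\x00" * 4 + via
    ext = rt
    first_nh = IPPROTO_ROUTING
    if with_hbh:
        # Hop-by-Hop header: Next Header=Routing, Hdr Ext Len=0 (8 bytes),
        # padded with a single PadN option (type 1, length 4).
        hbh = struct.pack("!BB", IPPROTO_ROUTING, 0) + b"\x01\x04\x00\x00\x00\x00"
        ext = hbh + rt
        first_nh = IPPROTO_HOPOPTS
    payload_len = len(ext) + len(payload)
    ip6 = struct.pack("!IHBB", 0x60000000, payload_len, first_nh, 64) + src + dst
    return ip6 + ext + payload


if __name__ == "__main__":
    for rtype in (0, 2):
        pkt = build_sample(rtype, with_hbh=True)
        print(f"routing type {rtype}: headers={find_routing_headers(pkt)} rh0={has_rh0(pkt)}")
```

The walker skips Hop-by-Hop, Destination Options, Fragment and AH headers using each one's own length encoding, which is why a rule that only looked at the fixed header's Next Header field would miss an RH0 placed behind another extension header; the `rt` match operates on the parsed chain in the same way.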