Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Microsoft, Juniper urged to patch dangerous IPv6 DoS hole

Julie Bort, Network World | May 3, 2011
Security experts are urging Microsoft and Juniper to patch a year-old IPv6 vulnerability so dangerous it can freeze any Windows machine on a LAN in a matter of minutes.

Heuse has also called Juniper out on the carpet for dragging its feet to fix the hole. Juniper's Lunk argues that the RA advertisement problem stems from a flaw in the ICMPv6 protocol and should be fixed by the IETF.

"The flaw in the ICMPv6 protocol has only been identified in a small subset of older Juniper products, and only when configured as a host rather than a router," he said. "According to the protocol, devices configured as hosts must accept and process all advertised routes. This is an inherently dangerous thing to do. If our customers must use auto-configure mode on the IPV6 host on an open LAN, then we strongly recommend whitelisting sources of acceptable routes which will protect them from bogus advertisements."

He adds: "While individual vendors may put in patches to cover up the fundamental problem, the fact is that conforming implementations of the spec are inevitably vulnerable to route contamination even if they hide the resource exhaustion problem. Until the IETF fix the protocol the best course of action is to only accept routes from routers that you trust by whitelisting legitimate route sources."

If RA Guard is not available, another workaround within a Windows environments is to turn off Router Discovery, says Sam Browne, a computer networking instructor at City College San Francisco who has also been pressuring Microsoft to fix the hole. Bowne has produced a video that shows how easy the exploit is to do. (See it yourself in a related blog post on Network World's Microsoft Subnet.) Turning off Router Discovery "is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It's probably appropriate for servers, but not as good for client machines," Bowne says.

Bowne says another possibility is to set your firewall to block rogue Router Advertisements, while whitelisting them from authorized gateways. But both Bowne and Heuse say that this method is easily defeated. Heuse is even planning on demonstrating an attack that bypasses this fix later this month.

Horley also says that the attack isn't limited to those connected to a wired LAN, either. "It does affect Windows 7 and Server 2008 machines on wireless networks too," he said. "There is no fix for wireless networks as RA Guard is not a feasible option on wireless."

On the other hand, Horley also admits that on the wireless side, "the greatest risk of being affected is when joining an open network. Assuming the machine is on a trusted, secure wireless network, unless it is 'owned' there is no reason someone would run this exploit unless they were being malicious." He also notes: "There are likely far better exploits out there then a simple DOS attack if you have managed to connect to the secure wireless network."


Previous Page  1  2  3  4  Next Page 

Sign up for Computerworld eNewsletters.