#22486: CVE-2016-1409 = IPv6 ND DoS
-----------------------+------------------------
 Reporter:  anonymous  |      Owner:  developers
     Type:  defect     |     Status:  new
 Priority:  normal     |  Milestone:
Component:  packages   |    Version:  Trunk
 Keywords:             |
-----------------------+------------------------
 can anyone check if trunk or chaos_calmer are affected?

 CVE-2016-1409
 Published: 2016 May 25 16:00 GMT
 Cisco Advisory ID: cisco-sa-20160525-ipv6

 /cisco quote:

 A vulnerability in the IP Version 6 (IPv6) packet processing functions of multiple [Cisco] products could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

 The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

 '''This vulnerability is not Cisco specific: any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability.'''

 Workarounds

 There are no workarounds that address this vulnerability. Customers should rely on external mitigation techniques, such as denying IPv6 ND packets in an access control list (ACL) placed on an Internet edge router, to protect infrastructure devices behind those routers. IPv6 ND packets should be limited to local links and dropping them on the edge can help protect the infrastructure. It is a commonly accepted best practice to drop these packets at the Internet edge. Alternatively, configuring static IPv6 neighbors where possible, and denying all IPv6 ND packets at the edge help mitigate this vulnerability.

 Fixed Software

 All releases of Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software are affected by the vulnerability described in this advisory. Currently, there are no software updates that address this vulnerability. Updates for affected software releases will be published when they are available[...]

 /end cisco quote

--
Ticket URL: <https://dev.openwrt.org/ticket/22486>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
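
The edge filtering recommended in the quoted advisory depends on recognising ND messages in traffic that is about to be forwarded. The following is an added example, not part of the ticket, the advisory or OpenWrt's code: it classifies raw IPv6 packets as ND or not, including ND placed behind extension headers. The `build` helper, the addresses and the sample packets are constructed for illustration.

```python
import struct

# ICMPv6 Neighbor Discovery message types (RFC 4861)
ND_TYPES = {133: "router-solicit", 134: "router-advert",
            135: "neighbor-solicit", 136: "neighbor-advert", 137: "redirect"}
ICMPV6, FRAGMENT = 58, 44
OPTION_HEADERS = {0, 43, 60}  # hop-by-hop, routing, destination options


def classify(packet: bytes):
    """Return the ND message name carried by a raw IPv6 packet, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    # Walk the extension-header chain so ND behind extra headers is still seen.
    while next_header in OPTION_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return None  # truncated chain
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None  # non-first fragment: no ICMPv6 header here
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    if next_header != ICMPV6 or offset >= len(packet):
        return None
    return ND_TYPES.get(packet[offset])


def edge_verdict(packet: bytes) -> str:
    """ND belongs on the local link, so a forwarding edge drops it."""
    return "drop" if classify(packet) else "forward"


def build(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: 2001:db8::1 -> 2001:db8::2, hop limit 255."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload


# Constructed samples (not captured traffic)
NS = build(ICMPV6, bytes([135, 0, 0, 0]) + bytes(20))
# Neighbor Advertisement placed behind an 8-byte destination options header
HIDDEN_NA = build(60, bytes([ICMPV6, 0]) + bytes(6) + bytes([136, 0, 0, 0]) + bytes(20))
ECHO = build(ICMPV6, bytes([128, 0, 0, 0]) + bytes(4))

if __name__ == "__main__":
    for name, pkt in (("NS", NS), ("hidden NA", HIDDEN_NA), ("echo", ECHO)):
        print(name, classify(pkt), edge_verdict(pkt))
```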