Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161)

DESCRIPTION
In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a “ping pong” effect.

The possible routing loop on point-to-point links (e.g PPP) can happen when router advertisements are received having at least one global unique IPv6 prefix for which the on-link flag is set. The WAN interface is assigned the global unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked which will be installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64).

As the on-link flag is set the prefix route 2001:db8:1::/64 will be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and will be routed back by the upstream router due to the WAN interface having been assigned the global unique prefix. Besides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop.
*[IPv6]: Internet Protocol version 6
*[ISP]: Internet Service Provider
*[WAN]: Wide Area Network

REQUIREMENTS
The WAN interface needs to be a point-to-point interface (e.g. PPP) and IPv6 router advertisement messages need to be received which contain at least one global unique IPv6 prefix for which the on-link flag is set.
*[WAN]: Wide Area Network
*[IPv6]: Internet Protocol version 6

MITIGATIONS
You need to update the affected netifd and odhcp6c packages you’re using with the command below.

 opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c

Then verify, that you’re running fixed version.

 opkg list-installed netifd
 opkg list-installed odhcp6c

The above command should output following:

 netifd - 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release
 netifd - 2021-01-09-c00c8335-1 - for master/snapshot
 
 odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release
 odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot

The fix is contained in the following and later versions:

• OpenWrt 19.07: 2021-01-17 (fixed by v19.07.6-4-g250dbb3a60f3 and v19.07.6-5-g9999c87d3a3c)

• OpenWrt master: 2021-01-09 (fixed by reboot-15532-ge857b097678d and reboot-15531-g430154135106)

AFFECTED VERSIONS
To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.7 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

CREDITS
This issue was identified by Xiang Li from Network and Information Security Lab at Tsinghua University and fixed by Hans Dedecker.

Development snapshot

• netifd e857b097678d660c1121cd7ab8e753bb864970ab

• odhcp6c 430154135106cbea6816a379774fd250a72a7063

OpenWrt 19.07 release

• netifd 9999c87d3a3cf93344be99d314bdd63e2ca782f1

• odhcp6c 250dbb3a60f334adc31587a3f6f75f2168df7cac