The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in
FreeBSD, NetBSD, and possibly other BSD-based operating systems allows
remote attackers to cause a denial of service (CPU consumption and device
hang) by sending many Router Advertisement (RA) messages with different
source addresses, a similar vulnerability to CVE-2010-4670.

Author | Note |
---|---|
tyhicks | “Old Linux kernels are also affected, detailed version information unknown.” |
apw | “Linux: fixed prior 2010” algorithm appears unchanged all the way back to hardy, with the holding of a single address from RA at any one time, very likely we are unaffected but this needs testing |
jdstrand | linux-lts-saucy no longer receives official support; linux-lts-quantal no longer receives official support |
apw | we have always had an upper limit of addresses for each interface via RA so we cannot crash at least, we only accept these from link-local so we can only be DoS'd by someone on the local link, who can kill us by killing the same link. For this CVE we seemed to be fixed by the first git commit so use that as ‘fix’. |
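
A monitoring-side check for the condition described above, as an added example that is not code from this tracker entry or from any BSD or Linux source tree: it flags an interface that receives Router Advertisements from more distinct source addresses than expected within a time window, and any RA whose source is not link-local. The record format `(timestamp, interface, source)`, the window and the threshold are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import deque

# Assumed values for illustration; size the limit to the routers expected on the link.
WINDOW_SECONDS = 10
MAX_DISTINCT_SOURCES = 8

def analyze_ras(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_SOURCES):
    """events: (timestamp, interface, source_address) per received RA, sorted
    by timestamp. Returns a list of (timestamp, interface, reason) alerts."""
    recent = {}    # interface -> deque of (timestamp, source) inside the window
    flooding = {}  # interface -> True while the limit is exceeded
    alerts = []
    for ts, iface, src in events:
        addr = ipaddress.IPv6Address(src)
        if not addr.is_link_local:
            # RFC 4861 requires the source of an RA to be a link-local address.
            alerts.append((ts, iface, "non-link-local-source"))
            continue
        q = recent.setdefault(iface, deque())
        q.append((ts, addr))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop observations that fell out of the window
        over = len({a for _, a in q}) > limit
        if over and not flooding.get(iface):
            # Alert once per episode, not once per packet.
            alerts.append((ts, iface, "ra-source-flood"))
        flooding[iface] = over
    return alerts

def constructed_sample():
    """Constructed events: one normal router, one off-link source, one burst."""
    events = [(0, "em0", "fe80::1"), (1, "em0", "fe80::1")]
    events.append((2, "em0", "2001:db8::5"))
    # 20 RAs from 20 different link-local sources within two seconds
    events += [(3 + i // 10, "em0", f"fe80::a:{i:x}") for i in range(20)]
    events.append((60, "em0", "fe80::1"))
    return events

if __name__ == "__main__":
    for alert in analyze_ras(constructed_sample()):
        print(alert)
```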