News

2015-04-23 - Fedora releases kernel update

Fedora users can now get a kernel update that includes a patch for Bongos.

Bug #1203712 - CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements. https://bugzilla.redhat.com/show_bug.cgi?id=1203712


2015-04-16 - pfSense 2.2.2 patched

There is now a patch for pfSense.

FreeBSD-SA-15:09.ipv6: Denial of Service with IPv6 Router Advertisements. Where a system is using DHCPv6 WAN type, devices on the same broadcast domain as that WAN can send crafted packets causing the system to lose IPv6 Internet connectivity.



2015-03-26 - Embargo ended

So, in closing, from CERT I got the following:

Essentially, RFC 3756 Section 4.4 lists several possible ND and RD attacks that may be possible based on your reading of Section 4.2.7. These attacks are well-known and have been discussed before publicly (hence being in the RFC). Fake ND and RD responses in IPv6 are similar to ARP poisoning in the IPv4 world; rogue nodes can do this. In short, this is a real issue, but an already known one.

Since this isn't news, and the embargo has ended, I'll publish some more content about what's up, why it isn't the end of the internet, and how to play havoc with your local network and make devices unable to route IPv6 packets.


2015-03-16 - CERT VU Number

Follow up from CERT/CC! We now have VU#711516 assigned, and CERT are responsible for coordination with vendors.

On our front, we have tried to perform tests with various other hardware, but failed to get satisfactory results due to infrastructure issues.


2015-03-10 - CERT and CERT-SE

After advice from the security teams at Microsoft, Apple, Android, Red Hat, FreeBSD and the Linux Kernel, I've filed a proper report with CERT, and hope that they will help out with organizing this with the various vendors.

This whole experience has been interesting, as it's on a scale that most security people never work with in their career. Personally, I cannot remember when there last was a wide-scale cross-platform network Denial of Service on consumer devices.