CVE-2016-10142

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946]. That is, employing fragmentation where not actually needed allows for fragmentation-based attack vectors to be employed, unnecessarily. We note that, unfortunately, even nodes that already implement [RFC6946] can be subject to DoS attacks as a result of the generation of IPv6 atomic fragments. Let us assume that Host A is communicating with Host B and that, as a result of the widespread dropping of IPv6 packets that contain extension headers (including fragmentation) [RFC7872], some intermediate node filters fragments between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario. Another possible scenario is that in which two BGP peers are employing IPv6 transport and they implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If the aforementioned BGP peers drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an attacker could easily attack the corresponding peering session by simply sending an ICMPv6 PTB message with a reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the aforementioned routers will themselves be the ones dropping their own traffic.

References

http://rhn.redhat.com/errata/RHSA-2017-0817.html

http://www.securityfocus.com/bid/95797

http://www.securitytracker.com/id/1038256

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA43730

https://support.f5.com/csp/article/K57211290?utm_source=f5support&utm_medium=RSS

https://tools.ietf.org/html/draft-ietf-6man-deprecate-atomfrag-generation-08

https://tools.ietf.org/html/rfc8021

Details

Source: MITRE

Published: 2017-01-14

Updated: 2018-05-11

Type: CWE-17

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Impact Score: 4

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ietf:ipv6:-:*:*:*:*:*:*:*

Tenable Plugins

View all (18 total)

IDNameProductFamilySeverity
127425NewStart CGSL MAIN 4.05 : kernel Multiple Vulnerabilities (NS-SA-2019-0152)NessusNewStart CGSL Local Security Checks
high
109920Pulse Policy Secure Multiple Vulnerabilities (SA43730)NessusMisc.
medium
109919Pulse Connect Secure Multiple Vulnerabilities (SA43730)NessusMisc.
medium
101493F5 Networks BIG-IP : IPv6 fragmentation vulnerability (K57211290)NessusF5 Networks Local Security Checks
high
101266Juniper Junos ICMPv6 PTB Atomic Fragment DoS (JSA10780)NessusJunos Local Security Checks
high
100238OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0106)NessusOracleVM Local Security Checks
critical
100237OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0105)NessusOracleVM Local Security Checks
critical
100235Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3567)NessusOracle Linux Local Security Checks
critical
100234Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3566)NessusOracle Linux Local Security Checks
critical
99218Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20170321)NessusScientific Linux Local Security Checks
high
99164OracleVM 3.2 : Unbreakable / etc (OVMSA-2017-0058)NessusOracleVM Local Security Checks
high
99163OracleVM 3.3 : Unbreakable / etc (OVMSA-2017-0057) (Dirty COW)NessusOracleVM Local Security Checks
critical
99161Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2017-3535)NessusOracle Linux Local Security Checks
high
99160Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3534)NessusOracle Linux Local Security Checks
high
99106Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2017-025)NessusVirtuozzo Local Security Checks
critical
99074Oracle Linux 6 : kernel (ELSA-2017-0817)NessusOracle Linux Local Security Checks
high
97962CentOS 6 : kernel (CESA-2017:0817)NessusCentOS Local Security Checks
high
97886RHEL 6 : kernel (RHSA-2017:0817)NessusRed Hat Local Security Checks
high