Leaked DNS Query Detection - ISATAP Request (IPv6)

low Nessus Network Monitor Plugin ID 7203

Synopsis

An internal IPv6 routing query has leaked to the public realm via DNS.

Description

ISATAP, or Intra-Site Automatic Tunnel Addressing Protocol, is an IPv6 transition mechanism meant to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network. Traffic observed from this host indicates that it has queried the network for an available ISATAP host to supply the PRL, or potential routers list. Through an error in DNS configuration, the remote host has sent an ISATAP request to the public realm, potentially allowing a man-in-the-middle (MiTM) attack to take place. A determined attacker who is able to register a gTLD with the same domain name could theoretically serve a malicious PRL in response. This may result in IPv6 traffic from the affected host being redirected through an attacker-controlled gateway without the user's knowledge.
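
One way to check DNS query logs for the condition described above, as an added example that is not Tenable's plugin logic: it flags names whose leftmost label is "isatap" when the query went to a resolver outside the internal address ranges. The log line format, the internal ranges, the sample records and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: resolvers inside these ranges count as internal; adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample log, one query per line:
# "<time> <client> <resolver> <qtype> <qname>"
SAMPLE_LOG = """\
2016-05-26T10:00:01Z 10.1.2.30 10.1.0.53 A isatap.corp.example.
2016-05-26T10:00:02Z 10.1.2.30 198.51.100.53 A isatap.corp.example.
2016-05-26T10:00:03Z 10.1.2.31 198.51.100.53 A www.example.com.
2016-05-26T10:00:04Z 10.1.2.32 203.0.113.8 AAAA ISATAP.example.
2016-05-26T10:00:05Z 10.1.2.30 198.51.100.53 A isatap.example.
malformed line
"""

def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def find_leaks(log_text):
    """Return {client: sorted ISATAP names it sent to external resolvers}."""
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # line does not match the assumed format
        _time, client, resolver, _qtype, qname = fields
        # DNS names are case-insensitive; drop the trailing root dot.
        labels = qname.rstrip(".").lower().split(".")
        if labels[0] != "isatap":
            continue  # not an ISATAP router lookup
        try:
            if is_internal(resolver):
                continue  # answered inside the site, nothing leaked
        except ValueError:
            continue  # unparseable resolver address
        leaks[client].add(".".join(labels))
    return {client: sorted(names) for client, names in leaks.items()}

if __name__ == "__main__":
    for client, names in sorted(find_leaks(SAMPLE_LOG).items()):
        print(f"{client} leaked ISATAP lookups: {', '.join(names)}")
```
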

Solution

Ensure that any '6in4' or ISATAP traffic cannot pass through the firewall to reach external resources.

See Also

https://technet.microsoft.com/library/security/ms10-029

https://support.microsoft.com/en-us/kb/978338

http://resources.infosecinstitute.com/security-vulnerabilities-ipv6-tunnels

Plugin Details

Severity: Low

ID: 7203

Version: 1.0

Family: Data Leakage

Published: 5/26/2016

Updated: 8/16/2018