Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161)

Petr Štetiar ynezz at true.cz
Mon Feb 8 02:10:51 EST 2021


DESCRIPTION

In case a link prefix route points to a point-to-point link it can trigger a
routing loop if the destination IPv6 address belongs to the prefix and is not
a local IPv6 address. If such a packet is received and not directed to a local
IPv6 address it will be routed back to the point-to-point link due to the link
prefix route; the upstream ISP router will in its turn route the IPv6 packet
back due to the assigned prefix route creating a "ping pong" effect.

The possible routing loop on point-to-point links (e.g PPP) can happen when
router advertisements are received having at least one global unique IPv6
prefix for which the on-link flag is set. The WAN interface is assigned the
global unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is
picked which will be installed on the wan interface (e.g.
2001:db8:1:0:5054:ff:feab:d87c/64).

As the on-link flag is set the prefix route 2001:db8:1::/64 will be present in
the routing table which will route any packet with as destination
2001:db8:1::/64 to the WAN interface and will be routed back by the upstream
router due to the WAN interface having been assigned the global unique prefix.
Besides not installing the prefix route 2001:db8:1::/64 on point-to-point
links adding an unreachable route is required to avoid the routing loop.


REQUIREMENTS

The WAN interface needs to be a point-to-point interface (e.g. PPP) and IPv6
router advertisement messages need to be received which contain at least one
global unique IPv6 prefix for which the on-link flag is set.


MITIGATIONS

You need to update the affected netifd and odhcp6c packages you're using with
the command below.

   opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c

Then verify, that you're running fixed version.

   opkg list-installed netifd
   opkg list-installed odhcp6c

The above command should output following:

   netifd - 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release
   netifd - 2021-01-09-c00c8335-1 - for master/snapshot

   odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release
   odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot

The fix is contained in the following and later versions:

  * OpenWrt master: 2021-01-09 reboot-15532-ge857b097678d
  * OpenWrt 19.07:  2021-01-17 v19.07.6-5-g9999c87d3a3c


AFFECTED VERSIONS

To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected.  The fixed
packages will be integrated in the upcoming OpenWrt 19.07.7 release.  Older
versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end
of life and not supported any more.


CREDITS

This issue was identified by Xiang Li from Network and Information Security
Lab at Tsinghua University and fixed by Hans Dedecker.


REFERENCES

 Development snapshot

  * netifd  https://git.openwrt.org/e857b097678d660c1121cd7ab8e753bb864970ab
  * odhcp6c https://git.openwrt.org/430154135106cbea6816a379774fd250a72a7063

 OpenWrt 19.07 release

  * netifd  https://git.openwrt.org/9999c87d3a3cf93344be99d314bdd63e2ca782f1
  * odhcp6c https://git.openwrt.org/250dbb3a60f334adc31587a3f6f75f2168df7cac
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20210208/bae70341/attachment.sig>


More information about the openwrt-devel mailing list