Overview
A vulnerability in some implementations of the IPv6 Neighbor Discovery Protocol may allow a nearby attacker to intercept traffic or cause congested links to become overloaded.
Description
IPv6 networks use the Neighbor Discovery Protocol (NDP) to detect and locate routers and other on-link IPv6 nodes. NDP uses ICMPv6 types 133, 134, 135, and 136. Neighbor solicitation (type 135) messages are used by NDP to discover and determine the reachability of nearby IPv6 nodes. Nodes that can send each other NDP messages are considered to be on-link (as per RFC 4861). After receiving a neighbor solicitation request from a system that is on-link and is using a spoofed IPv6 address as the source address, a router will create a neighbor cache entry. When this entry is made, some IPv6 implementations will create a Forwarding Information Base (FIB) entry. This FIB entry may cause the router to incorrectly forward traffic to the device that sent the original spoofed neighbor solicitation request.
Impact
An attacker may be able to intercept private network traffic. Receiving the traffic may cause links to become congested or saturated due to the additional bandwidth. Administrators are encouraged to read RFC 3756 for more information about other possible vulnerabilities and impacts.
Solution
Consider the workarounds below and consult your vendor.
Block packets with illogical source addresses
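The following is an added example, not part of the original note and not any vendor's code. It shows the receiver-side check the description implies: before a neighbor solicitation is allowed to create a neighbor cache entry, its IPv6 source address must fall inside a prefix that is actually on-link for the receiving interface. The prefix `2001:db8:1::/64`, all function names, and the sample packets are assumptions made for the example; the parser assumes ICMPv6 directly follows the IPv6 header and does not verify the checksum.

```python
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
NEIGHBOR_SOLICITATION = 135

# Assumed on-link prefixes of the receiving interface (documentation prefix).
ON_LINK_PREFIXES = [ipaddress.ip_network("2001:db8:1::/64")]


def parse_ns(packet):
    """Return (src, dst, hop_limit, target) for a neighbor solicitation, else None."""
    if len(packet) < 40 + 24:          # IPv6 header + minimum NS length
        return None
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6 or nxt != ICMPV6_NEXT_HEADER:
        return None                    # not IPv6, or an extension header is present
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:40 + plen]
    if len(icmp) < 24 or icmp[0] != NEIGHBOR_SOLICITATION or icmp[1] != 0:
        return None
    target = ipaddress.IPv6Address(icmp[8:24])
    return src, dst, hlim, target


def source_is_on_link(src, prefixes):
    """A source is plausible if it is link-local or inside a configured prefix."""
    return src.is_link_local or any(src in prefix for prefix in prefixes)


def should_create_neighbor_entry(packet, prefixes=ON_LINK_PREFIXES):
    """Return (decision, reason) for one received packet."""
    parsed = parse_ns(packet)
    if parsed is None:
        return False, "not a well-formed neighbor solicitation"
    src, _dst, hlim, target = parsed
    if hlim != 255:
        # RFC 4861 validity check: the packet crossed a router.
        return False, "hop limit is not 255"
    if target.is_multicast:
        return False, "target address is multicast"
    if src.is_unspecified:
        # Duplicate address detection probe: no cache entry is created.
        return False, "unspecified source, no cache entry"
    if not source_is_on_link(src, prefixes):
        # The case from the description: the sender is physically on-link
        # but claims an address that does not belong to this link.
        return False, "source %s is not covered by any on-link prefix" % src
    return True, "source is on-link"


def sample_ns(src, target, hop_limit=255):
    """Constructed test input: IPv6 header plus NS, checksum left at zero."""
    icmp = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0)
    icmp += ipaddress.IPv6Address(target).packed
    icmp += bytes([1, 1]) + bytes.fromhex("020000000001")  # source link-layer option
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
    dst = ipaddress.IPv6Address("ff02::1:ff00:1")           # solicited-node multicast
    return header + ipaddress.IPv6Address(src).packed + dst.packed + icmp


if __name__ == "__main__":
    router = "2001:db8:1::1"
    for label, pkt in [
        ("in-prefix source", sample_ns("2001:db8:1::50", router)),
        ("link-local source", sample_ns("fe80::50", router)),
        ("off-prefix source", sample_ns("2001:db8:99::50", router)),
        ("hop limit 64", sample_ns("2001:db8:1::50", router, hop_limit=64)),
    ]:
        print(label, should_create_neighbor_entry(pkt))
```
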
Vendor Information
Apple Computer, Inc. Affected
Notified: July 30, 2008 Updated: March 12, 2009
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See http://support.apple.com/kb/HT3467 for more information.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Extreme Networks Affected
Notified: July 30, 2008 Updated: April 27, 2009
Statement Date: April 24, 2009
Status
Affected
Vendor Statement
IPv6 enabled Extreme Networks products running EXOS software are affected by this vulnerability.
This issue is being tracked by PD4-693410691 for Extreme Networks products running EXOS software.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Force10 Networks, Inc. Affected
Notified: July 30, 2008 Updated: September 30, 2008
Statement Date: July 31, 2008
Status
Affected
Vendor Statement
Vendor Information
IPv6 enabled Force10 routers running FTOS are affected by this vulnerability. The issue has been identified and fixed in our release E7.7.1.1 and all future releases. For a detailed description, impact, workaround and available fix, please visit our website at https://www.force10networks.com/csportal20/KnowledgeBase/FieldAlerts.aspx to view the complete text of the Field Alert.
FreeBSD, Inc. Affected
Notified: July 30, 2008 Updated: October 02, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The FreeBSD Security Team has released the FreeBSD Security Advisory FreeBSD-SA-08:10.nd6 in response to this issue.
Addendum
See http://security.freebsd.org/patches/SA-08:10/nd6-7.patch for more information.
IBM Corporation (zseries) Affected
Notified: July 30, 2008 Updated: August 05, 2008
Statement Date: July 30, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Juniper Networks, Inc. Affected
Notified: July 30, 2008 Updated: October 02, 2008
Statement Date: October 02, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Juniper has posted a Security Bulletin about this issue addressing the security issues identified by VU#472363.
More information is available to registered customers at https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-036&viewMode=view
NetBSD Affected
Notified: July 30, 2008 Updated: October 29, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
See ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-013.txt.asc/ for more information.
OpenBSD Affected
Notified: July 30, 2008 Updated: October 03, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
See http://openbsd.org/errata43.html#006_ndp for more information.
Wind River Systems, Inc. Affected
Notified: July 30, 2008 Updated: November 03, 2008
Statement Date: October 31, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Wind River has analyzed VU#472363, and determined that VxWorks versions 6.5 and higher are not affected. However, VxWorks versions 5.x through 6.4 are affected. Registered users can access Wind River's online support for patches and more information by following this link:
https://portal.windriver.com/cgi-bin/windsurf/downloads/view_binary.cgi?binaryid=118544
Or contact Wind River technical support for more information:
http://windriver.com/support/
3com, Inc. Not Affected
Notified: July 30, 2008 Updated: September 29, 2008
Statement Date: September 26, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Cisco Systems, Inc. Not Affected
Notified: July 30, 2008 Updated: November 07, 2008
Status
Not Affected
Vendor Statement
This is to confirm that no Cisco products are affected by the vulnerability described in Vulnerability Note VU#472363 titled: "IPv6 implementations insecurely update Forward Information Base".
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Computer Associates Not Affected
Notified: July 30, 2008 Updated: October 02, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Computer Associates eTrust Security Management Not Affected
Notified: July 30, 2008 Updated: October 02, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
D-Link Systems, Inc. Not Affected
Notified: July 30, 2008 Updated: September 29, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Debian GNU/Linux Not Affected
Notified: July 30, 2008 Updated: October 02, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Enterasys Networks Not Affected
Notified: July 30, 2008 Updated: September 26, 2008
Statement Date: September 25, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Enterasys has researched CERT VU#472363 and concluded that none of the current Enterasys products are vulnerable. To ensure the highest level of security and as an extra precaution, Enterasys recommends being proactive by following network security and product configuration best practices.
F5 Networks, Inc. Not Affected
Notified: July 30, 2008 Updated: September 18, 2008
Statement Date: September 18, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Foundry Networks, Inc. Not Affected
Notified: July 30, 2008 Updated: October 02, 2008
Statement Date: October 01, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
McAfee Not Affected
Notified: July 30, 2008 Updated: September 18, 2008
Statement Date: September 18, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Microsoft Corporation Not Affected
Notified: July 30, 2008 Updated: October 01, 2008
Status
Not Affected
Vendor Statement
After investigating this report, we determined this issue does not directly affect any Microsoft products.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Openwall GNU/*/Linux Not Affected
Notified: July 30, 2008 Updated: August 13, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Openwall GNU/*/Linux does not officially support IPv6. We do not have IPv6 support enabled in our kernels by default (nor can the corresponding kernel module possibly get auto-loaded, which would be a concern on some other Linux systems - we also do not support module auto-loading). While it is probably possible to configure an Openwall GNU/*/Linux system with a custom kernel build such that it would be vulnerable, anyone doing so is acting on his/her own.
PePLink Not Affected
Notified: July 30, 2008 Updated: September 19, 2008
Statement Date: September 19, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Q1 Labs Not Affected
Notified: July 30, 2008 Updated: August 04, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Quagga Not Affected
Notified: July 30, 2008 Updated: July 31, 2008
Statement Date: July 30, 2008
Status
Not Affected
Vendor Statement
Quagga is not impacted.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
RadWare, Inc. Not Affected
Notified: July 30, 2008 Updated: July 31, 2008
Statement Date: July 31, 2008
Status
Not Affected
Vendor Statement
We are not affected.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Red Hat, Inc. Not Affected
Notified: July 30, 2008 Updated: July 31, 2008
Statement Date: July 31, 2008
Status
Not Affected
Vendor Statement
We would like to inform you that Red Hat Enterprise Linux is not affected by
this vulnerability as we never had any code that added routes in response to
ndisc solicitations.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Redback Networks, Inc. Not Affected
Notified: July 30, 2008 Updated: September 29, 2008
Statement Date: September 26, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
SUSE Linux Not Affected
Notified: July 30, 2008 Updated: October 07, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
To the best of our knowledge Linux and therefore SUSE Linux based products are not affected by this problem.
SmoothWall Not Affected
Notified: July 30, 2008 Updated: September 19, 2008
Statement Date: September 19, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sun Microsystems, Inc. Not Affected
Notified: July 30, 2008 Updated: July 31, 2008
Statement Date: July 30, 2008
Status
Not Affected
Vendor Statement
Solaris IPv6 implementation is not vulnerable to this issue.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
TippingPoint, Technologies, Inc. Not Affected
Notified: July 30, 2008 Updated: September 29, 2008
Statement Date: September 26, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
m0n0wall Not Affected
Notified: July 30, 2008 Updated: August 05, 2008
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
AT&T Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Alcatel-Lucent Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Avaya, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Barracuda Networks Unknown
Notified: September 18, 2008 Updated: September 18, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Belkin, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Borderware Technologies Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Bro Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CIAC Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Charlotte's Web Networks Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Check Point Software Technologies Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Clavister Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Conectiva Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Cray Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Data Connection, Ltd. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
DragonFly BSD Project Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
EMC Corporation Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Engarde Secure Linux Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ericsson Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fedora Project Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fortinet, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Fujitsu Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Gentoo Linux Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Global Technology Associates Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Google Unknown
Notified: August 22, 2008 Updated: August 22, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Guidance Software, Inc. Unknown
Notified: August 22, 2008 Updated: August 22, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hewlett-Packard Company Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hitachi Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Hyperchip Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM Corporation Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IBM eServer Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IP Filter Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
IP Infusion, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ingrian Networks, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intel Corporation Unknown
Notified: September 18, 2008 Updated: September 18, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Internet Security Systems, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Intoto Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Linux Kernel Archives Unknown
Notified: August 22, 2008 Updated: August 22, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Luminous Networks Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Mandriva, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Miredo Unknown
Notified: August 04, 2008 Updated: August 04, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
MontaVista Software, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Multitech, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NEC Corporation Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NetApp Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
NextHop Technologies, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nokia Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Nortel Networks, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Novell, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Process Software Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
QNX, Software Systems, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Secure Computing Network Security Division Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Secureworx, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Silicon Graphics, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Slackware Linux Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Snort Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Soapstone Networks Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sony Corporation Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sourcefire Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Stonesoft Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Symantec, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
The SCO Group Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Turbolinux Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
U4EA Technologies, Inc. Unknown
Notified: September 18, 2008 Updated: September 18, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Ubuntu Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Unisys Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vyatta Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Watchguard Technologies, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ZyXEL Unknown
Notified: July 30, 2008 Updated: October 02, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
eSoft, Inc. Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
netfilter Unknown
Notified: July 30, 2008 Updated: July 30, 2008
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 0 | AV:--/AC:--/Au:--/C:--/I:--/A:-- |
Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |
References
- http://tools.ietf.org/html/rfc4861
- http://tools.ietf.org/html/rfc4861#section-2.1
- http://www.ietf.org/rfc/rfc2461.txt
- http://www.ietf.org/rfc/rfc3756.txt
- http://www.ietf.org/rfc/rfc3177.txt
- http://tools.ietf.org/html/rfc3971
- http://docs.sun.com/app/docs/doc/817-0573/6mgc65bb6?a=view
- http://msdn.microsoft.com/en-us/library/ms900123.aspx
- http://en.wikipedia.org/wiki/Forwarding_Information_Base#FIBs_in_Ingress_Filtering_against_Denial_of_Service
- http://en.wikipedia.org/wiki/Reverse_path_forwarding
- http://www.openbsd.org/faq/pf/filter.html#antispoof
Acknowledgements
Thanks to David Miles for reporting this vulnerability. Numerous vendors and others also provided technical information that was used in this report.
This document was written by Ryan Giobbi, Evan Wright, Chad Dougherty, and Art Manion.
Other Information
CVE IDs: CVE-2008-4404, CVE-2008-2476
Severity Metric: 2.70
Date Public: 2008-10-02
Date First Published: 2008-10-02
Date Last Updated: 2009-04-27 12:04 UTC
Document Revision: 99