Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1203712 (CVE-2015-2922)

Summary: CVE-2015-2922 kernel: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements.
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aquini, bhu, carnil, ccoleman, dhoward, dmcphers, fhrbata, iboverma, jialiu, joelsmith, jokerman, jross, kernel-mgr, lmeyer, matt, mcressma, mmccomas, nmurray, plougher, ppandit, rvrbovsk, security-response-team, spider, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that the Linux kernel's TCP/IP protocol suite implementation for IPv6 allowed the Hop Limit value to be set to a smaller value than the default one. An attacker on a local network could use this flaw to prevent systems on that network from sending or receiving network packets.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:40:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1208496, 1208491, 1208492, 1208493, 1208494, 1208498, 1209410, 1209411, 1210172, 1210173    
Bug Blocks:    
Attachments:
Description Flags
linux-3.18-ipv6-hop_limit.patch none

Description Vasyl Kaigorodov 2015-03-19 14:03:03 UTC 
Linux kernel built with the IPv6 networking support(CONFIG_IPV6) is vulnerable to setting its 'hop_limit' too low, via the neighbour discovery protocol. It could result in thwarting the IPv6 functionality.

An unprivileged user on a local network could use this flaw to cause DoS to a remote system.

Upstream fix:
-------------
  -> https://git.kernel.org/linus/6fd99094de2b83d1d4c8457f2c83483b2828e75a

Reference:
----------
  -> http://www.openwall.com/lists/oss-security/2015/04/04/2
Comment 1 Vasyl Kaigorodov 2015-03-19 14:17:22 UTC 
Created attachment 1003851 [details]
linux-3.18-ipv6-hop_limit.patch
Comment 2 Vasyl Kaigorodov 2015-03-19 14:19:15 UTC 
In the attachment there is a patch for the Linux kernel that fixes this issue.

Other suggested mitigations:
* Disallowing Router Advertisements on a Switch level (RA filtering)
* Dropping Router Advertisements that do not contain a network/route
* Dropping Router Advertisements with short hop limits (hop limit < 40 or similar)

Other interesting combinations is to send "route removal" packet (timeout = 0 )  in combination.
Reported found that it isn't necessary, but most code paths will then delete the route if it finds it, even if it's not getting the "drop route" message from the host that advertised the route.
Comment 3 Prasad Pandit 2015-04-02 11:36:44 UTC 
Statement:

This issue affects the versions of the Linux kernel as shipped with
Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2. Future kernel
updates for Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2 may
address this issue.

Red Hat Enterprise Linux 5 is now in Production 3 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Comment 5 Prasad Pandit 2015-04-02 11:46:12 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1208491]
Comment 11 Fedora Update System 2015-04-22 22:46:53 UTC 
kernel-3.19.4-100.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2015-04-22 22:54:25 UTC 
kernel-3.19.4-200.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2015-04-23 16:07:15 UTC 
kernel-4.0.0-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-07-14 15:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1221 https://rhn.redhat.com/errata/RHSA-2015-1221.html
Comment 15 errata-xmlrpc 2015-08-05 18:49:27 UTC 
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2015:1564 https://rhn.redhat.com/errata/RHSA-2015-1564.html
Comment 16 errata-xmlrpc 2015-08-05 20:13:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1565 https://access.redhat.com/errata/RHSA-2015:1565
Comment 17 errata-xmlrpc 2015-08-06 02:42:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1534 https://rhn.redhat.com/errata/RHSA-2015-1534.html