Vigil@nce - Linux kernel: disabling of RFC 4941
November 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send several ICMPv6 prefix advertisement packets,
in order to make the process of temporary address creation fail,
which leads to disclosure of the host MAC address.
Impacted products: Linux
Severity: 1/4
Creation date: 15/11/2012
DESCRIPTION OF THE VULNERABILITY
Historically, IPv6 address auto-configuration is based on the host
MAC address, so an attacker can trace the history of the host
communications. The RFC 4941 defines a temporary address
allocation feature, which prevents this tracking.
These addresses are computed from the network address prefixes
announced by neighbor routers. However, when the number of
prefixes is larger than the kernel parameter ipv6.max_addresses
(default value: 16), an error happens in the routine
ipv6_create_tempaddr(), this error disables the RFC functionality.
An attacker can therefore send several ICMPv6 prefix advertisement
packets, in order to make the process of temporary address
creation fail, which leads to disclosure of the host MAC address.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-disabling-of-RFC-4941-12164