| Summary: | CVE-2011-3601, CVE-2011-3602, CVE-2011-3603, CVE-2011-3604, CVE-2011-3605: radvd security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Vigier <boklm> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, qa-bugs, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | | CVE: | |
| Status comment: | | | |
|
Description
Nicolas Vigier
2011-10-15 11:11:16 CEST
Nicolas Vigier
2011-10-15 11:12:05 CEST
Assignee: bugsquad => misc

*sic* yet another round of "let's find 5 cve in a software at a time".
I will take care of this, but the patches do not all apply cleanly ( and github is a pain as usual ).

Ok so I fixed the bugs. Here is the advisory :

Vasiliy Kulikov discovered a number of security vulnerabilities and some
other issues in radvd 1.8.1, and fixed some of them.
Mageia updated radvd for those flaws, and this update includes fixes for :
- CVE-2011-3601, privilege escalation due to a buffer overflow in process_ra()
- CVE-2011-3602, arbitrary file overwrite
- CVE-2011-3603, failure to drop privileges
- CVE-2011-3604, buffer overread and crashes
- CVE-2011-3605, temporary DOS in process_rs()
See http://seclists.org/oss-sec/2011/q4/30 for details,
and https://bugs.mageia.org/show_bug.cgi?id=3058 for link to patches.

For testing, I had a complete guide, but bugzilla decided to throw it away, so I will rather let people do their own research on the web and find one of the numerous radvd tutorials. Using rdisc6 and radvd, and 2 linux computers should be enough ( 2 vm would do the trick ).
Michael Scherer
2011-10-15 13:33:52 CEST
Assignee: misc => qa-bugs

x86_64
Before
------
So far..
# service radvd start
Starting IPv6 rtr adv daemon: [Oct 16 12:16:00] radvd: IPv6 forwarding seems to be disabled, exiting
[FAILED]
Enabling in MCC seems to have no effect.
# cat /proc/sys/net/ipv6/conf/all/forwarding
0
# echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
# cat /proc/sys/net/ipv6/conf/all/forwarding
1
# service radvd start
Starting IPv6 rtr adv daemon: [ OK ]
on another computer..
# rdisc6
-bash: rdisc6: command not found
# urpmi rdisc6
No package named rdisc6
# urpmi radvd
$MIRRORLIST: media/core/release/radvd-1.7-1.mga1.i586.rpm
installing radvd-1.7-1.mga1.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: radvd #############################################
# rdisc6
-bash: rdisc6: command not found
# urpmq rdisc6
No package named rdisc6
So, where do we find rdisc6??
Hi Claire, rdisc6 is in the package ndisc6. Don't ask me what the different first letters mean :)

Thanks Remmy..
# urpmi ndisc6
No package named ndisc6
Still no luck though! Sophie has never heard of it either. Is it not in Mageia 1?

Hmm, looks like you are right and it's only in Cauldron:
<remmy> :v ndisc6 -d Mageia
<Sophie> 1.0.1-1.mga2 // core-release (Mga, cauldron, i586)
<Sophie> 1.0.1-1.mga2 // core-release (Mga, cauldron, x86_64)
There's a first time for everything :D

Misc can you please let us know how to check radvd without rdisc6. Or do you wish to provide rdisc6 for mga1?
Thanks.

Assignee: qa-bugs => misc
claire robinson
2011-10-16 16:17:56 CEST
CC: (none) => qa-bugs

Testing complete on i586 for the srpm radvd-1.7-1.1.mga1.src.rpm
I copied rdisc6 from a Mandriva system to a vb guest running mageia 1, with radvd running on the mageia 1 host.

CC: (none) => davidwhodgins

Well, you can also just use tcpdump, but that will just show the message ( ie, the message about "i am a router, here is the ip address" ).
Another solution is just to plug a linux computer, and see the ip address with ifconfig ( it may take some time ).
For example :
wlan0 Link encap:Ethernet HWaddr 00:1C:B3:BE:CF:35
inet adr:192.168.15.237 Bcast:192.168.15.255 Masque:255.255.255.0
adr inet6: 2002:53fe:cd25:4:24c:bc3f:feeb:c35f/64 Scope:Global
adr inet6: fe80::21c:b3ff:febe:cf35/64 Scope:Lien
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
The first line "adr inet6" is the one that will appear after radvd sends the RA ( router announce ). The prefix ( 2002:53fe:cd25:4 ) is the one configured in radvd.
And regarding ndisc6 and rdisc6, that's just 2 tools, the first one to discover other computers ( think like arp, for ethernet/ipv4 ), and the second for ipv6 routers ( ie, something that runs radvd, or quagga ).
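
The ifconfig check described above can be scripted when rdisc6 is not available. The following is an added example, not part of the original thread or of radvd: it compares the prefix configured in radvd.conf with the addresses on the client. The radvd.conf text is constructed around the prefix quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed radvd.conf; only the prefix value comes from the comment above.
RADVD_CONF = """
interface wlan0
{
    AdvSendAdvert on;
    prefix 2002:53fe:cd25:4::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

# Client-side ifconfig lines as quoted above (French locale).
IFCONFIG_OUT = """
wlan0 Link encap:Ethernet HWaddr 00:1C:B3:BE:CF:35
inet adr:192.168.15.237 Bcast:192.168.15.255 Masque:255.255.255.0
adr inet6: 2002:53fe:cd25:4:24c:bc3f:feeb:c35f/64 Scope:Global
adr inet6: fe80::21c:b3ff:febe:cf35/64 Scope:Lien
"""

PREFIX_RE = re.compile(r"^\s*prefix\s+([0-9A-Fa-f:]+/\d+)", re.MULTILINE)
# Accepts the English ("inet6 addr:") and French ("adr inet6:") ifconfig labels.
ADDR_RE = re.compile(r"(?:inet6 addr|adr inet6):\s*([0-9A-Fa-f:]+)/\d+")

def configured_prefixes(conf_text):
    """Prefixes radvd is configured to advertise."""
    return [ipaddress.ip_network(p, strict=False) for p in PREFIX_RE.findall(conf_text)]

def addresses_per_prefix(conf_text, ifconfig_text):
    """Map each configured prefix to the non-link-local addresses inside it."""
    addrs = [ipaddress.ip_address(a) for a in ADDR_RE.findall(ifconfig_text)]
    addrs = [a for a in addrs if not a.is_link_local]
    return {str(net): [str(a) for a in addrs if a in net]
            for net in configured_prefixes(conf_text)}

def ra_applied(conf_text, ifconfig_text):
    """True only if every configured prefix produced an address on the client."""
    found = addresses_per_prefix(conf_text, ifconfig_text)
    return bool(found) and all(found.values())

if __name__ == "__main__":
    print(addresses_per_prefix(RADVD_CONF, IFCONFIG_OUT))
    print("RA applied:", ra_applied(RADVD_CONF, IFCONFIG_OUT))
```

A client that shows only its fe80:: address has not picked up the advertisement yet, and `ra_applied` returns False for it.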
Samuel Verschelde
2011-10-18 17:23:31 CEST
CC: (none) => stormi

x86_64
/etc/radvd.conf
prefix 3ffe:0302:0011:0002::0/64
{
AdvOnLink on;
AdvAutonomous on;
};
# ifconfig .. shows
eth0
inet6 addr: 3ffe:302:11:2:200:f0ff:fe79:2599/64 Scope:Global
so it appears to be working.
Update validated.
Advisory
--------------------
Vasiliy Kulikov discovered a number of security vulnerabilities and some
other issues in radvd 1.8.1, and fixed some of them.
Mageia updated radvd for those flaws, and this update includes fixes for :
- CVE-2011-3601, privilege escalation due to a buffer overflow in process_ra()
- CVE-2011-3602, arbitrary file overwrite
- CVE-2011-3603, failure to drop privileges
- CVE-2011-3604, buffer over-read and crashes
- CVE-2011-3605, temporary DOS in process_rs()
See http://seclists.org/oss-sec/2011/q4/30 for details,
and https://bugs.mageia.org/show_bug.cgi?id=3058 for link to patches.
-----------------------
Source RPM: radvd-1.7-1.1.mga1.src.rpm
Could sysadmin please push from core/updates_testing to core/updates
Thank you!

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED |