CoreLabs discovered that the OpenBSD kernel contains a memory corruption vulnerability in the code that handles IPv6 packets. Exploitation of this vulnerability can result in a complete system compromise when the remote execution of arbitrary code at the kernel level on the vulnerable systems is performed. Vulnerable systems may also be subject to remote denial of service attacks due to failed attempts to exploit the vulnerability, which can be triggered by sending a specially-crafted IPv6 fragmented packet. OpenBSD systems are vulnerable as the default kernel has IPv6 enabled and does not filter inbound IPv6 packets. The attack vector requires direct access or IPv6 connectivity to the local network.
The following operating system versions are confirmed to be vulnerable:
” OpenBSD 4.1, prior to February 26, 2006
” OpenBSD 4.0
” OpenBSD 3.9
” OpenBSD 3.8
” OpenBSD 3.6
” OpenBSD 3.1
All other versions of OpenBSD that support the IPv6 protocol stack are also believed to be vulnerable.
To address this vulnerability, users of OpenBSD should immediately apply the source code patch and recompile the kernel. Pre-compiled kernel binaries for OpenBSD 4.1, 4.0 and 3.9 are available at OpenBSD’s website.
The patch is available at the the OpenBSD FTP site.
Core Security advises that, as a work-around for users who cannot deploy the OpenBSD patch or those who do not need to process or route IPv6 traffic on their systems, all inbound IPv6 packets can be blocked by using OpenBSD’s firewall.
For more information about this vulnerability and the systems affected, please visit: http://www.coresecurity.com/?action=item&id=1703