Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OpenBSD IPv6 remote vulnerability

Published: 2007-03-14
Last Updated: 2007-03-14 08:58:09 UTC
by Swa Frantzen (Version: 2)
0 comment(s)
OpenBSD 3.9 and 4.0 have fixed an issue to correct a problem in the IPv6 stack.

Source code patches are available at:
For  workarounds, and if you do not need IPv6, you can use the following (it will block all IPv6):

# vi /etc/pf.conf
Add a line:
block drop in inet6 all
# pfctl -f /etc/pf.conf
To load the new rules in the pf packet filter
# pfctl -s rules
Check the rule got loaded in the runtime rules.
The workaround does disable all incoming IPv6 packets on the machine.

The patch itself is a kernel patch, so you will need to recompile a kernel, install it and reboot the affected machines.

Update (Arrigo): the 3.9 patch applies cleanly to the 3.8, 3.7 and even 3.0 trees.  No excuse not to patch older systems!
--
Swa Frantzen -- NET2S
Keywords:
0 comment(s)
Diary Archives