Show pagesourceOld revisionsBacklinksBack to top × Table of Contents Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161) DESCRIPTION REQUIREMENTS MITIGATIONS AFFECTED VERSIONS CREDITS REFERENCES Development snapshot OpenWrt 19.07 release Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161) DESCRIPTION In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a “ping pong” effect. The possible routing loop on point-to-point links (e.g PPP) can happen when router advertisements are received having at least one global unique IPv6 prefix for which the on-link flag is set. The WAN interface is assigned the global unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked which will be installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64). As the on-link flag is set the prefix route 2001:db8:1::/64 will be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and will be routed back by the upstream router due to the WAN interface having been assigned the global unique prefix. Besides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop. REQUIREMENTS The WAN interface needs to be a point-to-point interface (e.g. PPP) and IPv6 router advertisement messages need to be received which contain at least one global unique IPv6 prefix for which the on-link flag is set. MITIGATIONS You need to update the affected netifd and odhcp6c packages you're using with the command below. opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c Then verify, that you're running fixed version. opkg list-installed netifd opkg list-installed odhcp6c The above command should output following: netifd - 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release netifd - 2021-01-09-c00c8335-1 - for master/snapshot odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot The fix is contained in the following and later versions: OpenWrt 19.07: 2021-01-17 (fixed by v19.07.6-4-g250dbb3a60f3 and v19.07.6-5-g9999c87d3a3c) OpenWrt master: 2021-01-09 (fixed by reboot-15532-ge857b097678d and reboot-15531-g430154135106) AFFECTED VERSIONS To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.7 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more. CREDITS This issue was identified by Xiang Li from Network and Information Security Lab at Tsinghua University and fixed by Hans Dedecker. REFERENCES Development snapshot netifd e857b097678d660c1121cd7ab8e753bb864970ab odhcp6c 430154135106cbea6816a379774fd250a72a7063 OpenWrt 19.07 release netifd 9999c87d3a3cf93344be99d314bdd63e2ca782f1 odhcp6c 250dbb3a60f334adc31587a3f6f75f2168df7cac This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.OKMore information about cookies Last modified: 2021/02/08 02:00by ynezz