Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161)
DESCRIPTION
In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a “ping pong” effect.
The possible routing loop on point-to-point links (e.g PPP) can happen when router advertisements are received having at least one global unique IPv6 prefix for which the on-link flag is set. The WAN interface is assigned the global unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked which will be installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64).
As the on-link flag is set the prefix route 2001:db8:1::/64 will be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and will be routed back by the upstream router due to the WAN interface having been assigned the global unique prefix. Besides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop.
REQUIREMENTS
The WAN interface needs to be a point-to-point interface (e.g. PPP) and IPv6 router advertisement messages need to be received which contain at least one global unique IPv6 prefix for which the on-link flag is set.
MITIGATIONS
You need to update the affected netifd and odhcp6c packages you're using with the command below.
opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c
Then verify, that you're running fixed version.
opkg list-installed netifd opkg list-installed odhcp6c
The above command should output following:
netifd - 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release netifd - 2021-01-09-c00c8335-1 - for master/snapshot odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot
The fix is contained in the following and later versions:
- OpenWrt 19.07: 2021-01-17 (fixed by v19.07.6-4-g250dbb3a60f3 and v19.07.6-5-g9999c87d3a3c)
- OpenWrt master: 2021-01-09 (fixed by reboot-15532-ge857b097678d and reboot-15531-g430154135106)
AFFECTED VERSIONS
To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.7 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.
CREDITS
This issue was identified by Xiang Li from Network and Information Security Lab at Tsinghua University and fixed by Hans Dedecker.