Security Advisory 2021-02-02-1 - netifd and odhcp6c routing loop on IPv6 point to point links (CVE-2021-22161)

In case a link prefix route points to a point-to-point link it can trigger a routing loop if the destination IPv6 address belongs to the prefix and is not a local IPv6 address. If such a packet is received and not directed to a local IPv6 address it will be routed back to the point-to-point link due to the link prefix route; the upstream ISP router will in its turn route the IPv6 packet back due to the assigned prefix route creating a “ping pong” effect.

The possible routing loop on point-to-point links (e.g PPP) can happen when router advertisements are received having at least one global unique IPv6 prefix for which the on-link flag is set. The WAN interface is assigned the global unique prefix (e.g. 2001:db8:1:0::/64) from which an IPv6 address is picked which will be installed on the wan interface (e.g. 2001:db8:1:0:5054:ff:feab:d87c/64).

As the on-link flag is set the prefix route 2001:db8:1::/64 will be present in the routing table which will route any packet with as destination 2001:db8:1::/64 to the WAN interface and will be routed back by the upstream router due to the WAN interface having been assigned the global unique prefix. Besides not installing the prefix route 2001:db8:1::/64 on point-to-point links adding an unreachable route is required to avoid the routing loop.

The WAN interface needs to be a point-to-point interface (e.g. PPP) and IPv6 router advertisement messages need to be received which contain at least one global unique IPv6 prefix for which the on-link flag is set.

You need to update the affected netifd and odhcp6c packages you're using with the command below.

 opkg update; opkg upgrade netifd; sleep 5; opkg upgrade odhcp6c

Then verify, that you're running fixed version.

 opkg list-installed netifd
 opkg list-installed odhcp6c

The above command should output following:

 netifd - 2021-01-09-753c351b-1 - for stable OpenWrt 19.07 release
 netifd - 2021-01-09-c00c8335-1 - for master/snapshot
 
 odhcp6c - 2021-01-09-64e1b4e7-16 - for stable OpenWrt 19.07 release
 odhcp6c - 2021-01-09-53f07e90-16 - for master/snapshot

The fix is contained in the following and later versions:

To our knowledge, OpenWrt version 19.07.0 to 19.07.6 are affected. The fixed packages will be integrated in the upcoming OpenWrt 19.07.7 release. Older versions of OpenWrt (e.g. OpenWrt 18.06, OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.

This issue was identified by Xiang Li from Network and Information Security Lab at Tsinghua University and fixed by Hans Dedecker.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/02/08 07:00
  • by ynezz