July 26, 2014

Microsoft Haven’t Fixed Year Old IPv6 DoS Vulnerability in Windows

CVE-2010-4669 describes a vulnerability in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Microsoft Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Using a simple tool like flood_router6 from the thc-ipv6 package a remote attacker can cause a denial of service (CPU consumption and system hang) by sending multiple Router Advertisement (RA) messages with different source addresses.

The problem is that updating the routing tables and configuring IPv6 addresses requires a lot of CPU resources (i.e. 100%). If a network is flooded with random router announcements, Windows, and other operating systems such as FreeBSD, struggle to update their routing tables. The denial of service remains in effect until the flooding is terminated.
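The signature described above, many Router Advertisements arriving from distinct link-local source addresses in a short window, is easy to spot on the wire. The following is an added example, not code from the original post or from thc-ipv6: a small Python check run over constructed RA observations (the tuple layout, window and threshold are assumptions).

```python
from collections import deque

# Constructed RA observations, one per ICMPv6 type 134 packet as a capture
# tool might report them: (timestamp in seconds, source address, prefix).
# Not real traffic: two RAs from the legitimate router, then a burst of
# 200 RAs each from a different made-up source and prefix.
SAMPLE_RAS = [
    (0.00, "fe80::1", "2001:db8:1::/64"),
    (0.50, "fe80::1", "2001:db8:1::/64"),
] + [
    (1.0 + i * 0.01, f"fe80::beef:{i:x}", f"2001:db8:{i:x}::/64")
    for i in range(1, 201)
]

WINDOW_SECONDS = 5.0
MAX_DISTINCT_ROUTERS = 10   # a LAN normally has one or two routers, not dozens


def detect_ra_flood(events, window=WINDOW_SECONDS, threshold=MAX_DISTINCT_ROUTERS):
    """Return a list of (timestamp, distinct_sources) for each moment the number
    of distinct RA source addresses seen within the trailing window first exceeds
    the threshold. A single legitimate router never trips it."""
    recent = deque()      # (timestamp, source) still inside the window
    per_source = {}       # source -> RA count currently inside the window
    alerts = []
    alerted = False
    for ts, src, _prefix in events:
        recent.append((ts, src))
        per_source[src] = per_source.get(src, 0) + 1
        # Drop observations that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            _old_ts, old_src = recent.popleft()
            per_source[old_src] -= 1
            if per_source[old_src] == 0:
                del per_source[old_src]
        distinct = len(per_source)
        if distinct > threshold and not alerted:
            alerts.append((ts, distinct))   # raise once per flood, not per packet
            alerted = True
        elif distinct <= threshold:
            alerted = False                 # flood has subsided; re-arm
    return alerts


if __name__ == "__main__":
    for ts, n in detect_ra_flood(SAMPLE_RAS):
        print(f"t={ts:.2f}s: {n} distinct RA sources in {WINDOW_SECONDS:.0f}s window")
```

The same check can feed an alert on the switch or sensor that sees the segment; the long-term fix for the hosts themselves is what the vendors discussed below have yet to ship.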

With the inevitable move to IPv6, this issue, which has been known for nearly a year, is becoming more and more critical. The problem seems to be that Microsoft and other IPv6 vendors aren’t offering much in the way of solutions.

Juniper Networks, the high-performance switch manufacturer, have gone on record to say that they are not fixing this issue until the IETF working group has a proposal for a standard way to fix it. We assume Microsoft are following the same thinking.

More information on the vulnerability is available here and here. Below is a video showing the attack in progress:

Note: The Live Hacking Ethical Hacking and Penetration DVD contains the flood_router6 tool.