March 15, 2007, 9:42 AM — The security-conscious OpenBSD team has acknowledged that the operating system contains a serious security flaw in the code that handles IPv6 packets.
OpenBSD, descended from the Unix-derived BSD, is known for its strict security policies, and until this week its website boasted "Only one remote hole in the default install, in more than 10 years!" The notice has now been updated to "two."
The bug is due to a memory corruption in the "mbuf" handling of ICMP6 packets, which can cause a kernel panic or execute malicious code with kernel privileges, according to Core Security, which discovered the problem.
Security firm Secunia gave the bug a "highly critical" rating.
A mitigating factor is that attackers must be able to send fragmented ICMPv6 packets to the target local system.
"This requires direct physical/logical access to the target's local network -- in which case the attacking system does not need to have a working IPv6 stack -- or the ability to route or tunnel IPv6 packets to the target from a remote network," Core said.
The bug has been confirmed in versions 3.1 to 4.0, but more versions may be affected, Core said.
OpenBSD developers released a patch fixing the issue, and said administrators can also get around the problem by blocking all IPv6 packets at the firewall.
Core had to go to a certain amount of effort to get OpenBSD developers to acknowledge the seriousness of the flaw, which at first was only proven to shut down a system -- something OpenBSD doesn't consider a security issue.
"OpenBSD no longer uses the term 'vulnerability' when referring to bugs that lead to a remote denial of service attack," Core said in its advisory.
Eventually, Core developed proof-of-concept code demonstrating remote code execution in the kernel context, and the OpenBSD team updated their advisory to refer to the bug as a "vulnerability", Core said.
