some security details

The article was prepared by Alexander Kolesnikov as part of the recruitment for a new course stream “Network engineer”.


IPv6 is the protocol used for addressing in modern networks. In this article we consider several scenarios in which the use of its features leads to the exploitation of vulnerabilities.

IPv6

The protocol has a rather complex structure and flexible capabilities; its full description can be found in the corresponding RFC 8200. The features we will be interested in are:

  • address types: unicast, anycast and multicast

  • the protocol is integrated into operating systems

  • it uses special packets (jumbograms) that can transfer 4 GB

Jumbogram Processing

This is the most impressive feature: it allows huge data packets to be transferred, but because of the large number of additions it makes to the packet structure, it can be a very problematic object for applications to parse. The following vulnerabilities confirm this:

  • CVE-2021-24086

  • CVE-2020-16898

  • CVE-2021-31379

  • CVE-2021-1387

And this is not a complete list, since only the most popular software and hardware solutions were taken. What can these vulnerabilities lead to? In all the examples above it is DDoS: operating systems enter exceptional states (BSOD, kernel panic), and devices reboot or partially fail.

What are the main problems? Almost always the vulnerabilities lie in the fact that the software algorithms that process network traffic do not expect fragmentation mechanisms to be used or large amounts of data to be transferred.

A small example from the list above is CVE-2021-24086. According to this repository, the problem lies in the processing of jumbograms.

If you refer to RFC 8200, you will find a description of the special fields of the IPv6 protocol, the Extension Headers:

From the figure you can see that all the headers follow one another in a chain: each header specifies which header comes next. It might seem that these are all the features the protocol has, but if you read further you will find that special data can be added along with the Extension Headers: the padding options. Referring to the same repository with the description of the vulnerability, you can find the script that is used to confirm that the vulnerability exists:

...
# Fragment of the PoC: Destination Options headers chained one after another,
# each filled with 255-byte PadN options
reassembled_pkt = IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
    ]) \
    / IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
    ]) \
    / IPv6ExtHdrDestOpt(options = [
        PadN(optdata=('a'*0xff)),
        PadN(optdata=('b'*0xff)),
        PadN(optdata=('c'*0xff)),
        PadN(optdata=('d'*0xff)),
        PadN(optdata=('e'*0xff)),
        PadN(optdata=('f'*0xff)),
        PadN(optdata=('0'*0xff)),
...

The packet fragment above contains data interspersed with Extension Headers and alignment (padding) data. Such a structure is unlikely to be used for normal data exchange, but the rules of the protocol still allow it.
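As an added defensive illustration (not code from the article or from the PoC repository): a small parser that walks the extension header chain described above, counts Pad1/PadN bytes in Hop-by-Hop and Destination Options headers, and flags packets shaped like the fragment above, i.e. several chained Destination Options headers filled with PadN. The byte layouts follow RFC 8200; the sample packets, the zeroed addresses and the thresholds are constructed assumptions.

```python
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Destination Options"}
PAD1, PADN = 0, 1
def padding_bytes(options):
    """Count bytes consumed by Pad1/PadN in a Hop-by-Hop or Destination Options body."""
    pad = i = 0
    while i < len(options):
        if options[i] == PAD1:                      # Pad1 is a single zero byte
            pad, i = pad + 1, i + 1
            continue
        length = options[i + 1] if i + 1 < len(options) else None
        if length is None or i + 2 + length > len(options):
            raise ValueError("option overruns header")
        pad += 2 + length if options[i] == PADN else 0
        i += 2 + length
    return pad

def walk_chain(pkt):
    """Return [(header name, padding bytes)] for each extension header in the chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 bytes; the others carry Hdr Ext Len in 8-octet units
        hlen = 8 if nh == 44 else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header overruns packet")
        pad = padding_bytes(pkt[off + 2:off + hlen]) if nh in (0, 60) else 0
        chain.append((EXT[nh], pad))
        nh, off = pkt[off], off + hlen
    return chain

def is_suspicious(pkt, max_dst=1, max_pad=64):
    """Flag more than max_dst Destination Options headers or more than max_pad padding bytes."""
    chain = walk_chain(pkt)
    dst = sum(1 for name, _ in chain if name == "Destination Options")
    return dst > max_dst or sum(pad for _, pad in chain) > max_pad

def dest_opts(next_hdr, padn_lengths):
    """Constructed sample: a Destination Options header filled with PadN options."""
    body = b"".join(bytes([PADN, n]) + bytes(n) for n in padn_lengths)
    body += bytes(-(2 + len(body)) % 8)            # Pad1 bytes up to an 8-octet multiple
    return bytes([next_hdr, (2 + len(body)) // 8 - 1]) + body

def ipv6(ext, first_nh):
    """Constructed fixed IPv6 header (addresses zeroed) followed by the extension headers."""
    return bytes([0x60, 0, 0, 0]) + len(ext).to_bytes(2, "big") + bytes([first_nh, 64]) + bytes(32) + ext
NORMAL = ipv6(dest_opts(59, [4]), 60)                              # one small PadN, then No Next Header
CHAINED = ipv6(dest_opts(60, [0xFF]) + dest_opts(59, [0xFF]), 60)  # two padded headers, like the PoC
```

The thresholds are a starting point for an IDS rule or a capture filter, not protocol limits: legitimate traffic rarely carries more than one Destination Options header or more than a few padding bytes.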

IPv6 scanning

An interesting feature of the protocol is the ability to use special addresses to find machines and devices on the network. Thanks to multicast, you can learn information about the topology and the roles of network nodes. Addresses that can be used:

Address      Description
ff02::1      All nodes on the local network segment
ff02::2      All routers on the local network segment
ff02::5      OSPFv3 All SPF routers
ff02::6      OSPFv3 All DR routers
ff02::8      IS-IS for IPv6 routers
ff02::9      RIP routers
ff02::a      EIGRP routers
ff02::d      PIM routers
ff02::16     MLDv2 reports
ff02::1:2    All DHCP servers and relay agents on the local network segment
ff02::1:3    All LLMNR hosts on the local network segment
ff05::1:3    All DHCP servers on the local network site
ff0x::c      Simple Service Discovery Protocol
ff0x::fb     Multicast DNS
ff0x::101    Network Time Protocol
ff0x::108    Network Information Service
ff0x::181    Precision Time Protocol (PTP) version 2 messages except peer delay measurement
ff02::6b     Precision Time Protocol (PTP) version 2 peer delay measurement messages
ff0x::114    Experimental

mitm6

In any operating system there are two kinds of interfaces, IPv4 and IPv6; unless the setting is configured separately, the prioritization is such that IPv6 will be used first.

The most popular tool for compromising this default configuration is mitm6. Using the functions of the IPv6 protocol, the tool changes the data related to the DNS server configuration of operating systems. As a result, mitm6 can be used to create the conditions for man-in-the-middle attacks in networks with IPv6.

Conclusion

As the examples show, using the protocol requires special attention when configuring device interfaces and operating systems. A network engineer should therefore set up continuous monitoring of data on vulnerabilities found in the network stacks of devices and operating systems, in order to maintain the required level of network security against newly emerging threats. This can be done through services such as this one.


We invite everyone to the Demo Day of the “Network engineer” course. At this meeting you will have the opportunity to meet the teacher, learn more about the program and the format of the training, and ask all your questions. Registration for the event is here.
