IPv6 Focus Month: Kaspersky Firewall IPv6 Vulnerability

Published: 2013-03-13
Last Updated: 2013-03-13 23:52:34 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Kasperksy today released an update to its personal firewall product for Windows. The patched vulnerability fits very nicely into our current focus on IPv6. 

A packet with a large "Destination Header" caused the firewall to crash and drop all traffic. 

IPv6 uses a very minimal IP header. Instead of providing space for options or fragmentation fields, many of these features are now fulfilled by extension headers. As a rule of thumb, most of your packets passing a firewall will not use extension headers. But extension headers do pose a challenge to firewalls.

In IPv4, following the IPv4 header is typically a transport protocol header like TCP or UDP. A firewall needs to collect information from IP as well as transport protocol header in order to make its filtering decission. For IPv4, the maximum IPv4 header size is 60 bytes and another 60 bytes can be used for the TCP header. 

In IPv6, one or more extension headers may be inserted between IPv6 and transport header. Some of these extension headers can be up to 2kBytes in length. As a result, firewalls need to inspect more data in order to make a filter decision about the packet. 

The vulnerability in Kasperky's product was found using the THC IPv6 test suite. It includes a tool "firewall6" that can be used to create various odd and malformed IPv6 packet to test firewalls. Several of the options (for example test 18 and 19) produce packets will destination headers exceeding 2,000 bytes. These tests crashed Kaspersky's firewall.

An exerpt from a packet created by test 19 is shown below:

 

Internet Protocol Version 6, Src: fe80::20c:29ff:fe27:cb5a (fe80::20c:29ff:fe27:cb5a), Dst: ff02::1 (ff02::1)
    0110 .... = Version: 6
    Next header: IPv6 fragment (44)
    Hop limit: 255
    Destination: ff02::1 (ff02::1)
    Fragmentation Header
    Destination Option
        Next header: IPv6 destination option (60)
        Length: 254 (2040 bytes)
        IPv6 Option (Pad1)
    ....
 
The "Next Header" field in the IPv6 header is a fragmentation header. The packet was too larger for the local MTU of 1,500 bytes. The fragmentation header is then followed by a fragemented, large, destination header. The destination header only contains "PAD" options used to fill the 2,040 bytes.
 
This particular test also sets the next header field of the destiation header to "destination header" promissing two destination headers following each other, but this appears to be not the trigger (other tests that crash Kaspersky do not have this feature, but the long DH is common to all of them).
 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 comment(s)

Comments

I'm slowing going from "F IPv6" to "IPv6 isn't so bad" with each diary. Keep them coming.

Diary Archives