12 February 2018

Remote code execution in NetBSD – nasty and potentially wormable bug


Today we issued a very rare security advisory, SB2018021210, on two remotely exploitable vulnerabilities in NetBSD.

One of the most secure operating systems in the world has today issued two security patches for remotely exploitable vulnerabilities. Both vulnerabilities reside in code related to the IPv6 implementation.

All supported versions of NetBSD are affected by both vulnerabilities. Users who are still running NetBSD 5.x should immediately disable IPv6 support and consider upgrading to a supported version of the operating system.

These vulnerabilities are pretty nasty because IPv6 support is enabled by default in NetBSD, so all kernels compiled from the GENERIC kernel config are vulnerable.

Let’s take a short look at the patched vulnerabilities:

1) Denial of service vulnerability in the IPsec implementation

According to the vendor’s advisory, the vulnerability allows a remote attacker to cause a buffer overflow that overwrites memory with zeros. An attacker can send a specially crafted IPsec IPv6-AH packet containing a suboption of length zero and trigger a buffer overflow that fills with zeros an area extending beyond the buffer that holds the packet.
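The advisory describes a zero-fill that runs past the packet buffer. As an added illustration (not NetBSD's code and not taken from the vendor patch), the routine below zeroes mutable IPv6 option data before an AH integrity check, as RFC 4302 specifies, and rejects any option whose length would carry the write past the header. The function name and the sample bytes are hypothetical; the option layout follows RFC 8200.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD1    0x00 /* RFC 8200: single-byte padding, no length octet */
#define OPT_MUTABLE 0x20 /* RFC 8200: option data may change en route */

/*
 * Zero the data of mutable options in one hop-by-hop or destination
 * options header. hdr points at the header; buf_len bytes are valid.
 * Returns 0 on success, -1 if the header is malformed (nothing past
 * the declared header length is ever written).
 */
int zero_mutable_options(uint8_t *hdr, size_t buf_len)
{
    if (buf_len < 2)
        return -1;
    /* Hdr Ext Len counts 8-octet units beyond the first 8 octets. */
    size_t hdr_len = ((size_t)hdr[1] + 1) * 8;
    if (hdr_len > buf_len)
        return -1;
    size_t off = 2;                      /* skip Next Header, Hdr Ext Len */
    while (off < hdr_len) {
        uint8_t type = hdr[off];
        if (type == OPT_PAD1) {          /* one byte, always makes progress */
            off++;
            continue;
        }
        if (hdr_len - off < 2)           /* no room for the length octet */
            return -1;
        size_t opt_len = hdr[off + 1];
        if (opt_len > hdr_len - off - 2) /* data would run past the header */
            return -1;
        if (type & OPT_MUTABLE)
            memset(hdr + off + 2, 0, opt_len);
        off += 2 + opt_len;              /* advances even when opt_len == 0 */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: mutable option 0x3E (len 2), then PadN (len 0). */
    uint8_t pkt[8] = {59, 0, 0x3E, 2, 0xAA, 0xBB, 0x01, 0x00};
    int rc = zero_mutable_options(pkt, sizeof pkt);
    printf("rc=%d data=%02x%02x\n", rc, pkt[4], pkt[5]);
    return rc == 0 ? 0 : 1;
}
```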

2) Remote memory corruption in the IPv6 implementation

This vulnerability is particularly interesting. A remote attacker can send a series of specially crafted IPv6 packets to a vulnerable system, trigger memory corruption, cause a denial of service and potentially execute arbitrary code on that system. The flaw resides in “src/sys/netinet6/frag6.c”, the code responsible for parsing IPv6 options.

All NetBSD users should immediately install the patches from the vendor’s repository.
