Opened 6 years ago

Closed 6 years ago

#10196 closed defect (fixed)

radvd security issues

Reported by: Cybjit <cybjit@…> Owned by: developers
Priority: normal Milestone: Backfire 10.03.1
Component: packages Version: Backfire 10.03.1 RC5
Keywords: Cc:
radvd 1.8.2 fixes some security flaws:

1) A privilege escalation flaw was found in radvd, due to a buffer overflow
in the process_ra() function. ND_OPT_DNSSL_INFORMATION option parsing
"label_len" was not checked for negative values, leading to a "suffix"
buffer overflow which can lead to privilege escalation, at least if
radvd is compiled without GCC's stack protection. If radvd is invoked
without privilege separation (the -u option), this can lead to an
escalation to root privileges. Note: Red Hat Enterprise Linux starts
radvd by default with the unprivileged user. (CVE-2011-3601)

2) An arbitrary file overwrite flaw was found in radvd's
set_interface_var() function, where it did not check the interface name
(generated by the unprivileged user) and blindly overwrites a filename
with a decimal value by the root process. If a local attacker could
create symlinks pointing to arbitrary files on the system, they could
overwrite the target file contents. If only radvd is compromised (e.g.
no local access), the attacker may only overwrite files with specific
names (PROC_SYS_IP6_* from radvd's pathnames.h). (CVE-2011-3602)

3) The radvd daemon would not fail on privsep_init() errors, which could
cause it to run with full root privileges when it should be running as
an unprivileged user. (CVE-2011-3603)

4) A number of buffer overread flaws were found in radvd's process_ra()
function due to numerous missed len() checks. This can lead to memory
reads outside of the stack, resulting in a crash of radvd.

5) A temporary denial of service flaw was found in radvd's process_rs()
function, where it would call mdelay() on the same thread in which it
handled all input. If ->UnicastOnly were set, an attacker could cause a
flood with ND_ROUTER_SOLICIT and fill the input queue of the daemon.
This would cause a brief outage of approximately MAX_RA_DELAY_TIME / 2 *
sizeof_input_queue when handling new clients, where MAX_RA_DELAY_TIME is
500ms, leading to delays of more than a minute. Note: this is only the
case in unicast-only mode; there is no denial of service in the (normal,
default) anycast mode. (CVE-2011-3605)
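Flaw 1 above comes down to a DNSSL label length octet that was treated as a signed value and never compared against the space left in the option or in the destination. The following is an added illustration, not radvd's code, of parsing an ND_OPT_DNSSL_INFORMATION body defensively; the function name, buffer size and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parse the domain-name list of a DNSSL option (RFC 6106) into a
 * NUL-terminated dotted suffix. `opt` points just past the 8-byte option
 * header and `opt_len` is the number of body bytes remaining; `suffix`
 * holds `suffix_cap` bytes. Returns the suffix length or -1 if malformed.
 * The length octet is read unsigned (so it can never be negative) and each
 * label is checked against both the option bytes left and the buffer. */
int parse_dnssl_suffix(const uint8_t *opt, size_t opt_len,
                       char *suffix, size_t suffix_cap)
{
    size_t pos = 0, out = 0;
    if (suffix_cap == 0) return -1;
    while (pos < opt_len) {
        unsigned int label_len = opt[pos++];             /* 0..255 */
        if (label_len == 0) break;                       /* root label ends the name */
        if (label_len > 63) return -1;                   /* DNS labels are <= 63 bytes */
        if (label_len > opt_len - pos) return -1;        /* would read past the option */
        if (out + label_len + 2 > suffix_cap) return -1; /* label + '.' + NUL must fit */
        memcpy(suffix + out, opt + pos, label_len);
        out += label_len;
        suffix[out++] = '.';
        pos += label_len;
    }
    if (out == 0) return -1;                             /* no label at all */
    suffix[out - 1] = '\0';                              /* drop the trailing dot */
    return (int)(out - 1);
}

/* Constructed samples (not captured traffic): "example.com" in wire form,
 * and a body whose first length octet is 200, which a signed char would
 * read as -56, the class of value the report says went unchecked. */
const uint8_t DNSSL_OK[]  = {7,'e','x','a','m','p','l','e',3,'c','o','m',0};
const uint8_t DNSSL_BAD[] = {200,'a','b','c'};

int main(void)
{
    char buf[64];
    int n = parse_dnssl_suffix(DNSSL_OK, sizeof DNSSL_OK, buf, sizeof buf);
    printf("good option -> %d bytes: %s\n", n, n >= 0 ? buf : "(rejected)");
    n = parse_dnssl_suffix(DNSSL_BAD, sizeof DNSSL_BAD, buf, sizeof buf);
    printf("bad option  -> %d\n", n);
    return 0;
}
```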

Attachments (0)

Change History (2)

comment:1 Changed 6 years ago by andrewsi@…

I submitted a patch to update the package to 1.8.2.

comment:2 Changed 6 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in r28381, r28382 - thanks!
