Security experts are urging Microsoft and Juniper to patch a year-old IPv6 vulnerability so dangerous it can freeze any Windows machine on a LAN in a matter of minutes.
Microsoft has downplayed the risk because the hole requires a physical connection to the wired LAN. Juniper says it has delayed a patch because the hole only affects a small number of its products and it wants the IETF to fix the protocol instead.
The vulnerability was initially discovered in July 2010 by Marc Heuse, an IT security consultant in Berlin. He found that products from several vendors were vulnerable, including all recent versions of Windows, Cisco routers, Linux and Juniper’s Netscreen. Cisco issued a patch in October 2010, and the Linux kernel has since been fixed as well. Microsoft and Juniper have acknowledged the vulnerability, but neither has committed to patches.
The hole is in a technology known as router advertisements, where routers broadcast their IPv6 addresses to help clients find and connect to an IPv6 subnet. The DoS attack involves flooding the network segment with random RAs, which eats up CPU resources in Windows until the CPU is overloaded and a hard reboot is required. “For Windows, a personal firewall or similar security product does not protect against this attack, as the default filter rules allow these packets through,” explains Heuse.
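A defensive check for the flood described above, as an added example that is not from the article or from any vendor: it parses Router Advertisements (ICMPv6 type 134) out of raw Ethernet frames and flags a time window in which more distinct routers or prefixes appear than a real segment would have. The function and class names, the window and threshold values, and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import deque

def parse_ra(frame):
    """Return (source, [prefixes]) for an ICMPv6 Router Advertisement, else None."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd":
        return None
    # IPv6 next header 58 = ICMPv6, type 134 = RA (extension headers not walked)
    if frame[20] != 58 or frame[54] != 134:
        return None
    src, opts, prefixes = ipaddress.IPv6Address(frame[22:38]), frame[70:], []
    while len(opts) >= 8:
        olen = opts[1] * 8
        if olen == 0 or olen > len(opts):
            break  # malformed option: stop parsing
        if opts[0] == 3 and olen == 32 and opts[2] <= 128:  # Prefix Information
            prefixes.append(ipaddress.IPv6Network((opts[16:32], opts[2]), strict=False))
        opts = opts[olen:]
    return src, prefixes

class RAFloodDetector:
    """Flag a segment where too many distinct routers or prefixes appear at once."""
    def __init__(self, window=10.0, max_distinct=8):  # assumed defaults
        self.window, self.max_distinct = window, max_distinct
        self.seen = deque()  # (timestamp, router source, prefix or None)

    def observe(self, ts, frame):
        ra = parse_ra(frame)
        if ra is None:
            return False
        for prefix in ra[1] or [None]:
            self.seen.append((ts, ra[0], prefix))
        while self.seen and ts - self.seen[0][0] > self.window:
            self.seen.popleft()
        routers = {s for _, s, _ in self.seen}
        nets = {p for _, _, p in self.seen if p is not None}
        return max(len(routers), len(nets)) > self.max_distinct

def sample_ra(src, prefix):
    """Constructed test frame: one RA with one prefix option (checksum zeroed)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt + net.network_address.packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001020000000001") + b"\x86\xdd"
    return eth + ip6 + icmp
```

Fed from a capture on the segment, `observe` returns True once the number of distinct advertising routers or prefixes inside the window exceeds the threshold, which a network with a handful of real routers never reaches.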
Heuse became so frustrated with Microsoft’s refusal to fix the hole that he published his findings to the Full Disclosure mailing list on April 15. He notes that Microsoft has not even issued a security advisory warning users of the problem. Other Windows networking and security experts have also urged Microsoft to fix the problem, and sources have said that there are even employees inside Microsoft who have been trying to nudge the company to action.
Microsoft has little to say on the subject. “Microsoft is aware of discussions in the security community concerning a technique by which a Windows server or workstation on a target network may experience unprompted high resource utilization caused by an attacker broadcasting malicious IPv6 router advertisements. The attack method described would require that a would-be attacker have link-local access to the targeted network — a situation that does not provide a security boundary,” a Microsoft spokesperson told Network World.
At last week’s Rocky Mountain IPv6 Summit in Denver, Ed Horley began his talk about IPv6 in Windows networks by warning attendees about a dangerous DoS vulnerability that Microsoft has so far shown no interest in fixing. I had a longer conversation about it with Horley. He pointed me to the YouTube video below that shows the hole in action.
I’ve documented much more information about the hole, and how users and security experts have been asking and asking Microsoft to fix it, in this related story: Microsoft, Juniper urged to patch dangerous IPv6 DoS hole. Juniper, too, has been informed it has some products that are vulnerable and it doesn’t want to patch the hole either — it wants the IETF to fix the protocol.
In the meantime, anyone on a LAN with a Windows machine that has IPv6 running (turned on by default in Microsoft’s most recent versions) is at risk. The hole has been publicly disclosed, too.
This video was produced by Sam Bowne, a computer networking instructor at City College San Francisco who has also been pressuring Microsoft to fix the hole.
However, experts aren’t buying it. The hole is “very easy to fix,” Heuse says, and Microsoft has a long history of addressing DoS holes on the local LAN that have far less of an impact. He points to Microsoft fixing a similar issue in 2008 in its implementation of IPv4. Meanwhile, Microsoft has also committed to fixing another issue he recently reported to the company, which he describes as “a very minor vulnerability of detecting if a host is sniffing. It, too, is only possible on the local LAN.” His conclusion is that there is a political issue inside Microsoft where the “responsible team does not want to fix these kinds of issues anymore.”