Security Operating Systems Bug BSD

Remotely Crash OpenBSD

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.
  • Does this count? (Score:5, Interesting)

    by DNAspark99 ( 218197 ) on Thursday February 05, 2004 @06:52PM (#8195365)
    Or can OpenBSD still boast "Only one remote hole in the default install, in more than 7 years!" ?
  • by agentZ ( 210674 ) on Thursday February 05, 2004 @06:54PM (#8195401)
    I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata [openbsd.org] page.

    What's a sane admin to do?
  • Re:Does this count? (Score:5, Interesting)

    by Richard_at_work ( 517087 ) * on Thursday February 05, 2004 @07:10PM (#8195569)
    IPv6 is available in the base install, but you have to actually have an IPv6 address assigned that people can get to to exploit this issue. It's really a non-issue for the 99% of people running OpenBSD out there, but for some, like myself, it's time to upgrade.
  • about ipv6 (Score:5, Interesting)

    by MrLint ( 519792 ) on Thursday February 05, 2004 @07:15PM (#8195617) Journal
    Not long ago there was an article about not only how ipv6 isn't needed, but that since it's 'new' code, it has a lot of problems that have long since been worked out of ipv4. Is this an example of that? Should we worry?

    I have to ask myself that with all of the decades of experience that has gone into ipv4 development and hacking and exploiting, are these fears justified? Have all the glitches in ipv4 been found? And if so, isn't it trivial to avoid the same early mistakes in ipv6? Does this particular problem have an ipv4 analog? Is it even a stack theory issue? Is it just an implementation oversight?

    Does anyone have any insight?
  • by Ryvar ( 122400 ) on Thursday February 05, 2004 @07:28PM (#8195748) Homepage
    Do what I did last night before I even knew about this - comment IPV6 completely out of your kernel entirely for efficiency's sake.

    One of the reasons OpenBSD tends to be more secure is because it ships with *almost* everything off. However, there's a solid 10+ default user accounts, 3-4 default services (sshd, sendmail, inetd/portmap), and 75+ kernel/device options you should remove/recompile out upon installation (this is all assuming your only purpose is to create an x86-based router).

    Yes, you'll need to muck about with /etc/mtree/special and /var/cron/tabs a bit to keep everything from whining to syslog constantly, but every unnecessary thing removed is a potential exploit avoided.

    --Ryv
  • Dont worry... (Score:1, Interesting)

    by Anonymous Coward on Thursday February 05, 2004 @07:45PM (#8195887)
    you would HAVE to be connected to the 6bone to get an ipv6 packet. Or have the attacker on your own network running ipv6 and trick you into becoming configured onto the same /64 prefix....not many of us have an ipv6 tunnel (thank you hurricane electric). So this affects very very very few people. you know who you are, and are patching now.
    --jboss
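
The exposure condition raised in the comments above (an IPv6 address that others can reach, whether routed or only from the same link) can be checked from `ifconfig` output. This is an added example, not part of any comment in the thread; the sample output, interface names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of BSD `ifconfig -a` output (not from the thread).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
\tinet6 ::1 prefixlen 128
\tinet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet6 fe80::2a0:c9ff:fe12:3456%fxp0 prefixlen 64 scopeid 0x1
\tinet6 2001:db8:1::10 prefixlen 64
fxp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
\tinet6 2001:db8:2::1 prefixlen 64
"""

IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-fA-F]+<([^>]*)>")
INET6_RE = re.compile(r"^\s+inet6 (\S+)")

def classify(addr):
    """Scope of an address: 'local' (host only), 'on-link' (same segment),
    or 'routed' (not confined to the link; real reachability depends on routing)."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop the %scope suffix
    if ip.is_loopback:
        return "local"
    if ip.is_link_local:
        return "on-link"
    return "routed"

def ipv6_exposure(ifconfig_text):
    """Map each interface that is UP to its (address, scope) pairs."""
    exposure, current = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:  # new interface stanza; ignore interfaces that are down
            current = m.group(1) if "UP" in m.group(2).split(",") else None
            continue
        m = INET6_RE.match(line)
        if m and current:
            exposure.setdefault(current, []).append((m.group(1), classify(m.group(1))))
    return exposure

def remotely_reachable(exposure):
    """Interfaces holding an address that hosts beyond the local link could reach."""
    return sorted(i for i, addrs in exposure.items()
                  if any(scope == "routed" for _, scope in addrs))

if __name__ == "__main__":
    for iface, addrs in ipv6_exposure(SAMPLE_IFCONFIG).items():
        print(iface, addrs)
```

An interface that lists only `on-link` addresses is still reachable by hosts on the same segment, which is the second case the comment above describes.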
  • by wirelessbuzzers ( 552513 ) on Thursday February 05, 2004 @08:34PM (#8196465)
    I thought Theo's comment sounded really arrogant, too. But you might note that the author quoted it with no context, so who knows whether it was in real life.

    Now as for Microsoft, if MS patched something within... no, wait, it was patched before the bug came out... anyway, we'd cut them a bit more slack.
  • by Anonymous Coward on Thursday February 05, 2004 @08:49PM (#8196623)
    What does "cogitoergosum" mean?

    Cogito ergo sum:

    Rene Descartes, Discourse on Methode, Part 4:
    I AM in doubt as to the propriety of making my first meditations in the place above mentioned matter of discourse; for these are so metaphysical, and so uncommon, as not, perhaps, to be acceptable to every one. And yet, that it may be determined whether the foundations that I have laid are sufficiently secure, I find myself in a measure constrained to advert to them. I had long before remarked that, in (relation to) practice, it is sometimes necessary to adopt, as if above doubt, opinions which we discern to be highly uncertain, as has been already said; but as I then desired to give my attention solely to the search after truth, I thought that a procedure exactly the opposite was called for, and that I ought to reject as absolutely false all opinions in regard to which I could suppose the least ground for doubt, in order to ascertain whether after that there remained aught in my belief that was wholly indubitable. Accordingly, seeing that our senses sometimes deceive us, I was willing to suppose that there existed nothing really such as they presented to us; and because some men err in reasoning, and fall into paralogisms, even on the simplest matters of Geometry, I, convinced that I was as open to error as any other, rejected as false all the reasonings I had hitherto taken for demonstrations; and finally, when I considered that the very same thoughts (presentations) which we experience when awake may also be experienced when we are asleep, while there is at that time not one of them true, I supposed that all the objects (presentations) that had ever entered into my mind when awake, had in them no more truth than the illusions of my dreams. 
    But immediately upon this I observed that, whilst I thus wished to think that all was false, it was absolutely necessary that I, who thus thought, should be somewhat; and as I observed that this truth, I think, hence I am, was so certain and of such evidence, that no ground of doubt, however extravagant, could be alleged by the Sceptics capable of shaking it, I concluded that I might, without scruple, accept it as the first principle of the Philosophy of which I was in search.

    http://www.bartleby.com/34/1/4.html [bartleby.com]

  • by DeltaSigma ( 583342 ) on Thursday February 05, 2004 @09:33PM (#8197062) Journal
    What I've been wondering is if anyone has read any of the literature regarding OpenBSD's methodology. I recall it being expressly mentioned that they would rather have the machine crash than have it rooted. Which is a good idea if you cannot risk a break-in. They try to break in, you crash, and now you're in a more secure state (off) than you were when they attacked you.
  • by Ryvar ( 122400 ) on Thursday February 05, 2004 @09:47PM (#8197151) Homepage
    Smart.

    If I set up the system for mail - which I don't do for a simple firewall - I also use Postfix. Only other alternative is qmail and DJB's stuff is just too much of a PITA/non-standard.

    --Ryv
  • by Anonymous Coward on Friday February 06, 2004 @04:55AM (#8199230)
    IPv6 might not be of any interest to you (probably American?), but in some parts of the world IPv6 is in production networks. Even though China has their "big firewall" it doesn't do NAT...

    As well, ssh is typically the first thing to run on IPv6, as it's a neat way to tunnel other protocols before they are ported... Oh, and if you have IPv6 support in ssh, it will default to IPv6 first (IPv6 addresses are returned before IPv4 addresses by the resolver).
  • Re:Oh well... (Score:4, Interesting)

    by kl76 ( 445787 ) on Friday February 06, 2004 @09:12AM (#8200187)
    Who the heck is Spyder Inc? The TCP/IP stack in NT 3.1 was the STREAMS-based SpiderTCP 6 (IIRC) from Spider Systems Ltd. (I used to work for them). This in turn used some BSD code. This stack was replaced in NT 3.5, with a stack allegedly written from scratch at Microsoft according to this [kuro5hin.org].
  • MSFT Can't Win (Score:1, Interesting)

    by Anonymous Coward on Friday February 06, 2004 @01:19PM (#8202798)
    Forgetting corporate inertia for a moment, you have the choice of hurried, not thoroughly tested, patches; or waiting weeks while they test it thoroughly.

    Think of the sheer number of test cases. You've got how many different versions of Windows still supported. Multiply that by all the apps MSFT sells (e.g.: Office) and all the apps that major corporations also run (e.g. Oracle). Multiply by a few hundred hardware platforms.

    I'm not particularly fond of MSFT myself, but complaining about the speed AND quality of their patches reflects poorly on you.
