CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.9 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, has been found in Host (version unknown). Affected by this issue is an unknown function of the component IPv6 Fragmentation Handler. The manipulation with an unknown input leads to a code vulnerability (Generic). Using CWE to declare the problem leads to CWE-17. Impacted is availability. CVE summarizes:
An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages. (The scope of this CVE is all affected IPv6 implementations from all vendors.) The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946]. That is, employing fragmentation where not actually needed allows for fragmentation-based attack vectors to be employed, unnecessarily. We note that, unfortunately, even nodes that already implement [RFC6946] can be subject to DoS attacks as a result of the generation of IPv6 atomic fragments. Let us assume that Host A is communicating with Host B and that, as a result of the widespread dropping of IPv6 packets that contain extension headers (including fragmentation) [RFC7872], some intermediate node filters fragments between Host B and Host A. If an attacker sends a forged ICMPv6 PTB error message to Host B, reporting an MTU smaller than 1280, this will trigger the generation of IPv6 atomic fragments from that moment on (as required by [RFC2460]). When Host B starts sending IPv6 atomic fragments (in response to the received ICMPv6 PTB error message), these packets will be dropped, since we previously noted that IPv6 packets with extension headers were being dropped between Host B and Host A. Thus, this situation will result in a DoS scenario. Another possible scenario is that in which two BGP peers are employing IPv6 transport and they implement Access Control Lists (ACLs) to drop IPv6 fragments (to avoid control-plane attacks). If the aforementioned BGP peers drop IPv6 fragments but still honor received ICMPv6 PTB error messages, an attacker could easily attack the corresponding peering session by simply sending an ICMPv6 PTB message with a reported MTU smaller than 1280 bytes. Once the attack packet has been sent, the aforementioned routers will themselves be the ones dropping their own traffic.
The bug was discovered 01/16/2017. The weakness was disclosed 01/14/2017 (Website). The advisory is shared for download at securityfocus.com. This vulnerability is handled as CVE-2016-10142 since 01/14/2017. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 10/28/2022). This vulnerability has a historic impact due to its background and reception.
The vulnerability scanner Nessus provides a plugin with the ID 97962 (CentOS 6 : kernel (CESA-2017:0817)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CentOS Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 236309 (Red Hat Update for kernel Security (RHSA-2017:0817)).
Upgrading eliminates this vulnerability. A possible mitigation has been published 3 months after the disclosure of the vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (97962). The entries 94614, 94992, 99766 and 117588 are pretty similar.
Product
Name
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.9
VulDB Base Score: 7.5
VulDB Temp Score: 7.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.6
NVD Vector: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: GenericClass: Code / Generic
CWE: CWE-17
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 97962
Nessus Name: CentOS 6 : kernel (CESA-2017:0817)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 802738
OpenVAS Name: Junos ICMPv6 DoS Vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
01/14/2017 🔍01/14/2017 🔍
01/14/2017 🔍
01/15/2017 🔍
01/16/2017 🔍
01/24/2017 🔍
03/24/2017 🔍
03/27/2017 🔍
10/28/2022 🔍
Sources
Advisory: RHSA-2017:0817⛔Status: Not defined
Confirmation: 🔍
CVE: CVE-2016-10142 (🔍)
SecurityTracker: 1038256
SecurityFocus: 95797 - IETF IPv6 Protocol CVE-2016-10142 Denial of Service Vulnerability
OSVDB: - CVE-2016-10142 - IPv6 - Atomic Fragmentation Issue
See also: 🔍
Entry
Created: 01/15/2017 10:37Updated: 10/28/2022 15:46
Changes: 01/15/2017 10:37 (80), 10/28/2022 15:35 (5), 10/28/2022 15:41 (1), 10/28/2022 15:46 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.