Message-ID: <8e576567-21d3-46cc-be09-ac9e0403d18f@oracle.com>
Date: Tue, 21 Jan 2025 12:51:43 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: CERT/CC VU#199397 - Insecure Implementation of Tunneling Protocols
 (GRE/IPIP/4in6/6in4)

https://kb.cert.org/vuls/id/199397 discusses 4 vulnerabilities in the
definitions of tunneling protocols, which may be implemented in Open
Source software, though they don't list any open source implementations
as affected yet in the Vendor Information section.

The CERT note currently states:

> Vulnerability Note VU#199397
> Original Release Date: 2025-01-17 | Last Revised: 2025-01-17
> 
> Overview
> --------
> 
> Tunnelling protocols are an essential part of the Internet and form
> much of the backbone that modern network infrastructure relies on
> today. One limitation of these protocols is that they do not
> authenticate and/or encrypt traffic. Though this limitation exists,
> IPsec can be implemented to help prevent attacks. However,
> implementations of these protocols have been executed poorly in some
> areas.
> 
> For the latest security findings from the researchers at the
> DistriNet-KU Leuven research group, please refer to:
> https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
> 
> Description
> -----------
> 
> Researchers at the DistriNet-KU Leuven research group have discovered
> millions of vulnerable Internet systems that accept unauthenticated
> IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a
> generalization of the vulnerability in VU#636397 : IP-in-IP protocol
> routes arbitrary traffic by default (CVE-2020-10136). The exposed
> systems can be abused as one-way proxies, enable an adversary to spoof
> the source address of packets (CWE-290 Authentication Bypass by
> Spoofing), or permit access to an organization's private
> network. Vulnerable systems can also facilitate Denial-of-Service
> (DoS) attacks. Two types of DoS attacks exploiting this vulnerability
> can amplify traffic: one concentrates traffic in time
> ("Tunneled-Temporal Lensing"), and the other can loop packets between
> vulnerable systems, resulting in an amplification factor of at least
> 13- and 75-fold, respectively. Additionally, the researchers
> discovered an Economic Denial of Sustainability (EDoS), where the
> outgoing bandwidth of a vulnerable system is drained, raising the cost
> of operations if hosted by a third-party cloud service provider.
> 
> Impact
> ------
> 
> An adversary can abuse these security vulnerabilities to create
> one-way proxies and spoof source IPv4/6 addresses. Vulnerable systems
> may also allow access to an organization's private network or be
> abused to perform DDoS attacks.
> 
> Solution
> --------
> 
> See the "Defences" section in the researchers' publication
> https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf
> 
> Acknowledgements
> ----------------
> 
> Thanks to the researchers Mathy Vanhoef and Angelos Beitis of the
> DistriNet-KU Leuven research group for the initial discovery and
> research. This document was written by Ben Koo.
> 
> CVE-2024-7595 GRE and GRE6 Protocols (RFC2784) do not validate or
> verify the source of a network packet, allowing an attacker to route
> arbitrary traffic via an exposed network interface that can lead to
> spoofing, access control bypass, and other unexpected network
> behaviors. This can be considered similar to CVE-2020-10136.
> 
> CVE-2024-7596 Proposed Generic UDP Encapsulation (GUE) (IETF
> draft-ietf-intarea-gue*) does not validate or verify the source of a
> network packet, allowing an attacker to route arbitrary traffic via an
> exposed network interface that can lead to spoofing, access control
> bypass, and other unexpected network behaviors. This can be considered
> similar to CVE-2020-10136.
> 
> *Note: GUE Draft is expired and no longer canonical.
> 
> CVE-2025-23018 The IPv4-in-IPv6 and IPv6-in-IPv6 protocols (RFC2473)
> do not require the validation or verification of the source of a
> network packet, allowing an attacker to route arbitrary traffic via an
> exposed network interface that can lead to spoofing, access control
> bypass, and other unexpected network behaviors. This can be considered
> similar to CVE-2020-10136.
> 
> CVE-2025-23019 The IPv6-in-IPv4 protocol (RFC4213) does not require
> authentication of incoming packets, allowing an attacker to route
> traffic via an exposed network interface that can lead to spoofing,
> access control bypass, and other unexpected network behaviors.
> 
> Note: CVE-2024-7595, CVE-2024-7596, and CVE-2025-23018 are considered
> similar to CVE-2020-10136 in that they highlight the inherent weakness
> that these protocols do not validate or verify the source of a network
> packet. These distinct CVEs are meant to specify the different
> protocols in question that are vulnerable.
> 
> For reference: (CVE-2020-10136) Multiple products that implement the
> IP Encapsulation within IP (IPIP) standard (RFC 2003, STD 1)
> decapsulate and route IP-in-IP traffic without any validation, which
> could allow an unauthenticated remote attacker to route arbitrary
> traffic via an exposed network interface and lead to spoofing, access
> control bypass, and other unexpected network behaviors.
> 
> References
> 
>     https://datatracker.ietf.org/doc/draft-ietf-intarea-gue/
>     https://www.rfc-editor.org/rfc/rfc6169.html
>     https://datatracker.ietf.org/doc/html/rfc2784
>     https://nvd.nist.gov/vuln/detail/CVE-2020-10136

See the Vendor Information section of the note at
  https://kb.cert.org/vuls/id/199397
for the latest information from the various implementations.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
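As an added illustration of the defence the note points to (this is example code, not from the CERT note, the USENIX paper, or the poster; the peer address, prefixes and packets are constructed), the following Python gate decapsulates IPIP, 6in4 or GRE only when the outer source is a configured tunnel peer and, for IPIP/6in4, only when the inner source is one the peer may legitimately originate.

```python
# Added example (not from the advisory): an ingress gate for tunnelled packets.
# IPIP (4), 6in4 (41) and GRE (47) are decapsulated only from a configured peer,
# and for IPIP/6in4 only if the inner source lies in that peer's allowed prefixes.
import ipaddress
import struct

TUNNEL_PROTOS = {4: "IPIP", 41: "6in4", 47: "GRE"}  # IANA IP protocol numbers

def parse_outer(pkt: bytes):
    """Return (proto, outer_src, payload) for an IPv4 packet; raise if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("malformed IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), pkt[ihl:]

def inner_source(proto: int, payload: bytes):
    """Inner source address for IPIP (IPv4) or 6in4 (IPv6); None if unparseable."""
    if proto == 4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        return ipaddress.IPv4Address(payload[12:16])
    if proto == 41 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return ipaddress.IPv6Address(payload[8:24])
    return None

def gate(pkt: bytes, peers: dict) -> str:
    """Return 'pass' (not a tunnel), 'decapsulate' or 'drop' for one packet.
    peers maps a trusted outer peer address to the inner prefixes it may send."""
    proto, outer_src, payload = parse_outer(pkt)
    if proto not in TUNNEL_PROTOS:
        return "pass"
    prefixes = peers.get(str(outer_src))
    if prefixes is None:
        return "drop"          # unauthenticated tunnel traffic: the VU#199397 case
    if proto == 47:
        return "decapsulate"   # GRE: inner protocol varies, so peer check only here
    src = inner_source(proto, payload)
    if src is None or not any(src in ipaddress.ip_network(p) for p in prefixes):
        return "drop"          # inner source spoofed or outside the peer's prefixes
    return "decapsulate"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed test input: minimal IPv4 header, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_ipv6(src: str, dst: str) -> bytes:
    """Constructed test input: minimal IPv6 header with no payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
```

A real deployment would apply the same two checks in the host firewall (match protocol 4/41/47 and the UDP port used for GUE against the peer list) rather than in userspace, but the decision logic is the same.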
