Description
The IP-in-IP protocol, specified by the IP Encapsulation within IP standard (RFC 2003, STD 1), is vulnerable to spoofing, access-control bypass and other unexpected behavior in implementations that decapsulate and route IP-in-IP traffic, because network packets are not validated before decapsulation and routing.
A flaw was found in the IP-in-IP protocol. An unauthenticated attacker can use the IP-in-IP protocol to route network traffic through a vulnerable device, which can lead to spoofing, access control bypasses, and other unexpected network behaviors.
Report
IP-in-IP encapsulation is an 'in the clear' tunnel protocol between two hosts. When the module is loaded, the system will be in an 'any-to-any' routing state: it will accept any "IP in IP" packets and forward them through the system routing chains. No authentication, encryption or restrictions are created between endpoints by the kernel module. Until a configuration rule is set, "IP in IP" packets from any system that can send them to an unconfigured system with the ipip kernel module loaded will be unwrapped and forwarded. There is a window of opportunity between module loading and configuration that may allow an attacker to abuse this flaw. When a tunnel device is created, it restricts the source and destination of the tunnelled packets, but the content of the tunnelled data remains unencrypted and unauthenticated. Red Hat Product Security strongly recommends using authenticated and encrypted tunnels such as IPSec, VPN or libreswan if tunnelling between networks is required.
Mitigation
Systems that have IP in IP kernel modules loaded will need to unload the "ipip" kernel module and blacklist it to prevent the module from being used until a fix has been provided (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules). Take careful consideration: unloading and blacklisting the module may create a one-time attack vector window for a local attacker. Consider using an alternative authenticated and encrypted tunnelling protocol until a suitable solution is developed.
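One way to audit the mitigation state described above, as an added example that is not part of the original advisory or of Red Hat's guide. The function names, the status words and the `--live` flag are assumptions of this example; it distinguishes a plain `blacklist` line (which only stops alias-based autoloading) from an `install` override (which also makes an explicit `modprobe ipip` fail).

```shell
#!/bin/sh
# Added example: report whether ipip is loaded, and whether it can still be loaded.
# File and directory are parameters so the checks can run on constructed input.

# ipip_loaded FILE: succeeds if FILE (same format as /proc/modules) lists ipip.
ipip_loaded() {
    awk '$1 == "ipip" { found = 1 } END { exit !found }' "$1"
}

# ipip_rule DIR KEYWORD: succeeds if a *.conf file in DIR carries an
# uncommented "blacklist ipip", or "install ipip <.../false|true>" directive.
ipip_rule() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v kw="$2" '
$1 == kw && $2 == "ipip" && (kw == "blacklist" || $3 ~ /\/(false|true)$/) { found = 1 }
END { exit !found }' "$f" && return 0
    done
    return 1
}

# audit_ipip MODULES_FILE MODPROBE_DIR: prints one status word.
#   exposed       module is loaded right now
#   loadable      not loaded, but nothing prevents loading it
#   autoload-off  blacklist only: autoload is off, "modprobe ipip" still works
#   blocked       install override present: explicit loads fail as well
audit_ipip() {
    if ipip_loaded "$1"; then
        echo exposed
    elif ipip_rule "$2" install; then
        echo blocked
    elif ipip_rule "$2" blacklist; then
        echo autoload-off
    else
        echo loadable
    fi
}

# On a real system: sh audit_ipip.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_ipip /proc/modules /etc/modprobe.d
fi
```

Only `/etc/modprobe.d` is checked in `--live` mode; run `audit_ipip` again on any other modprobe configuration directory the distribution uses.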
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | kernel | Not affected | | |
| Red Hat Enterprise Linux 6 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-alt | Not affected | | |
| Red Hat Enterprise Linux 7 | kernel-rt | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel | Not affected | | |
| Red Hat Enterprise Linux 8 | kernel-rt | Not affected | | |
| Red Hat Enterprise MRG 2 | kernel | Not affected | | |
Additional information
Status:
CVSS3: 7.5 High
Related vulnerabilities
The IP-in-IP protocol, specified by the IP Encapsulation within IP standard (RFC 2003, STD 1), is vulnerable to spoofing, access-control bypass and other unexpected behavior in implementations that decapsulate and route IP-in-IP traffic, because network packets are not validated before decapsulation and routing.
Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors.
A vulnerability in the Cisco NX-OS operating system related to authentication bypass via spoofing, allowing an attacker to cause a denial of service
CVSS3: 7.5 High