Connecting state and local government leaders
The vulnerability, an IPv6 version of a flaw that was fixed more than a decade ago, is one more reason to be aware of the IPv6 traffic agency networks.
The latest round of patches from Microsoft includes a fix for an ICMPv6 vulnerability in all of the company’s operating systems that support IPv6.
The vulnerability, rated “important,” is an IPv6 version of the old Ping of Death, a denial of service attack that originally was fixed more than a decade ago. The current version was reported by Symantec’s Basil Gabriel, and no public exploits of it had been reported at the time Microsoft released the security bulletin on Aug. 13.
But it is one more reason to be aware of the fact that whether or not an agency is using IPv6 on its network, modern operating systems support the new Internet Protocols out of the box and network admins need to be aware of traffic using them.
The ICMPv6 vulnerability was one of eight security bulletins in Microsoft’s Aug. 13 Patch Tuesday release. Three were rated critical and five important.
ICMP, the Internet Control Message Protocol, is a utility for error reporting and diagnostics used in IP networks, and is implemented in Version 6 as well as Version 4 of the Internet Protocols. One of its functions is pinging — using an echo request packet to measure the time of a round trip for a message to a specified IP address. Like many other denial of service attacks, a ping flood uses a high volume of these packets to overwhelm a target. But it was found in the 1990s that a single malformed ping packet larger than the size allowed in IPv4 could cause a buffer overflow when it was reassembled by the host operating system, causing it to crash.
This was fixed in most operating systems by 1998, but Gabriel found that at least some operating systems had the same problem reassembling oversize packets under ICMPv6. This is not a problem in ICMP, which is a required part of IP networking, but it does affect Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows RT. As Microsoft describes it, “the vulnerability is caused when the TCP/IP stack does not properly allocate memory for incoming ICMPv6 packets.”
The patch corrects memory allocation while processing these packets, and the problem also can be handled by firewalls that detect and block the malformed packets. So with a properly configured firewall and an updated OS, the resurrected Ping of Death should not be a problem. It does offer a reminder that IPv6 will present a host of security challenges, however. Some will be new unique to the new protocols and some will be recycled versions of problems already addressed in IPv4.
Until recently, the surest way to dodge challenges like this was to avoid IPv6 altogether. This tactic is quickly becoming an impractical — and soon impossible — solution. Current operating systems and other technologies support IPv6 out of the box, and many prefer the new protocols by default, making it difficult to opt out. With the depletion of new IPv4 addresses available for assignment, future growth in the Internet will be in the IPv6 address space, making it necessary for networks to accommodate the new traffic.
All of this aside, federal agencies are under order to enable IPv6 on their networks. Starting this as early as possible and doing it with a security plan in place will help make the process less risky.