
March 14, 2007 11:17 AM PDT

OpenBSD hit by 'critical' IPv6 flaw

A vulnerability in the way OpenBSD handles IPv6 data packets exposes systems running the traditionally secure open-source operating system to serious attack.

A memory corruption vulnerability exists in the OpenBSD code that handles IPv6 packets, Core Security Technologies said in an alert published Tuesday. Exploiting the flaw could let an attacker commandeer a vulnerable system, according to Core, which said it discovered the issue and crafted sample exploit code.

"This vulnerability allows attackers to gain complete control of the target system, bypassing all the operating system's security mechanisms," Core said in a statement Wednesday. Core deems the issue "critical." Security-monitoring company Secunia rates it "highly critical."

OpenBSD is one of several operating systems based on the Berkeley Software Distribution, or BSD. The most popular BSD descendants are FreeBSD, PCBSD and NetBSD, with OpenBSD coming in fourth, according to the BSDstats project.

OpenBSD is mostly known for its security enhancements and is used for firewalls, intrusion detection systems and other applications. Google is among OpenBSD users and backers. The OpenBSD team likes to tout that only a few remotely exploitable vulnerabilities have been found in the code in a decade.

A security update was issued last week to deal with the OpenBSD issue, which affects multiple releases of the operating system.

Default installations of OpenBSD are vulnerable as IPv6 is enabled and the system does not filter inbound packets, Core said. IPv6 is the next version of the Internet Protocol designed to support a broader range of IP addresses as the IP version 4 addresses currently in use become more scarce.

To exploit the vulnerability, an attacker must have the ability to send malicious IPv6 packets to the target system or be on the same network, Symantec said in an alert. The Cupertino, Calif., security company raised its ThreatCon to level 2 because of the issue, which means attacks are expected.

As a workaround for users who cannot apply the OpenBSD patch or who do not need to process or route IPv6 traffic on their systems, all inbound IPv6 packets can be blocked by using OpenBSD's firewall.


5 comments
It is easy to fix
by Shef Seattle March 14, 2007 11:56 AM PDT
The good thing is all OpenBSD users are computer experts who can find the bug in the source code and re-compile the networking stack. So it is not a big threat for the open source community, unlike evil Microsoft :)
OpenBSD coming in -- second.
by Solaris_User March 14, 2007 3:10 PM PDT
OpenBSD is much more widely used than PCBSD or NetBSD.

Even the best OS's fail .. what is it now.. twice in 10 years. ;-)

Good job OpenBSD team! Your security record is VERY impressive.