Security Advisory 0604
Summary : Input Validation error in Teredo tunnel
Date : 31 December 2006
Affected versions : Miredo 1.0.5 down to 0.9.8
ID : MTFL-SA-0604
Details
Authentication of a Teredo bubble (as part of UDP hope punching) with HMAC-MD5-64 hashing is done improperly and can easily be spoofed by a malicious third party.
Impact
If successful, a malicious third party could use this vulnerability to impersonate an arbitrary Teredo client toward any Teredo relay or any other Teredo client running the vulnerable software.
As far as is known, this bug cannot be exploited to run arbitrary code remotely.
Threat mitigation
Exploitation of this bug requires previous knowledge of the victim’s Teredo IPv6 address (which is made of the victim’s public IPv4 address, UDP port number, and cone NAT flag, plus the victim’s Teredo server’s primary IPv4 address).
For security-sensitive application, trust and access should never be granted on the sole basis of the peer’s IPv6 address. We strongly recommend using a shared secret and/or keypair-based signature and authentication algorithm (such as those included in TLS/SSL or IPsec), for sensitive application.
Workarounds
There is no known proper workaround for Teredo clients and relays.
Solution
Upgrade to Miredo version 1.0.6.
Credits
This bug was discovered internally.
References
None.
History
31 December 2006
Miredo 1.0.6 released
Initial detailled security advisory
30 December 2006
Patch applied to development tree
Bug discovered in Miredo development trunk