This article is more than 1 year old

Cisco warns IPv6 ping-of-death vuln is everyone's problem

Neighbor Discovery flaw in its routers is not specific to Switchzilla's gear

Cisco is warning network administrators about a flaw in the handling of IPv6 packets that it says extends beyond its own products.

The networking behemoth has issued a security alert detailing a vulnerability in the processing of IPv6 Neighbor Discovery (ND) packets that could allow a remote and unauthenticated miscreant to perform a denial of service (DoS) attack on various network appliances simply by feeding malformed bytes to the target. These ND packets are delivered using ICMP, and are IPv6's equivalent of IPv4's ARP.

Cisco says that it believes the vulnerability (CVE-2016-1409) is present in devices using its IOS, IOS XR, IOS XE, and NX-OS software, provided the hardware is configured with a global IPv6 address and is processing incoming traffic.

What's worse, Cisco says, is that it does not believe the issue is limited to Cisco products, and other hardware vendors are likely to be vulnerable to attack as well.

"This vulnerability is not Cisco-specific," Switchzilla warns.

"Any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability."

Cisco says that a software fix for the vulnerability in its own products is in the works. In the meantime, it is advising administrators who use the vulnerable devices to keep strict controls over the way external IPv6 traffic is handled within their networks.

"IPv6 ND packets should be limited to local links and dropping them on the edge can help protect the infrastructure. It is a commonly accepted best practice to drop these packets at the internet edge," said Cisco.

"Alternatively, configuring static IPv6 neighbors where possible and denying all IPv6 ND packets at the edge help mitigate this vulnerability."

No word yet on when the patch will be released. ®

More about


Send us news

Other stories you might like