[arch-security] [ASA-201605-26] libndp: man-in-the-middle
Arch Linux Security Advisory ASA-201605-26
==========================================

Severity: Medium
Date    : 2016-05-24
CVE-ID  : CVE-2016-3698
Package : libndp
Type    : man-in-the-middle
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package libndp before version 1.6-1 is vulnerable to
man-in-the-middle attacks.

Resolution
==========

Upgrade to 1.6-1.

# pacman -Syu "libndp>=1.6-1"

The problem has been fixed upstream in version 1.6.

Workaround
==========

None.

Description
===========

Libndp before version 1.6 does not properly validate and check the
origin of Neighbor Discovery Protocol (NDP) messages. An attacker on a
non-local network can exploit this flaw to advertise a node as a router,
which allows them to re-route the traffic through an attacker-controlled
node.

Impact
======

A remote unauthenticated attacker is able to send specially crafted
messages to a client and act as a man-in-the-middle between the client
and a server or disrupt client traffic.

References
==========

https://access.redhat.com/security/cve/CVE-2016-3698
https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d402911...
Levente Polyak
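
The origin check the Description refers to, sketched as an added example (not part of the advisory and not libndp's code). It applies the RFC 4861 receive rules: every NDP message must arrive with hop limit 255, and Router Advertisements and Redirects must come from a link-local source. The function names and sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/icmp6.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hop limit from IPV6_HOPLIMIT ancillary data (the receiving socket must
 * have IPV6_RECVHOPLIMIT enabled); -1 if the kernel supplied none. */
int ndp_hop_limit(struct msghdr *msg)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IPV6 && c->cmsg_type == IPV6_HOPLIMIT &&
            c->cmsg_len >= CMSG_LEN(sizeof(int))) {
            int hl;
            memcpy(&hl, CMSG_DATA(c), sizeof(hl));
            return hl;
        }
    }
    return -1;
}

/* RFC 4861: a router decrements the hop limit, so only an on-link sender can
 * deliver 255; RA and Redirect must also carry a link-local source address. */
bool ndp_origin_ok(uint8_t type, const struct in6_addr *src, int hop_limit)
{
    if (hop_limit != 255)
        return false;               /* forwarded, or hop limit unknown (-1) */
    if (type == ND_ROUTER_ADVERT || type == ND_REDIRECT)
        return IN6_IS_ADDR_LINKLOCAL(src);
    return true;
}

/* Constructed sample: rebuild the ancillary data a receive call would return. */
bool sample_accepts(uint8_t type, const char *src_text, int hop_limit)
{
    union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } ctl;
    struct msghdr msg = { .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
    struct in6_addr src;
    memset(&ctl, 0, sizeof(ctl));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IPV6;
    c->cmsg_type = IPV6_HOPLIMIT;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &hop_limit, sizeof(int));
    return inet_pton(AF_INET6, src_text, &src) == 1 &&
           ndp_origin_ok(type, &src, ndp_hop_limit(&msg));
}

int main(void) { return sample_accepts(ND_ROUTER_ADVERT, "fe80::1", 255) ? 0 : 1; }
```

A missing hop limit is treated as a failure, so a receiver that forgot to enable IPV6_RECVHOPLIMIT rejects everything instead of silently accepting forwarded messages.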