Linux Kernel Netfilter Invalid MAC Header Validation Vulnerability in EUI-64 Derivation

Vulnerability

A vulnerability exists in the Linux kernel's netfilter component, specifically within the ip6t_eui64 module. The issue is in the EUI-64 derivation path, where an invalid MAC header can be accepted under certain conditions. The function 'eui64_mt6()' derives a modified EUI-64 from the Ethernet source address and compares it to the IPv6 source address. Before the fix, however, the validation rejected an invalid MAC header only when 'par->fragoff' was not zero. As a result, packets with a zero fragment offset bypass the check and reach the code that reads the Ethernet header, potentially leading to incorrect header processing. The fix removes the 'par->fragoff' condition, so that all packets with an invalid MAC header are rejected before the Ethernet header is accessed.
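A userspace model of the guard described above, before and after the fix. This is an added example, not the kernel's code: the struct, the function names and the sample values are hypothetical, and the bounds test is an assumed definition of a "valid" MAC header.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN 14 /* dst MAC (6) + src MAC (6) + EtherType (2) */
/* Hypothetical stand-in for the buffer offsets the guard inspects. */
struct pkt_model { unsigned int head, mac_header, data; };

/* Constructed samples: Ethernet header before the IPv6 header, and none at all. */
static const struct pkt_model with_eth = { 0, 50, 64 }, no_eth = { 0, 64, 64 };
static const unsigned char sample_mac[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
static const unsigned char sample_saddr[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
    0x02, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x55 };

/* Assumption: "valid" means all ETH_HLEN bytes lie between head and data. */
static bool mac_header_valid(const struct pkt_model *p)
{
    return p->mac_header >= p->head && p->mac_header + ETH_HLEN <= p->data;
}

/* Guard as described before the fix: fragoff == 0 lets an invalid header through. */
static bool rejected_before_fix(const struct pkt_model *p, unsigned int fragoff)
{
    return !mac_header_valid(p) && fragoff != 0;
}

/* Guard after the fix: the fragment offset no longer plays a part. */
static bool rejected_after_fix(const struct pkt_model *p)
{
    return !mac_header_valid(p);
}

/* Match step: modified EUI-64 = MAC with ff:fe inserted and the U/L bit flipped. */
static bool eui64_matches(const unsigned char mac[6], const unsigned char saddr[16])
{
    unsigned char eui64[8];
    memcpy(eui64, mac, 3);
    eui64[3] = 0xff; eui64[4] = 0xfe;
    memcpy(eui64 + 5, mac + 3, 3);
    eui64[0] ^= 0x02;
    return memcmp(saddr + 8, eui64, sizeof(eui64)) == 0;
}

int main(void)
{
    printf("invalid MAC header, fragoff=0: rejected before fix=%d, after fix=%d\n",
           rejected_before_fix(&no_eth, 0), rejected_after_fix(&no_eth));
    return eui64_matches(sample_mac, sample_saddr) ? 0 : 1;
}
```

In the model, the pre-fix guard rejects the packet without an Ethernet header only when the fragment offset is non-zero, while the post-fix guard rejects it in both cases and never affects a packet whose header is in bounds.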

Impact

Exploitation of this vulnerability could lead to improper handling of network packets, allowing invalid MAC headers to be processed, which could disrupt network communication or be leveraged for further attacks.

Reproduction

To reproduce this vulnerability, send IPv6 packets with an invalid MAC header while ensuring the fragment offset is set to zero. The 'eui64_mt6()' function will process these packets without rejecting the invalid header, demonstrating the flaw in the validation logic.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available in the Linux kernel documentation.

Added: Apr 25, 2026, 9:19 AM
Updated: Apr 25, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 6.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.