Linux Kernel IPv6 ICMP Error Handling Vulnerability Allows ICMPv4 Injection

Vulnerability

A vulnerability in the Linux kernel's handling of IPv6 ICMP error messages can be exploited by sending forged ICMPv4 error packets. This issue arises because the IPv4 ICMP error packet is incorrectly processed, allowing an attacker to manipulate the IPv6 packet data. The vulnerability is present in the Linux kernel stable tree and affects the ICMP error generation function for IPv6.

Impact

Exploitation of this vulnerability could lead to incorrect processing of ICMPv6 packets, potentially allowing an attacker to inject false information or manipulate network traffic in a harmful way.

Reproduction

To reproduce this vulnerability, send a crafted ICMPv4 error packet that includes a CIPSO IP option. This packet will be received by the Linux system, where it will be processed as an ICMPv6 error. The IPv4 options are not properly cleared before the packet is handled as IPv6, so the IPv4 option data can interfere with the IPv6 processing.

Remediation

The vulnerability has been addressed in a patch that clears the IPv6 control block in the error handling function. This patch is included in the latest version of the Linux kernel.
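Why clearing the control block matters, as an added example that is not the kernel's code or the patch itself: a simplified C model in which an IPv4 layer and an IPv6 layer read the same per-packet scratch bytes. The struct layouts, field names and function names are hypothetical, and the input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48 /* per-packet scratch area shared by all protocol layers */

/* Hypothetical, simplified layouts; not the kernel's real structures. */
struct v4_cb { uint8_t opt_len; uint8_t cipso_off; uint16_t flags; };
struct v6_cb { uint16_t dst_opt_off; uint16_t flags; };

struct pkt { uint8_t cb[CB_SIZE]; };

/* IPv4 receive path: stores option-parsing results in the scratch area. */
void v4_parse_options(struct pkt *p, uint8_t opt_len, uint8_t cipso_off)
{
    struct v4_cb v4 = { .opt_len = opt_len, .cipso_off = cipso_off, .flags = 0 };

    memset(p->cb, 0, CB_SIZE);
    memcpy(p->cb, &v4, sizeof(v4));
}

/* IPv6 code reads the same bytes as IPv6 state. */
uint16_t v6_dst_opt_offset(const struct pkt *p)
{
    struct v6_cb v6;

    memcpy(&v6, p->cb, sizeof(v6));
    return v6.dst_opt_off;
}

/* Hand a packet parsed as IPv4 to the IPv6 error path.
 * clear_cb = 0 models the unpatched path, 1 the patched one. */
uint16_t hand_to_v6_error_path(struct pkt *p, int clear_cb)
{
    if (clear_cb)
        memset(p->cb, 0, CB_SIZE); /* drop stale IPv4 state first */
    return v6_dst_opt_offset(p);
}

int main(void)
{
    struct pkt p;

    v4_parse_options(&p, 12, 20); /* constructed: 12 option bytes, CIPSO at 20 */
    printf("unpatched: v6 sees offset %u\n", (unsigned)hand_to_v6_error_path(&p, 0));
    v4_parse_options(&p, 12, 20);
    printf("patched:   v6 sees offset %u\n", (unsigned)hand_to_v6_error_path(&p, 1));
    return 0;
}
```

Without the clear, the IPv6 reader returns a nonzero option offset that no IPv6 header ever supplied; with it, the IPv6 path starts from zeroed state.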

Added: May 1, 2026, 3:38 PM
Updated: May 1, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 5.0
exploitability: 5.7
remediation: 7.7
relevance: 6.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.