OpenBSD Remote Exploit

OpenBSD is usually touted as one of the most secure networked operating systems. Of course, part of that reputation was gained because for years it's disabled unnecessary services (or even sometimes mostly necessary ones -- like SSH) by default. Still, defaults aside, OpenBSD.org has for many years now had the tag-line, "Only one remote hole in the default install, in more than 10 years!" Just in the last few days, however, that tag-line has changed. The count's now jumped to two remote holes in the default install.
It turns out that a relatively straightforward vulnerability in the IPv6 packet handling exposes any OpenBSD machine (well, versions 3.1, 3.6, 3.8, 3.9, 4.0 Stable and Current, and OpenBSD 4.1 prior to Feb. 26th, 2006) on an IPv6 routed network. Even when deployed on an IPv4-only network, the IPv6 interface is enabled by default and would still be available on the local subnet, though an IPv4-only deployment does mitigate the risk of the vulnerability somewhat.

Core Securities found the vulnerability and worked together with the OpenBSD team, but from the vendor contact log included in the advisory, there are definitely hints that maybe the OpenBSD team is a little rusty in handling security events, or the usual "responsible disclosure" mechanism didn't quite function as well as designed. Not only did the OpenBSD folks initially deny the "vulnerability" status of the bug (believing it was only a remote denial of service), but it also appears public disclosure of the vulnerability was done without coordination (see the "Release Mode" section of Core's alert).

All that aside, working exploit code is included in the Core advisory, and patches are available (and in a relatively short period of time), so if you're running OpenBSD, make sure you get yours:

http://www.openbsd.org/errata39.html#m_dup1
http://www.openbsd.org/errata40.html#m_dup1