Kasperksy today released an update to its personal firewall product for Windows. The patched vulnerability fits very nicely into our current focus on IPv6. 

A packet with a large "Destination Header" caused the firewall to crash and drop all traffic. 

IPv6 uses a very minimal IP header. Instead of providing space for options or fragmentation fields, many of these features are now fulfilled by extension headers. As a rule of thumb, most of your packets passing a firewall will not use extension headers. But extension headers do pose a challenge to firewalls.

In IPv4, following the IPv4 header is typically a transport protocol header like TCP or UDP. A firewall needs to collect information from IP as well as transport protocol header in order to make its filtering decission. For IPv4, the maximum IPv4 header size is 60 bytes and another 60 bytes can be used for the TCP header. 

In IPv6, one or more extension headers may be inserted between IPv6 and transport header. Some of these extension headers can be up to 2kBytes in length. As a result, firewalls need to inspect more data in order to make a filter decision about the packet. 

The vulnerability in Kasperky's product was found using the THC IPv6 test suite. It includes a tool "firewall6" that can be used to create various odd and malformed IPv6 packet to test firewalls. Several of the options (for example test 18 and 19) produce packets will destination headers exceeding 2,000 bytes. These tests crashed Kaspersky's firewall.

An exerpt from a packet created by test 19 is shown below:

Internet Protocol Version 6, Src: fe80::20c:29ff:fe27:cb5a (fe80::20c:29ff:fe27:cb5a), Dst: ff02::1 (ff02::1)
    0110 .... = Version: 6
    Next header: IPv6 fragment (44)
    Hop limit: 255
    Destination: ff02::1 (ff02::1)
    Fragmentation Header
    Destination Option
        Next header: IPv6 destination option (60)
        Length: 254 (2040 bytes)
        IPv6 Option (Pad1)
    ....

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter