CVE-2004-0257
Description
OpenBSD 3.4 and NetBSD 1.6/1.6.1 crash when an attacker sends IPv6 packets with a small MTU followed by a TCP connect.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An IPv6 packet with a small MTU, combined with a subsequent TCP connect to a listening port, causes a crash in OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 [1]. The vulnerability lies in the TCP/IP stack's handling of ICMPv6 messages when the MTU is set below a required minimum, leading to a kernel panic. The bug is triggered by a remote attacker sending an ICMPv6 packet that sets a small MTU (e.g., less than 1280 bytes) to a host with a listening TCP port, and then performing a TCP connect to that port [1].
Exploitation
An attacker needs network access to send crafted IPv6 packets to the target host. No authentication is required. The attack sequence is: (1) send an IPv6 ICMPv6 packet that sets a small MTU toward the target host; (2) subsequently initiate a TCP connection to any listening port on that host [1]. The small MTU causes the kernel to enter an invalid state during the TCP handshake, resulting in a crash [1]. The exploit can be conducted remotely without user interaction.
Impact
Successful exploitation causes a remote denial of service (kernel crash) on the affected system [1]. The crash leads to a system panic and requires a reboot to restore service. There is no evidence of code execution or privilege escalation, though the reporter noted it was unknown whether code execution may be possible [1].
Mitigation
The advisory reports testing against OpenBSD 3.4 and states that FreeBSD is not vulnerable; NetBSD 1.6 and 1.6.1 are also affected [1]. No vendor patch was mentioned in the references. Mitigation includes filtering or blocking incoming ICMPv6 packets with a small MTU at the network perimeter, or disabling IPv6 on affected systems until patches are applied. As of the publication date (2004-02-04), no fix from the vendor was disclosed.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:openbsd:openbsd:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.2:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.3:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.4:*:*:*:*:*:*:*
- (no CPE) range: = 3.4
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/9577 (nvd; Patch, Vendor Advisory)
- ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2004-002.txt.asc (nvd)
- lists.grok.org.uk/pipermail/full-disclosure/2004-February/016704.html (nvd)
- marc.info (nvd)
- www.guninski.com/obsdmtu.html (nvd)
- www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c (nvd)
- www.osvdb.org/3825 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15044 (nvd)