lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <456CFD8C.6030607@spaghetti.zurich.ibm.com>
Date: Wed, 29 Nov 2006 03:25:00 +0000
From: Jeroen Massar <jeroen@...ix.org>
To: Jim Hoagland <jim_hoagland@...antec.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] New report on Teredo security

Jim Hoagland wrote:
> Hello all,
> 
> For anyone that is interested, there is a new report available about Teredo
> security:
>   http://www.symantec.com/avcenter/reference/Teredo_Security.pdf

One very simple solution (at least as far as I know ;) is to block, the
in the paper mentioned, UDP port 3544 and the Teredo client can't reach
any of the servers anymore for an initial contact, thus won't find
relays to talk.

If the user is willing + able to tweak those ports or other things they
can also find their way out of your network over a HTTP-through-proxy or
NSTX (IP over DNS) and various other models.

There are enough covert channel possibilities, as such Teredo is not a
thread per se. The big problem though is that it is there by default (at
least on Vista and also on XP's that have IPv6 installed).
Administrators should thus be made very aware of this; then again if
they still are not aware of this problem they are probably completely
ignorant of IPv6, and that was one of the reasons that this protocol
exists in the first place ;)

For (net)admins the solutions are:
 - Enable IPv6 and provide native IPv6 to their users,
   as then in Vista/XP Teredo is not used.
 - block UDP port 3544

Smart admins that don't want to enable their full network to do IPv6 yet
(eg no firewall that supports it or no numbering plan, no upstream that
can provide it etc), might simply opt to do IPv6 Route Advertisements
anyway using 2001:db8::/32 (documentation) as a prefix. The router that
advertises the prefix should then send ICMPv6 destination unreaches for
everything, effectively blocking IPv6 connectivity and because of the
RA, Vista's/XP's Teredo is disabled. Note that Vista/XP also try and do
ISATAP and 6to4 automatically to get out of the NAT box.

Greets,
 Jeroen


Download attachment "signature.asc" of type "application/pgp-signature" (312 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ