CVE-2015-2924

NetworkManager: denial of service (DoS) attack against IPv6 network stacks due to improper handling of Router Advertisements

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in NetworkManager 1.x allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message, a similar issue to CVE-2015-2922.

La función receive_ra en rdisc/nm-lndp-rdisc.c en la implementación del protocolo Neighbor Discovery (ND) en la pila IPv6 en NetworkManager 1.x permite a atacantes remotos reconfigurar un ajuste de límite de salto a través de un valor hop_limit pequeño en un mensaje Router Advertisement (RA), un problema similar a CVE-2015-2922.

A flaw was found in the way NetworkManager handled router advertisements. An unprivileged user on a local network could use IPv6 Neighbor Discovery ICMP to broadcast a non-route with a low hop limit, causing machines to lower the hop limit on existing IPv6 routes. If this limit is small enough, IPv6 packets would be dropped before reaching the final destination.

NetworkManager is a system network service that manages network devices and connections. It was discovered that NetworkManager would set device MTUs based on MTU values received in IPv6 RAs, without sanity checking the MTU value first. A remote attacker could exploit this flaw to create a denial of service attack, by sending a specially crafted IPv6 RA packet to disturb IPv6 communication. A flaw was found in the way NetworkManager handled router advertisements. An unprivileged user on a local network could use IPv6 Neighbor Discovery ICMP to broadcast a non-route with a low hop limit, causing machines to lower the hop limit on existing IPv6 routes. If this limit is small enough, IPv6 packets would be dropped before reaching the final destination.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-04-04 CVE Reserved
2015-09-25 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-358: Improperly Implemented Security Check for Standard

CAPEC

References (8)

URL	Tag	Source
http://openwall.com/lists/oss-security/2015/04/04/2	Mailing List
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	X_refsource_confirm
http://www.securityfocus.com/bid/76879	Vdb Entry

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157803.html	2016-12-07
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158103.html	2016-12-07
https://security.gentoo.org/glsa/201509-05	2016-12-07
https://access.redhat.com/security/cve/CVE-2015-2924	2015-11-19
https://bugzilla.redhat.com/show_bug.cgi?id=1209902	2015-11-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Networkmanager Project Search vendor "Networkmanager Project"		Networkmanager Search vendor "Networkmanager Project" for product "Networkmanager"				<= 1.0.7 Search vendor "Networkmanager Project" for product "Networkmanager" and version " <= 1.0.7"		dev		Affected