Support Announcements
COVR-2600R & COVR-3902 Kit :: Kit H/W Rev. Ax :: F/W v1.01 :: IPv6 DDoS Routing Loop Vulnerability

Overview


On January 11, 2021, a 3rd party security researcher from Tsinghua University's Network and Information Security Laboratory submitted a report accusing the COVR-3902 using firmware v1.01 of a DDoS vulnerability. The vulnerability uses an exploit in the device's IPv6 forwarding routing loop handling, which could amplify the traffic into a DDoS attack between the upstream router and the affected COVR-3902.
 
The COVR-3902, or COVR-3902-US in the United States, is a Kit including the COVR-2600R WiFi Router and the COVR-1300E WiFi Extender. This vulnerability affects the Router device in the kit, COVR-2600R.
 
The reported vulnerability was confirmed, and a patch has been released to close the security issue.


3rd Party Report information

 

          - Report provided:Xiang Li, Network and Information Security Lab, Tsinghua University ::

                                         x-l19 _at_ mails _dot_ tsinghua _dot_ edu _dot_ cn

 
          - Reference :
To Be Post upon author's public disclosure

 

(Quoted from Original Support by 3rd Party)

For a home router connecting an ISP's broadband network, its WAN interface is assigned a globally unique IPv6 prefix (e.g., 2001:db8:1:5678::/64), and its LAN network is delegated a globally addressable IPv6 prefix (e.g., 2001:db8:2:1230::/60) as well by its upstream ISP router.

According to the IPv6 address and routing module, the home router picks one 128-bits IPv6 address as its WAN interface's address (e.g., 2001:db8:1:5678:1111:2222:3333:4444) and assigns one /64 sub-prefix to its LAN network (e.g., 2001:db8:2:1230::/64). Then, the home router inserts two routes into its routing table.

During the routing process, for the ISP router, any packet with a destination within the 2001:db8:1:5678::/64 or 2001:db8:2:1230::/60 would be transmitted to the home router. Whereas for the home router, any packet with a destination, not the 2001:db8:1:5678:1111:2222:3333:4444 or not within the 2001:db8:2:1230::/64, would be sent back to the ISP router, following the default routing policy.

As a result, such a packet would be forwarded between the ISP router and the home router until the Hop Limit field in the IPv6 header is zeroed out. The maximum value of this field is 255. Thus, the loops can amplify traffic with a ratio of >200 (minus the former hop count). What's worse, if we fake the source IPv6 address with the same Not-used Prefix and address, we could double the loop times or more.

    

 Affected Models

 

Model Hardware Revision Affected FW Fixed FW Recommendation  Last Updated
COVR-2600R All Ax Hardware Revisions v1.01 & Below
v1.01b05_Beta01 Hotfix Please download and update 04/12/2021

  

Regarding Security patch for your D-Link Devices
 
Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually and we strongly recommend all users to install the relevant updates.
 
Please note that this is a device beta software, beta firmware, or hot-fix release which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an “as is” and “as available” basis and the user assumes all risk and liability for use thereof. D-Link does not provide any warranties, whether express or implied, as to the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the beta firmware.
 
As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.