CVE-2008-2476 — Improper Input Validation in Vxworks

CWE-20 — Improper Input Validation6 documents6 sources

Severity

9.3CRITICALNVD

EPSS

10.5%

top 6.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Windriver Vxworks Freebsd Openbsd

Timeline

PublishedOct 3

Latest updateMay 3

Description

The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB).

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

▶NVDwindriver/vxworks6.4+2

▶NVDopenbsd/openbsd4.2, 4.3+1

Also affects: Freebsd 6.3, 7.1

🔴Vulnerability Details

GHSA

GHSA-xvw3-ghj5-vvrf: The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6↗2022-05-03

▶

CVEList

CVE-2008-2476: The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6↗2008-10-03

▶

📋Vendor Advisories

Juniper

CVE-2008-2476: The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before↗2008-10-03

▶

BSD

FreeBSD-SA-08:10.nd6: IPv6 Neighbor Discovery Protocol routing vulnerability↗2008-10-02

▶

Red Hat

CVE-2008-2476: The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6↗

▶