Title: Multiple Vendor IRDP Vulnerability
Severity: MODERATE
Description:
[This discussion is verbatim from the LHI Advisory referenced in the "Reference Section" of this vulnerability entry with very few changes]
The ICMP Router Discovery Protocol (IRDP) is enabled by default on DHCP clients running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000. By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server. This results in higher susceptibility to denial of service, passive snooping and man-in-the-middle attacks. While Windows2000 does have IRDP enabled by default, it is less vulnerable because it is impossible to give it a route that is preferred over the default route obtained via DHCP.
SunOS systems will also intentionally use IRDP under specific conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started if the following conditions are met:
- The system is a host, not a router.
- The system did not learn a default gateway from a DHCP server.
- The system does not have any static routes.
- The system does not have a valid /etc/defaultrouter file.
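A defender's view of the spoofed Router Advertisements described above: this added example (not part of the LHI advisory or of this entry) parses ICMP Router Advertisement messages in the RFC 1256 layout and reports any that come from, or advertise, a router outside a known list. The function names, the `TRUSTED_ROUTERS` set and the sample packets (documentation addresses from 192.0.2.0/24) are assumptions constructed for illustration.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9            # ICMP type, RFC 1256
TRUSTED_ROUTERS = {"192.0.2.1"}          # assumption: the site's real gateway

# Constructed sample ICMP messages (checksum zeroed; not verified here).
GOOD = bytes.fromhex("09000000 01020708 c0000201 00000000")
ROGUE = bytes.fromhex("09000000 01020708 c0000242 000003e8")

def parse_router_advertisement(icmp):
    """Return (lifetime, [(router, preference)]) or None if not type 9."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, count, entry_words, lifetime = struct.unpack(
        "!BBHBBH", icmp[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT:
        return None
    if entry_words < 2 or len(icmp) < 8 + count * entry_words * 4:
        raise ValueError("bad entry size or truncated entries")
    routes = []
    for i in range(count):
        off = 8 + i * entry_words * 4
        # Each entry: 32-bit router address, signed 32-bit preference level.
        addr, pref = struct.unpack("!4si", icmp[off:off + 8])
        routes.append((str(ipaddress.IPv4Address(addr)), pref))
    return lifetime, routes

def audit_advertisement(src_ip, icmp, trusted=TRUSTED_ROUTERS):
    """Return a list of findings for one received ICMP message."""
    try:
        parsed = parse_router_advertisement(icmp)
    except ValueError as exc:
        return [f"malformed advertisement from {src_ip}: {exc}"]
    if parsed is None:
        return []
    lifetime, routes = parsed
    findings = []
    if src_ip not in trusted:
        findings.append(f"advertisement from untrusted source {src_ip}")
    for router, pref in routes:
        if router not in trusted:
            findings.append(f"unexpected default router {router} "
                            f"(preference {pref}, lifetime {lifetime}s)")
    return findings

if __name__ == "__main__":
    for src, pkt in (("192.0.2.1", GOOD), ("192.0.2.66", ROGUE)):
        print(src, audit_advertisement(src, pkt) or "ok")
```

On a network where no router legitimately sends IRDP advertisements, leave the trusted set empty so that every type 9 message is reported.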
Affected Products:
- Microsoft Windows 98 a
- Microsoft Windows 98 b
- Microsoft Windows 98SE
- Sun Solaris 2.6
- Sun Solaris 2.6_x86
References:
- L0pht Heavy Industries: L0pht Heavy Industries Advisories
- L0pht Heavy Industries: NFR Intrusion Detection Module
- Microsoft: Q216141: Disable IRDP Automatically Using WSH VBScript
- Sun Microsystems: Sun Patch Access Page
- Sun Microsystems: Sunsolve Online(tm)