OpenBSD have recently had to change their motto ‘Only one remote exploit in 10 years’ to ‘Only two remote holes in the default install, in more than 10 years’ following the disclosure of a remotely exploitable vulnerability in the systems IPv6 data handling. The issue was discovered by security consulting firm Core Security. The vulnerability is contained in the OpenBSD kernels IPv6 packet handling whereby a specially crafted and fragmented ICMP packet will cause memory corruption. This memory corruption can be used to execute arbitrary code at the kernel level causing a complete system compromise. The attack could also be used to deny access to services provided by the OpenBSD machine by inducing a kernel panic.

Default OpenBSD systems are vulnerable as IPv6 support is enabled by default in the GENERIC kernel build and the packet filter firewall does not filter inbound IPv6 packets.

OpenBSD have released a security fix for versions 4.0 and 3.9 while also advising users to add the rule “block in inet6” to their Packet Filter configuration in the event that patches cannot be applied immediately.