How to remediate – Reachable IPv6 address

1. Introduction

The vulnerability ‘Reachable IPv6 address’ means a system has an externally accessible IPv6 address, even when primarily using IPv4 networking. This matters because it expands the attack surface and could allow unwanted connections to the host. Systems with both IPv4 and IPv6 enabled are usually affected. A successful connection could compromise confidentiality, integrity, or availability of data on the host.

2. Technical Explanation

The issue arises when network interfaces are configured with global scope IPv6 addresses alongside private IPv4 addresses. Firewalls may not always correctly filter traffic to these IPv6 addresses. An attacker could attempt direct connection attempts over IPv6, bypassing IPv4-focused security measures. There is no specific CVE associated with this general configuration issue. For example, an attacker on the internet might scan for and connect directly to a server’s IPv6 address if it’s publicly reachable, attempting services like SSH or RDP. Affected systems include those running any operating system supporting IPv6, such as Windows, Linux, and macOS.

• Root cause: Global scope IPv6 addresses configured on network interfaces despite not actively using IPv6 for communication.
• Exploit mechanism: An attacker attempts to connect directly to the host’s IPv6 address, exploiting any open ports or vulnerable services. A simple example is a port scan followed by an SSH brute-force attempt.
• Scope: All operating systems and network devices supporting IPv6 are potentially affected if global scope addresses are enabled without appropriate filtering.

3. Detection and Assessment

Confirming vulnerability involves checking for globally routable IPv6 addresses on the host. A quick check can identify active interfaces, while a thorough scan will reveal external reachability.

• Quick checks: Use ipconfig /all (Windows) or ifconfig -a (Linux/macOS) to list network interfaces and their addresses. Look for addresses that are not in the link-local range (fe80::/10).
• Scanning: Nessus plugin ID 13927 can identify reachable IPv6 addresses. OpenVAS also has relevant checks, but results may vary depending on scanner configuration.
• Logs and evidence: Firewall logs might show traffic to or from the host’s global IPv6 address. System logs may indicate IPv6 interface configuration changes.

ipconfig /all

4. Solution / Remediation Steps

Fixing this issue involves disabling unused IPv6 functionality or implementing appropriate filtering. These steps should be performed carefully to avoid disrupting network connectivity if IPv6 is in use.

4.1 Preparation

• Ensure a roll back plan exists by documenting current settings. A simple reversal of the steps below should restore functionality.
• A change window may be needed depending on network impact and approval processes.

4.2 Implementation

1. Step 1: Disable IPv6 if it is not actively used. On Windows, disable all IPv6 components in the Network Adapter properties.
2. Step 2: If IPv6 must remain enabled, disable any unused IPv6 interfaces using the network configuration tools of your operating system.
3. Step 3: Implement IP filtering on firewalls to block unwanted traffic to or from the host’s global IPv6 address.

4.3 Config or Code Example

Before

# Linux network interface configuration (example)
auto eth0
iface eth0 inet6 auto

After

# Linux network interface configuration (example)
auto eth0
iface eth0 inet6 manual 

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue and reduce the overall attack surface.

• Practice 1: Least privilege – only enable network services that are absolutely necessary, reducing potential entry points for attackers.
• Practice 2: Network segmentation – isolate systems with unnecessary IPv6 connectivity to limit the impact of a compromise.

4.5 Automation (Optional)

# PowerShell example to disable IPv6 on all network adapters
Get-NetAdapter | ForEach-Object {
  Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6
}

5. Verification / Validation

Confirm the fix by checking for the absence of globally routable IPv6 addresses and verifying that essential services still function.

• Post-fix check: Run ipconfig /all (Windows) or ifconfig -a (Linux/macOS). Ensure no global scope IPv6 addresses are listed, only link-local addresses (fe80::/10).
• Re-test: Re-run the Nessus plugin ID 13927 scan. The vulnerability should no longer be reported.
• Smoke test: Verify that essential network services like DNS resolution and web browsing still work as expected.
• Monitoring: Monitor firewall logs for any unexpected IPv6 traffic to or from the host.

ipconfig /all

6. Preventive Measures and Monitoring

Update security baselines and implement checks in CI/CD pipelines to prevent similar issues in the future.

• Baselines: Update your security baseline or policy to include a requirement for disabling unused IPv6 functionality (for example, CIS control 5.1).
• Asset and patch process: Review network configurations regularly as part of a vulnerability management program.

7. Risks, Side Effects, and Roll Back

Disabling IPv6 could impact applications that rely on it. Always have a roll back plan in place.

• Risk or side effect 1: Disabling IPv6 may break some applications if they are configured to use it.
• Risk or side effect 2: Incorrect firewall configuration can block legitimate traffic.
• Roll back:
  1. Step 1: Re-enable IPv6 components in the Network Adapter properties (Windows).
  2. Step 2: Enable any previously disabled IPv6 interfaces using your operating system’s network configuration tools.
  3. Step 3: Remove or adjust any firewall rules that were added to block IPv6 traffic.

8. References and Resources

• Vendor advisory or bulletin: N/A – This is a general configuration issue, not specific to one vendor.
• NVD or CVE entry: N/A – No specific CVE for this general case.
• Product or platform documentation relevant to the fix: Microsoft IPv6 Documentation