Vista - Weak IPv6 Security Leaves Computers Wide Open

Your precious firewall can't save you now!

Weak or nonexistent implementations in computer security software can leave otherwise-secure computers wide open for attack – so open, in fact, that in some cases it’s as if there’s no firewall running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, Linux’s 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phones operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as naked in IPv6 space as they would be in IPv4-space without a firewall, with any program that listens for connections allowed to accept them. Most operating systems, by default, use a handful of “listeners” used for networking and internal processes – and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow with Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily covered up by a firewall.

Network administrators who don’t keep tabs of their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It's like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzer of the Honeynet project observed a hacker that broke in to a Solaris-based honeypot through normal means, enabled IPv6 connectivity in the OS, and then set up a tunnel out of the network that went into another country. The break-in was only discovered due to network packet-sniffing, and even then Spitzer says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes designed to tunnel IPv6 traffic through an IPv4 system, like Teredo or the 6to4 system: the very act of tunneling often circumvents firewalls by nature.
“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as it can – a widget on Command Interface’s web site estimates that the internet will run out of IPv4 addresses in about two and a half years – some fear that technological progress may be outpacing the security that keeps it safe.

Source:- DailyTech - Weak IPv6 Security Leaves Computers Wide Open

I'm not really surprised by the problems with IPV6, but I didn't know about this major security hole in IPV6.

The worst part of this, is that over 90 percent of the consumer routers on the market today, don't even support IPV6 and IPV6 security in anyway, people with consumer grade routers such as the Linksys WRTG54 are wide open, and don't even know it. I'm taking a pretty large guess with this.

Well, is this any different than when IPv4 was first introduced to the household? How many people who jumped on the broadband wagon in its initial stages even knew what a firewall was?

I agree that IPv6 is a problem - but I also say that this should in no way be surprising....

I just hope they get these issues straightened out and soon.

Doesn't the built-in Windows Firewall with Vista protect inbound traffic on IPV6 interfaces via the Advanced Security control under Administrative tools control panel?

The Windows Firewall might protect you on IPV6, but the majority of consumer routers in existance today don't. Right now anyone running just a hardware router, or just a software router could very well be wide open for the IPV6 vulnerability and not even know it.

What about disabling the IP Helper service? Since that service provides automatic IPv6 connectivity over an IPv4 network, wouldn't that close the hole?

Its lucky no Routers down in Australia come with IPV6 yet

it was one of the first things i disabled in Vista, ipv6 translation. In fact all new protocols/formats whatever which are not imperative for everyday use i disable as standard practice.
Haven't seen a new feature yet that was not bugridden/security hazard.

Is this the way to disable it? or is there anything else to do?