CVE-2021-45484

7.5 HIGH

📋 TL;DR

NetBSD's IPv6 implementation uses a weak cryptographic pseudo-random number generator (PRNG) to generate fragment IDs, so attackers can predict fragment IDs and potentially bypass firewall rules or conduct denial-of-service attacks. It affects NetBSD systems with IPv6 enabled. The risk is highest for internet-facing systems using IPv6.

💻 Affected Systems

Products:
  • NetBSD
Versions: All versions through 9.2
Operating Systems: NetBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPv6 enabled and using fragment reassembly. IPv4 is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could predict IPv6 fragment IDs to bypass firewall rules, conduct network-based attacks, or cause denial-of-service by exhausting system resources through crafted fragment traffic.

🟠 Likely Case

Network-based attackers could predict fragment sequences to bypass certain firewall configurations or conduct targeted attacks against IPv6-enabled services.

🟢 If Mitigated

With proper network segmentation and firewall rules limiting IPv6 fragment traffic, impact is reduced to potential information disclosure about fragment generation patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access and understanding of IPv6 fragmentation. The academic paper provides technical details but not weaponized exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NetBSD 9.3 and later

Vendor Advisory: http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2021-001.txt.asc

Restart Required: Yes

Instructions:

1. Update to NetBSD 9.3 or later.
2. Apply security patches if available for earlier versions.
3. Reboot the system to load the updated kernel.

🔧 Temporary Workarounds

Disable IPv6 fragment reassembly

Platform: NetBSD host

Configure the system to drop IPv6 fragments or limit fragment reassembly (setting both limits to 0 makes the kernel discard incoming fragments instead of reassembling them):

sysctl -w net.inet6.ip6.maxfrags=0
sysctl -w net.inet6.ip6.maxfragpackets=0

Implement network filtering

Platform: Linux (perimeter firewall in front of the NetBSD host)

Use firewall rules to drop or limit IPv6 fragment traffic. ip6tables matches the IPv6 Fragment extension header with the frag module (the -f/--fragment option belongs to IPv4 iptables):

ip6tables -A INPUT -m frag -j DROP

🧯 If You Can't Patch

  • Implement strict firewall rules to drop all IPv6 fragment traffic at network perimeter
  • Consider disabling IPv6 entirely if not required for operations

🔍 How to Verify

Check if Vulnerable:

Check NetBSD version: uname -a. If version is 9.2 or earlier, system is vulnerable if IPv6 is enabled.

Check Version:

uname -a

Verify Fix Applied:

Verify NetBSD version is 9.3 or later: uname -a. Check that security patches are applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual IPv6 fragment traffic patterns
  • Firewall logs showing fragment bypass attempts

Network Indicators:

  • High volume of IPv6 fragments from single sources
  • Predictable fragment ID sequences in network captures

SIEM Query:

source.ipv6 AND (protocol.fragment = true) AND (event.count > threshold)
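The two network indicators above, fragment volume per source and predictable fragment-ID sequences, can be checked directly over a capture. The script below is an added example for this page, not NetBSD code and not part of the CVE entry. It assumes a simple per-fragment log format (src=<ipv6> fragid=0x<hex>) that you would produce from a capture tool such as tshark; the sample log is constructed in code and is not real traffic. The predictability score is the share of consecutive ID deltas that equal the most common delta, so a counter or fixed-stride generator scores 1.0 while IDs without a dominant stride score roughly 1/(n-1). When assessing a NetBSD host, look at packets whose source is that host, since the fragment IDs are chosen by the sender.

```python
"""Fragment-ID indicator check over a constructed IPv6 fragment log.

Added example for this page; not NetBSD code and not from the CVE entry.
The log format is an assumption for illustration.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"src=(?P<src>[0-9a-fA-F:]+)\s+fragid=0x(?P<id>[0-9a-fA-F]{1,8})")
MASK32 = 0xFFFFFFFF


def parse_fragment_log(text):
    """Map each source address to its fragment IDs in observation order."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_src[m.group("src")].append(int(m.group("id"), 16))
    return dict(by_src)


def stride_regularity(ids):
    """Share of consecutive 32-bit deltas equal to the single most common delta.

    A pure counter (or any fixed stride) scores 1.0; IDs with no dominant
    stride score about 1/(n-1). Fewer than three IDs is too little to judge.
    """
    if len(ids) < 3:
        return 0.0
    deltas = [(b - a) & MASK32 for a, b in zip(ids, ids[1:])]
    _top_delta, top_count = Counter(deltas).most_common(1)[0]
    return top_count / len(deltas)


def flag_sources(by_src, min_frags=8, regularity_threshold=0.8):
    """Return {src: [reasons]} for sources matching either indicator."""
    findings = {}
    for src, ids in by_src.items():
        reasons = []
        if len(ids) >= min_frags:
            reasons.append("high-volume")
        if stride_regularity(ids) >= regularity_threshold:
            reasons.append("predictable-ids")
        if reasons:
            findings[src] = reasons
    return findings


def constructed_log():
    """Build a small constructed log (no real traffic) covering both indicators."""
    lines = []
    # Host a: counter-style IDs, the shape a weak fragment-ID generator produces.
    for i in range(8):
        lines.append(f"src=2001:db8::a fragid=0x{0x00004000 + i:08x}")
    # Host b: a handful of IDs with no repeated stride (hand-picked values).
    for v in (0x9f3a12c4, 0x0b77e9d1, 0xe2c05a88, 0x5d19f30e, 0x3acd7b26, 0xc481de9f):
        lines.append(f"src=2001:db8::b fragid=0x{v:08x}")
    # Host c: many fragments, but every consecutive delta is distinct.
    ident = 0x7E000000
    lines.append(f"src=2001:db8::c fragid=0x{ident:08x}")
    for k in range(1, 12):
        ident = (ident + 0x01000001 * k) & MASK32
        lines.append(f"src=2001:db8::c fragid=0x{ident:08x}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, reasons in flag_sources(parse_fragment_log(constructed_log())).items():
        print(src, ", ".join(reasons))
```

Running it reports host a for both indicators (eight fragments with delta 1 throughout), host c for volume only, and nothing for host b. Tune min_frags to the fragment rate you normally see per source; the regularity threshold is deliberately high so that an occasional retransmission does not trip it.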
