CVE-2022-27881

7.5 HIGH

📋 TL;DR

This is a heap buffer overflow vulnerability in OpenBSD's slaacd daemon, triggered by malicious IPv6 router advertisements containing more than seven nameserver entries. It affects OpenBSD systems with IPv6 enabled, potentially allowing remote code execution or denial of service. The vulnerability is mitigated by OpenBSD's privilege separation and pledge security mechanisms.

💻 Affected Systems

Products:
  • OpenBSD
Versions: 6.9 and 7.0 before 2022-02-21
Operating Systems: OpenBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPv6 enabled and slaacd running (default on OpenBSD with IPv6)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges leading to complete system compromise

🟠 Likely Case: Denial of service (slaacd crash) or limited code execution within pledge constraints

🟢 If Mitigated: Denial of service only, with privilege separation preventing full system compromise

🌐 Internet-Facing: MEDIUM - Requires IPv6 connectivity and malicious router advertisements, but IPv6 is commonly enabled
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they control router advertisements on the network

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploit requires crafting malicious IPv6 router advertisements; detailed analysis available in public blog posts

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenBSD 6.9-stable after 2022-02-21, 7.0-stable after 2022-02-21

Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/patches/

Restart Required: Yes

Instructions:

1. Apply the official patch from OpenBSD (6.9: 030_slaacd.patch; 7.0: 014_slaacd.patch)
2. Rebuild and reinstall slaacd
3. Restart the slaacd service or reboot the system

🔧 Temporary Workarounds

Disable IPv6 Router Advertisement Processing (platform: openbsd)

Prevent slaacd from processing router advertisements:

  rcctl disable slaacd
  rcctl stop slaacd

Network Filtering (platform: all)

Block malicious router advertisements at the network perimeter: configure the firewall to filter ICMPv6 type 134 packets with suspicious payloads.

🧯 If You Can't Patch

  • Disable slaacd service entirely if IPv6 autoconfiguration is not required
  • Implement strict network segmentation to limit exposure to untrusted IPv6 networks

🔍 How to Verify

Check if Vulnerable:

Check the OpenBSD version with uname -a. If the version is 6.9 or 7.0 and the patch date is before 2022-02-21, the system is vulnerable.

Check Version:

uname -a

Verify Fix Applied:

Verify the patch is applied: pkg_info | grep slaacd, or check whether /usr/sbin/slaacd was updated after 2022-02-21.

📡 Detection & Monitoring

Log Indicators:

  • slaacd crash logs in /var/log/messages
  • Unexpected slaacd process termination

Network Indicators:

  • Malformed IPv6 router advertisements with >7 nameserver entries
  • ICMPv6 type 134 packets with abnormal payload sizes
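
The network indicators above can be checked mechanically. The following is an added example (not code from the advisory or from OpenBSD) that parses the ICMPv6 body of a Router Advertisement, walks its option chain and counts the nameserver addresses carried in RDNSS options (RFC 8106, option type 25), flagging a packet when the total exceeds the seven-entry threshold stated above or when the option chain is malformed. The RA layout follows RFC 4861; the sample packets are constructed inline, and the choice to sum addresses across all RDNSS options in one RA (rather than per option) is an assumption made here to keep the check conservative.

```python
# Added detection example (not part of the advisory): parse the ICMPv6
# body of a Router Advertisement and count the nameserver addresses carried
# in RDNSS options (RFC 8106, option type 25).  The threshold of 7 comes from
# the advisory text; the packets at the bottom are constructed samples.
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # ICMPv6 type for RA (RFC 4861)
ND_OPT_RDNSS = 25                   # Recursive DNS Server option (RFC 8106)
RA_HEADER_LEN = 16                  # type, code, cksum, hop limit, flags, lifetime, reachable, retrans
MAX_SAFE_NAMESERVERS = 7            # advisory: more than seven entries is the trigger condition


def count_rdnss_addresses(icmpv6_body: bytes):
    """Return (is_ra, total_nameserver_count, parse_issues) for an ICMPv6 message.

    Only the ICMPv6 payload is expected (no IPv6 header).  Non-RA messages
    return (False, 0, [...]).  Truncated or malformed options are reported in
    parse_issues instead of raising, so this is safe to run over captured bytes.
    Addresses are summed across all RDNSS options in the RA (assumption).
    """
    issues = []
    if len(icmpv6_body) < RA_HEADER_LEN:
        return False, 0, ["message shorter than RA header"]
    msg_type = icmpv6_body[0]
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        return False, 0, [f"not a router advertisement (type {msg_type})"]

    total = 0
    offset = RA_HEADER_LEN
    while offset < len(icmpv6_body):
        if len(icmpv6_body) - offset < 2:
            issues.append("trailing bytes too short for an option header")
            break
        opt_type = icmpv6_body[offset]
        opt_len = icmpv6_body[offset + 1] * 8     # length field is in units of 8 octets
        if opt_len == 0:
            issues.append(f"option type {opt_type} with zero length")  # forbidden by RFC 4861
            break
        if offset + opt_len > len(icmpv6_body):
            issues.append(f"option type {opt_type} runs past end of packet")
            break
        if opt_type == ND_OPT_RDNSS:
            # RDNSS layout: type(1) len(1) reserved(2) lifetime(4), then 16-byte addresses
            addr_bytes = opt_len - 8
            if addr_bytes < 16 or addr_bytes % 16 != 0:
                issues.append("RDNSS option with invalid length")
            else:
                total += addr_bytes // 16
        offset += opt_len
    return True, total, issues


def is_suspicious_ra(icmpv6_body: bytes, threshold: int = MAX_SAFE_NAMESERVERS) -> bool:
    """True when the RA carries more nameserver addresses than the threshold,
    or when its option chain is malformed (both are worth an alert here)."""
    is_ra, total, issues = count_rdnss_addresses(icmpv6_body)
    return is_ra and (total > threshold or bool(issues))


def build_ra(nameservers) -> bytes:
    """Construct a minimal RA body with one RDNSS option listing the given addresses.
    The checksum is left zero; it is irrelevant to option parsing."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in nameservers)
    rdnss = struct.pack("!BBHI", ND_OPT_RDNSS, (8 + len(addrs)) // 8, 0, 3600) + addrs
    return header + rdnss


# Constructed samples: a benign RA with two resolvers and one carrying eight.
BENIGN_RA = build_ra(["2001:db8::53", "2001:db8::54"])
OVERSIZED_RA = build_ra([f"2001:db8::{i}" for i in range(1, 9)])

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RA), ("oversized", OVERSIZED_RA)):
        _, n, problems = count_rdnss_addresses(pkt)
        print(f"{name}: {n} nameserver(s), suspicious={is_suspicious_ra(pkt)}, issues={problems}")
```

To use this on live traffic, feed it the ICMPv6 payload of each type 134 packet taken from a capture (strip the IPv6 header first); the malformed-option path fires on truncated or zero-length options as well, which covers the "abnormal payload sizes" indicator without a separate rule.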

SIEM Query:

source="*/messages" AND "slaacd" AND ("crash" OR "segmentation fault" OR "abnormal termination")
