Executive Summary

Summary
Title: KAME project IPv6 IPComp header denial of service vulnerability
Information
Name: VU#110947
First vendor Publication: 2008-02-06
Vendor: VU-CERT
Last vendor Modification: 2008-02-27
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score: 7.8
Attack Range: Network
Cvss Impact Score: 6.9
Attack Complexity: Low
Cvss Exploit Score: 10
Authentication: None Required

Detail

Vulnerability Note VU#110947

KAME project IPv6 IPComp header denial of service vulnerability

Overview

The KAME project's IPv6 implementation does not properly process IPv6 packets that contain the IPComp header. If exploited, this vulnerability may allow an attacker to cause a vulnerable system to crash.

I. Description

Per RFC 3173:

    IP payload compression is a protocol to reduce the size of IP datagrams. This protocol will increase the overall communication performance between a pair of communicating hosts/gateways ("nodes") by compressing the datagrams, provided the nodes have sufficient computation power, through either CPU capacity or a compression coprocessor, and the communication is over slow or congested links.


Systems that have IPv6 networking derived from the KAME project IPv6 implementation may not properly process IPv6 packets that contain an IPComp header. An attacker can exploit this vulnerability by sending an IPv6 packet with an IPComp header to a vulnerable system.

II. Impact

A remote, unauthenticated attacker can cause a vulnerable system to crash.

III. Solution

See the systems affected section of this document for a partial list of affected vendors. Administrators who compile their kernel from source should see http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37 for more information.

Restrict access

Until updates can be applied, using a packet-filtering firewall to block IPv6 packets that contain the IPComp header may prevent this vulnerability from being exploited by remote attackers.
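
A filter that implements the restriction above has to find an IPComp header (IP protocol number 108) anywhere in the IPv6 extension-header chain, not only directly after the fixed header. The following C function is an added example, not code from the advisory or from any vendor's firewall; the name classify_ipv6 and the verdict names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define NH_HOPOPTS   0
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_AH       51
#define NH_DSTOPTS  60
#define NH_IPCOMP  108   /* IANA protocol number for IPComp (RFC 3173) */

/* Verdicts a filter rule could act on (hypothetical names). */
enum verdict { PASS = 0, DROP_IPCOMP = 1, DROP_MALFORMED = 2 };

/* Walk the IPv6 header chain in pkt[0..len) and classify the packet.
 * Every read is preceded by a length check, so a truncated packet is
 * rejected instead of being dereferenced. */
enum verdict classify_ipv6(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 40 || (pkt[0] >> 4) != 6)
        return DROP_MALFORMED;
    uint8_t nh = pkt[6];          /* Next Header field of the fixed header */
    size_t off = 40;              /* first byte after the fixed header */

    for (int hops = 0; hops < 16; hops++) {   /* cap the chain length */
        size_t hlen;
        if (nh == NH_IPCOMP)
            return DROP_IPCOMP;
        if (nh != NH_HOPOPTS && nh != NH_ROUTING && nh != NH_FRAGMENT &&
            nh != NH_AH && nh != NH_DSTOPTS)
            return PASS;          /* upper-layer protocol reached */
        if (len - off < 2)        /* need next-header and length bytes */
            return DROP_MALFORMED;
        if (nh == NH_FRAGMENT)
            hlen = 8;                               /* fixed size */
        else if (nh == NH_AH)
            hlen = ((size_t)pkt[off + 1] + 2) * 4;  /* 4-octet units */
        else
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units */
        if (hlen > len - off)
            return DROP_MALFORMED;
        nh = pkt[off];            /* this header's Next Header field */
        off += hlen;
    }
    return DROP_MALFORMED;        /* unreasonably long header chain */
}
```

A stateless check like this sees IPComp only when it is reachable through the cleartext header chain; anything carried inside ESP is opaque to the filter.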

Systems Affected

Vendor | Status | Date Updated
3com, Inc. | Unknown | 30-Nov-2007
Alcatel | Unknown | 30-Nov-2007
Apple Computer, Inc. | Vulnerable | 27-Feb-2008
AT&T | Unknown | 30-Nov-2007
Avaya, Inc. | Unknown | 30-Nov-2007
Avici Systems, Inc. | Unknown | 30-Nov-2007
Borderware Technologies | Not Vulnerable | 30-Jan-2008
Bro | Unknown | 30-Nov-2007
CentOS | Unknown | 21-Jan-2008
Charlotte's Web Networks | Unknown | 30-Nov-2007
Check Point Software Technologies | Unknown | 30-Nov-2007
Chiaro Networks, Inc. | Unknown | 30-Nov-2007
Cisco Systems, Inc. | Not Vulnerable | 8-Feb-2008
Clavister | Unknown | 30-Nov-2007
Computer Associates | Not Vulnerable | 1-Feb-2008
Computer Associates eTrust Security Management | Not Vulnerable | 1-Feb-2008
Conectiva Inc. | Unknown | 30-Nov-2007
Cray Inc. | Unknown | 30-Nov-2007
D-Link Systems, Inc. | Unknown | 30-Nov-2007
Data Connection, Ltd. | Unknown | 30-Nov-2007
Debian GNU/Linux | Not Vulnerable | 6-Feb-2008
EMC Corporation | Unknown | 30-Nov-2007
Engarde Secure Linux | Unknown | 30-Nov-2007
Enterasys Networks | Unknown | 30-Nov-2007
Ericsson | Unknown | 30-Nov-2007
eSoft, Inc. | Unknown | 30-Nov-2007
Extreme Networks | Unknown | 30-Nov-2007
F5 Networks, Inc. | Unknown | 30-Nov-2007
Fedora Project | Unknown | 30-Nov-2007
Force10 Networks, Inc. | Vulnerable | 6-Feb-2008
Fortinet, Inc. | Unknown | 30-Nov-2007
Foundry Networks, Inc. | Unknown | 30-Nov-2007
FreeBSD, Inc. | Vulnerable | 27-Feb-2008
Fujitsu | Unknown | 30-Nov-2007
Gentoo Linux | Unknown | 30-Nov-2007
Global Technology Associates | Not Vulnerable | 12-Dec-2007
Hewlett-Packard Company | Unknown | 30-Nov-2007
Hitachi | Not Vulnerable | 1-Feb-2008
Hyperchip | Unknown | 30-Nov-2007
IBM Corporation | Not Vulnerable | 6-Feb-2008
IBM Corporation (zseries) | Unknown | 30-Nov-2007
IBM eServer | Unknown | 30-Nov-2007
Ingrian Networks, Inc. | Unknown | 30-Nov-2007
Intel Corporation | Unknown | 1-Feb-2008
Internet Security Systems, Inc. | Not Vulnerable | 6-Feb-2008
Intoto | Not Vulnerable | 8-Feb-2008
IP Filter | Unknown | 30-Nov-2007
Juniper Networks, Inc. | Vulnerable | 7-Feb-2008
KAME Project | Vulnerable | 7-Feb-2008
Linksys (A division of Cisco Systems) | Unknown | 30-Nov-2007
Linux Kernel Archives | Not Vulnerable | 13-Feb-2008
Lucent Technologies | Unknown | 30-Nov-2007
Luminous Networks | Unknown | 30-Nov-2007
m0n0wall | Unknown | 30-Nov-2007
Mandriva, Inc. | Unknown | 30-Nov-2007
McAfee | Not Vulnerable | 12-Dec-2007
Microsoft Corporation | Unknown | 30-Nov-2007
MontaVista Software, Inc. | Unknown | 30-Nov-2007
Multinet (owned Process Software Corporation) | Unknown | 30-Nov-2007
Multitech, Inc. | Unknown | 30-Nov-2007
NEC Corporation | Unknown | 30-Nov-2007
NetBSD | Vulnerable | 12-Dec-2007
netfilter | Unknown | 30-Nov-2007
Network Appliance, Inc. | Unknown | 30-Nov-2007
NextHop Technologies, Inc. | Unknown | 30-Nov-2007
Nokia | Unknown | 5-Feb-2008
Nortel Networks, Inc. | Unknown | 30-Nov-2007
Novell, Inc. | Not Vulnerable | 1-Feb-2008
OpenBSD | Unknown | 30-Nov-2007
Openwall GNU/*/Linux | Unknown | 30-Nov-2007
PC-BSD | Unknown | 5-Feb-2008
QNX, Software Systems, Inc. | Vulnerable | 1-Feb-2008
RadWare, Inc. | Unknown | 5-Feb-2008
Red Hat, Inc. | Unknown | 30-Nov-2007
Redback Networks, Inc. | Not Vulnerable | 5-Feb-2008
Riverstone Networks, Inc. | Unknown | 30-Nov-2007
Secure Computing Network Security Division | Not Vulnerable | 12-Dec-2007
Secureworx, Inc. | Unknown | 30-Nov-2007
Silicon Graphics, Inc. | Unknown | 30-Nov-2007
Slackware Linux Inc. | Unknown | 30-Nov-2007
SmoothWall | Not Vulnerable | 12-Dec-2007
Snort | Unknown | 30-Nov-2007
Sony Corporation | Unknown | 30-Nov-2007
Sourcefire | Unknown | 30-Nov-2007
Stonesoft | Unknown | 30-Nov-2007
Sun Microsystems, Inc. | Not Vulnerable | 6-Feb-2008
SUSE Linux | Unknown | 30-Nov-2007
Symantec, Inc. | Unknown | 30-Nov-2007
The SCO Group | Not Vulnerable | 12-Dec-2007
TippingPoint, Technologies, Inc. | Not Vulnerable | 12-Dec-2007
Trustix Secure Linux | Unknown | 30-Nov-2007
Turbolinux | Unknown | 30-Nov-2007
Ubuntu | Unknown | 30-Nov-2007
Unisys | Unknown | 30-Nov-2007
Watchguard Technologies, Inc. | Unknown | 30-Nov-2007
Wind River Systems, Inc. | Unknown | 30-Nov-2007
ZyXEL | Unknown | 30-Nov-2007

References


http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
http://www.kame.net/
http://www.ietf.org/rfc/rfc3173.txt
http://secunia.com/advisories/28816/
http://secunia.com/advisories/28788/
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
http://jvn.jp/cert/JVNVU%23110947/
http://www.milw0rm.com/exploits/5191

Credit

Thanks to Shoichi Sakane of the KAME project for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public: 02/06/2008
Date First Published: 02/06/2008 07:05:57 AM
Date Last Updated: 02/27/2008
CERT Advisory:
CVE Name: CVE-2008-0177
US-CERT Technical Alerts:
Metric: 4.39
Document Revision: 35

Original Source

Url : http://www.kb.cert.org/vuls/id/110947

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 1

ExploitDB Exploits

id Description
2008-02-26 Apple Mac OS X xnu <= 1228.3.13 - IPv6-ipcomp Remote kernel DoS PoC

OpenVAS Exploits

Date Description
2010-05-12 Name : Mac OS X 10.5.3 Update / Mac OS X Security Update 2008-003
File : nvt/macosx_upd_10_5_3_secupd_2008-003.nasl
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2008-09-04 Name : FreeBSD Security Advisory (FreeBSD-SA-08:04.ipsec.asc)
File : nvt/freebsdsa_ipsec2.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
41111 KAME Project kame/sys/netinet6/ipcomp_input.c ipcomp6_input() Function Malfor...

The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header.

Nessus® Vulnerability Scanner

Date Description
2008-05-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_5_3.nasl - Type : ACT_GATHER_INFO
2008-05-29 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2008-003.nasl - Type : ACT_GATHER_INFO