Executive Summary

Summary
Title: IPComp encapsulation nested payload vulnerability

Information
Name: VU#668220
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2011-04-01
Last vendor modification: 2011-05-19
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Impact subscore: NA
Exploitability subscore: NA
Temporal score: NA
Environmental score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS base score: 6.8
CVSS impact score: 6.4
CVSS exploit score: 8.6
Attack range: Network
Attack complexity: Medium
Authentication: None required

Detail

Vulnerability Note VU#668220

IPComp encapsulation nested payload vulnerability

Overview

Some IPComp implementations may contain a kernel memory corruption vulnerability in their handling of nested encapsulation of IPComp payloads.

I. Description

RFC 3173 defines the IP Payload Compression Protocol (IPComp) as:

IP payload compression is a protocol to reduce the size of IP datagrams. This protocol will increase the overall communication performance between a pair of communicating hosts/gateways ("nodes") by compressing the datagrams, provided the nodes have sufficient computation power, through either CPU capacity or a compression coprocessor, and the communication is over slow or congested links.

IPComp is commonly used in conjunction with IPsec implementations.

Some network stack implementations, particularly those incorporating the KAME project or NetBSD project IPComp and IPsec implementations, may fail to check for stack overflow in their recursive handling of nested IPComp-encapsulated payloads. Exploitation of this vulnerability could allow a remote attacker to cause kernel memory corruption.

II. Impact

A remote attacker can cause a kernel stack overflow leading to a denial of service or possibly execute arbitrary code.

III. Solution

Apply a Patch from Your Vendor

Please see the Vendor Information below for specific vendor information and patches.

Workarounds

  • Filter IPComp (IP protocol number 108) at network borders if it is not required
  • Use packet filtering on workstations or servers to prevent the vulnerable code from being reached
  • Recompile affected software to disallow nested encapsulation of IPComp payloads, if possible
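The description above says the affected stacks handle nested IPComp payloads recursively with no check on how deep the nesting goes, and the last workaround is to disallow nesting altogether. The following is an added example, not code from the advisory, from KAME, from NetBSD or from any vendor, of how a receive path can walk a chain of IPComp headers without recursion and with an explicit nesting limit. It assumes a policy limit of four levels (IPCOMP_MAX_NESTING, a value chosen here, not taken from the advisory) and, as a simplification, it walks raw 4-byte IPComp headers laid out back to back, omitting the decompression step that a real stack performs between levels; the header layout and the "flags must be zero" rule come from RFC 3173, and the test chains are constructed inline.

```c
/* Added example: depth-bounded, non-recursive walk over nested IPComp
 * headers (RFC 3173).  Not the advisory's or any vendor's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPCOMP_PROTO        108  /* IP protocol number for IPComp (RFC 3173) */
#define IPCOMP_MAX_NESTING  4    /* assumed policy limit, chosen for this example */
#define IPCOMP_HDR_LEN      4    /* next header (1) + flags (1) + CPI (2) */
#define IPPROTO_UDP_NUM     17   /* inner protocol used by the constructed chains */

enum ipcomp_verdict {
    IPCOMP_OK        =  0,
    IPCOMP_TRUNCATED = -1,   /* packet ends inside an IPComp header */
    IPCOMP_TOO_DEEP  = -2,   /* more than IPCOMP_MAX_NESTING levels */
    IPCOMP_BAD_FLAGS = -3    /* RFC 3173: flags are reserved and MUST be zero */
};

struct ipcomp_walk_result {
    size_t  depth;        /* number of IPComp headers consumed */
    uint8_t inner_proto;  /* first next-header value that is not IPComp */
    size_t  payload_off;  /* byte offset of that inner payload */
};

/* Walk the chain iteratively: stack use is constant regardless of how many
 * levels the sender nested, and the loop refuses chains deeper than the
 * limit instead of handing them to the next-protocol handler again. */
int ipcomp_walk(const uint8_t *pkt, size_t len, struct ipcomp_walk_result *r)
{
    size_t off = 0, depth = 0;
    uint8_t proto = IPCOMP_PROTO;   /* the outer IP header said next header = IPComp */

    while (proto == IPCOMP_PROTO) {
        if (depth >= IPCOMP_MAX_NESTING)
            return IPCOMP_TOO_DEEP;
        if (len - off < IPCOMP_HDR_LEN)      /* off <= len holds by construction */
            return IPCOMP_TRUNCATED;
        if (pkt[off + 1] != 0)
            return IPCOMP_BAD_FLAGS;
        proto = pkt[off];                    /* next header of this level */
        off  += IPCOMP_HDR_LEN;
        depth++;
    }
    r->depth = depth;
    r->inner_proto = proto;
    r->payload_off = off;
    return IPCOMP_OK;
}

/* Construct a test chain of n IPComp headers; the last one points at
 * inner_proto.  CPI 2 is the well-known DEFLATE value from RFC 3173. */
size_t build_nested(uint8_t *buf, size_t cap, size_t n, uint8_t inner_proto)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (cap - off < IPCOMP_HDR_LEN)
            return 0;
        buf[off + 0] = (i + 1 < n) ? IPCOMP_PROTO : inner_proto;
        buf[off + 1] = 0;                     /* flags: reserved, zero */
        buf[off + 2] = 0x00;                  /* CPI high byte */
        buf[off + 3] = 0x02;                  /* CPI low byte: DEFLATE */
        off += IPCOMP_HDR_LEN;
    }
    return off;
}

/* Small drivers: build a chain, walk it, report one field. */
int demo_verdict(size_t n)
{
    uint8_t buf[64]; struct ipcomp_walk_result r;
    size_t len = build_nested(buf, sizeof buf, n, IPPROTO_UDP_NUM);
    return ipcomp_walk(buf, len, &r);
}

long demo_payload_off(size_t n)
{
    uint8_t buf[64]; struct ipcomp_walk_result r = {0, 0, 0};
    size_t len = build_nested(buf, sizeof buf, n, IPPROTO_UDP_NUM);
    if (ipcomp_walk(buf, len, &r) != IPCOMP_OK)
        return -1;
    return (long)r.payload_off;
}

int demo_truncated(void)
{
    uint8_t buf[64]; struct ipcomp_walk_result r;
    size_t len = build_nested(buf, sizeof buf, 2, IPPROTO_UDP_NUM);
    return ipcomp_walk(buf, len - 1, &r);     /* drop the last byte of the inner header */
}

int demo_bad_flags(void)
{
    uint8_t buf[64]; struct ipcomp_walk_result r;
    size_t len = build_nested(buf, sizeof buf, 1, IPPROTO_UDP_NUM);
    buf[1] = 0x80;                            /* set a reserved flag bit */
    return ipcomp_walk(buf, len, &r);
}

int main(void)
{
    printf("2 levels: verdict %d, payload at %ld\n", demo_verdict(2), demo_payload_off(2));
    printf("%d levels: verdict %d (limit %d)\n", IPCOMP_MAX_NESTING + 1,
           demo_verdict(IPCOMP_MAX_NESTING + 1), IPCOMP_MAX_NESTING);
    printf("truncated: %d, bad flags: %d\n", demo_truncated(), demo_bad_flags());
    return 0;
}
```

The point of the loop is that the receive path, not the sender, decides how many levels of IPComp it is willing to unwrap; a stack that instead re-enters its protocol dispatch for every level is bounded only by the packet size and the kernel stack, which is the condition the advisory describes. A deployment that takes the third workaround literally would set the limit to 1.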

Vendor Information


Note that any systems derived from the KAME or NetBSD IPComp implementations may be vulnerable.
Vendor | Status | Date Notified | Date Updated
3com Inc | Unknown | 2011-03-30 | 2011-03-30
ACCESS | Unknown | 2011-03-30 | 2011-03-30
Alcatel-Lucent | Unknown | 2011-03-30 | 2011-03-30
Apple Inc. | Not Affected | 2011-03-30 | 2011-04-05
AT&T | Unknown | 2011-03-30 | 2011-03-30
Avaya, Inc. | Unknown | 2011-03-30 | 2011-03-30
Barracuda Networks | Unknown | 2011-03-30 | 2011-03-30
Belkin, Inc. | Unknown | 2011-03-30 | 2011-03-30
Blue Coat Systems | Unknown | 2011-03-30 | 2011-03-30
Borderware Technologies | Unknown | 2011-03-30 | 2011-03-30
Charlotte's Web Networks | Unknown | 2011-03-30 | 2011-03-30
Check Point Software Technologies | Not Affected | 2011-03-30 | 2011-04-04
Cisco Systems, Inc. | Unknown | 2011-03-30 | 2011-03-30
Clavister | Unknown | 2011-03-30 | 2011-03-30
Computer Associates | Unknown | 2011-03-30 | 2011-03-30
Conectiva Inc. | Unknown | 2011-03-30 | 2011-03-30
Cray Inc. | Unknown | 2011-03-30 | 2011-03-30
D-Link Systems, Inc. | Unknown | 2011-03-30 | 2011-03-30
Debian GNU/Linux | Unknown | 2011-03-30 | 2011-03-30
DragonFly BSD Project | Unknown | 2011-03-30 | 2011-03-30
EMC Corporation | Unknown | 2011-03-30 | 2011-03-30
Engarde Secure Linux | Unknown | 2011-03-30 | 2011-03-30
Enterasys Networks | Unknown | 2011-03-30 | 2011-03-30
Ericsson | Unknown | 2011-03-30 | 2011-03-30
eSoft, Inc. | Unknown | 2011-03-30 | 2011-03-30
Extreme Networks | Unknown | 2011-03-30 | 2011-03-30
F5 Networks, Inc. | Unknown | 2011-03-30 | 2011-03-30
Fedora Project | Unknown | 2011-03-30 | 2011-03-30
Force10 Networks, Inc. | Affected | 2011-03-30 | 2011-04-19
Fortinet, Inc. | Not Affected | 2011-03-30 | 2011-05-19
Foundry Networks, Inc. | Unknown | 2011-03-30 | 2011-03-30
FreeBSD Project | Affected | 2011-03-30 | 2011-04-01
Fujitsu | Unknown | 2011-03-30 | 2011-03-30
Gentoo Linux | Unknown | 2011-03-30 | 2011-03-30
Global Technology Associates, Inc. | Unknown | 2011-03-30 | 2011-03-30
Google | Unknown | 2011-03-30 | 2011-03-30
Hewlett-Packard Company | Unknown | 2011-03-30 | 2011-03-30
Hitachi | Unknown | 2011-03-30 | 2011-03-30
IBM Corporation | Unknown | 2011-03-30 | 2011-03-30
IBM Corporation (zseries) | Unknown | 2011-03-30 | 2011-03-30
IBM eServer | Unknown | 2011-03-30 | 2011-03-30
Infoblox | Unknown | 2011-03-30 | 2011-03-30
Intel Corporation | Unknown | 2011-03-30 | 2011-03-30
Internet Security Systems, Inc. | Unknown | 2011-03-30 | 2011-03-30
Intoto | Unknown | 2011-03-30 | 2011-03-30
IP Infusion, Inc. | Unknown | 2011-03-30 | 2011-03-30
Juniper Networks, Inc. | Not Affected | 2011-03-30 | 2011-04-04
m0n0wall | Unknown | 2011-03-30 | 2011-03-30
Mandriva S. A. | Unknown | 2011-03-30 | 2011-03-30
McAfee | Unknown | 2011-03-30 | 2011-03-30
Microsoft Corporation | Not Affected | 2011-03-30 | 2011-04-01
MontaVista Software, Inc. | Unknown | 2011-03-30 | 2011-03-30
NEC Corporation | Unknown | 2011-03-30 | 2011-03-30
NetApp | Unknown | 2011-03-30 | 2011-03-30
NetBSD | Affected | 2011-03-30 | 2011-04-25
netfilter | Unknown | 2011-03-30 | 2011-03-30
Nokia | Unknown | 2011-03-30 | 2011-03-30
Nortel Networks, Inc. | Unknown | 2011-03-30 | 2011-03-30
Novell, Inc. | Unknown | 2011-03-30 | 2011-03-30
OpenBSD | Unknown | 2011-03-30 | 2011-03-30
Openwall GNU/*/Linux | Not Affected | 2011-03-30 | 2011-04-01
Oracle Corporation | Not Affected | 2011-03-30 | 2011-03-31
Palo Alto Networks | Not Affected | 2011-03-30 | 2011-04-12
PePLink | Unknown | 2011-03-30 | 2011-03-30
Process Software | Unknown | 2011-03-30 | 2011-03-30
Q1 Labs | Unknown | 2011-03-30 | 2011-03-30
QNX Software Systems Inc. | Unknown | 2011-03-30 | 2011-03-30
RadWare, Inc. | Unknown | 2011-03-30 | 2011-03-30
Red Hat, Inc. | Not Affected | 2011-03-30 | 2011-03-30
Redback Networks, Inc. | Unknown | 2011-03-30 | 2011-03-30
SafeNet | Unknown | 2011-03-30 | 2011-03-30
Secureworx, Inc. | Unknown | 2011-03-30 | 2011-03-30
Silicon Graphics, Inc. | Unknown | 2011-03-30 | 2011-03-30
Slackware Linux Inc. | Unknown | 2011-03-30 | 2011-03-30
SmoothWall | Unknown | 2011-03-30 | 2011-03-30
Snort | Unknown | 2011-03-30 | 2011-03-30
Sony Corporation | Unknown | 2011-03-30 | 2011-03-30
Sourcefire | Unknown | 2011-03-30 | 2011-03-30
Stonesoft | Unknown | 2011-03-30 | 2011-03-30
Sun Microsystems, Inc. | Not Affected | 2011-03-30 | 2011-04-01
SUSE Linux | Unknown | 2011-03-30 | 2011-03-30
Symantec | Unknown | 2011-03-30 | 2011-03-30
The SCO Group | Unknown | 2011-03-30 | 2011-03-30
TippingPoint Technologies Inc. | Unknown | 2011-03-30 | 2011-03-30
Turbolinux | Unknown | 2011-03-30 | 2011-03-30
U4EA Technologies, Inc. | Unknown | 2011-03-30 | 2011-03-30
Ubuntu | Unknown | 2011-03-30 | 2011-03-30
Unisys | Unknown | 2011-03-30 | 2011-03-30
VMware | Not Affected | 2011-03-30 | 2011-04-01
Vyatta | Unknown | 2011-03-30 | 2011-03-30
Watchguard Technologies, Inc. | Not Affected | 2011-03-30 | 2011-04-01
Wind River Systems, Inc. | Not Affected | 2011-03-30 | 2011-04-12
ZyXEL | Unknown | 2011-03-30 | 2011-03-30

References

http://tools.ietf.org/html/rfc3173
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html

Credit

Thanks to Tavis Ormandy of Google for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2011-04-01
Date First Published: 2011-04-01
Date Last Updated: 2011-05-19
CERT Advisory:
CVE-ID(s): CVE-2011-1547
NVD-ID(s): CVE-2011-1547
US-CERT Technical Alerts:
Severity Metric: 54.77
Document Revision: 36

Original Source

URL: http://www.kb.cert.org/vuls/id/668220

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type | Description | Count
Os | | 5

ExploitDB Exploits

Id | Description
2011-04-01 | IPComp encapsulation pre-auth kernel memory corruption

Open Source Vulnerability Database (OSVDB)

Id | Description
71418 | NetBSD IPComp Header Payload Decompression Overflow

NetBSD is prone to an overflow condition. The program fails to properly sanitize user-supplied input, resulting in a stack overflow. With a specially crafted packet containing an RFC 3173 IPComp payload, a remote attacker can potentially execute arbitrary code.

71417 | FreeBSD IPComp Payload Decompression Overflow

FreeBSD is prone to an overflow condition. The program fails to properly sanitize user-supplied input, resulting in a stack overflow. With a specially crafted packet containing an RFC 3173 IPComp payload, a remote attacker can potentially execute arbitrary code.