Vigil@nce - FreeBSD: denial of service via SCTP
August 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A remote attacker can send a special SCTP packet to FreeBSD, in
order to stop the kernel.
Severity: 2/4
Creation date: 06/08/2012
IMPACTED PRODUCTS
– FreeBSD
DESCRIPTION OF THE VULNERABILITY
The SCTP (Stream Control Transmission Protocol) protocol is used
to transfer messages to several recipients.
The chunk SCTP ASCONF (Address Configuration Change, RFC 5061)
changes IP addresses. However, if this chunk uses the INADDR_ANY
(all addresses) IPv4 address, the sctp_findassoc_by_vtag()
function of the FreeBSD kernel sets a NULL pointer, which is then
dereferenced in sctp_process_control().
A remote attacker can therefore send a special SCTP packet to
FreeBSD, in order to stop the kernel.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-denial-of-service-via-SCTP-11823