Vigil@nce: Linux kernel, denial of service via VLAN Priority
December 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A network attacker can send a VLAN packet with a priority, in
order to generate an error in netif_receive_skb(), which stops the
kernel.
– Severity: 2/4
– Creation date: 22/11/2011
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The 802.1Q VLAN header contains 4 bytes:
– 2 bytes: TPID (Tag Protocol Identifier): EtherType 0x8100
– 3 bits: PCP (Priority Code Point): priority level
– 1 bit: CFI (Canonical Format Indicator): compatibility with Token Ring
– 12 bits: VID (VLAN Identifier)
When the kernel receives a packet with a nonzero PCP and a zero
VID, the netif_receive_skb() function uses an invalid SKB (Socket
Kernel Buffer).
A network attacker can therefore send a VLAN packet with a
priority, in order to generate an error in netif_receive_skb(),
which stops the kernel.
This vulnerability may only impact the RHEL 6 kernel, but this is
not confirmed.
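Added example (not part of the Vigil@nce bulletin): a small C parser for the 4-byte tag described above that flags the frame shape the bulletin names, a nonzero PCP with a zero VID, for instance when triaging captured frames. The function names and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TPID_8021Q 0x8100u      /* EtherType announcing an 802.1Q tag */

struct vlan_tag {
    uint8_t  pcp;               /* 3 bits: Priority Code Point */
    uint8_t  cfi;               /* 1 bit: Canonical Format Indicator */
    uint16_t vid;               /* 12 bits: VLAN Identifier */
};

/* Returns 1 and fills *out for a tagged frame, 0 for an untagged frame,
 * -1 when the buffer is too short to decide. */
int parse_vlan_tag(const uint8_t *frame, size_t len, struct vlan_tag *out)
{
    if (len < 14)               /* dst MAC + src MAC + EtherType */
        return -1;
    uint16_t tpid = (uint16_t)((frame[12] << 8) | frame[13]);
    if (tpid != TPID_8021Q)
        return 0;
    if (len < 18)               /* tag present but TCI or inner type cut off */
        return -1;
    uint16_t tci = (uint16_t)((frame[14] << 8) | frame[15]);
    out->pcp = (uint8_t)(tci >> 13);
    out->cfi = (uint8_t)((tci >> 12) & 0x1);
    out->vid = (uint16_t)(tci & 0x0FFF);
    return 1;
}

/* The condition from the bulletin: nonzero PCP together with VID 0. */
int is_priority_tagged_vid0(const uint8_t *frame, size_t len)
{
    struct vlan_tag t;
    return parse_vlan_tag(frame, len, &t) == 1 && t.pcp != 0 && t.vid == 0;
}

/* Constructed Ethernet headers, not captured traffic. */
static const uint8_t sample_prio[18] = {        /* PCP=5, CFI=0, VID=0 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0xa0,0x00, 0x08,0x00 };
static const uint8_t sample_vlan[18] = {        /* PCP=3, CFI=0, VID=100 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0x60,0x64, 0x08,0x00 };

int main(void)
{
    printf("sample_prio flagged: %d\n", is_priority_tagged_vid0(sample_prio, sizeof sample_prio));
    printf("sample_vlan flagged: %d\n", is_priority_tagged_vid0(sample_vlan, sizeof sample_vlan));
    return 0;
}
```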
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-VLAN-Priority-11174