Vigil@nce - Linux kernel: denial of service via IGMP
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send several IGMP packets, in order to stop the
Linux kernel.
Severity: 2/4
Creation date: 10/01/2012
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
IGMP (Internet Group Management Protocol) is used to manage
multicast group membership. There are three versions:
– IGMP v1: RFC 1112
– IGMP v2: RFC 2236
– IGMP v3: RFC 3376
Routers (Queriers) periodically send Membership Query packets to
query the list of groups on the network. Clients have a maximum
delay in which to reply:
– IGMP v1: 10 seconds
– IGMP v2: indicated in the MaxRespTime field of the query
– IGMP v3: the same field, but with a different encoding
The Linux kernel records the IGMP version of the Queriers present
on the network. If an IGMP v3 query is received while IGMP v2
routers are present, the kernel changes its behavior.
The igmp_heard_query() function of the Linux kernel processes
received queries, and starts a timer in order to reply later
(unless another client replies first). The timer duration depends
on the IGMP version. When an IGMP v3 query is received while IGMP
v2 routers are present, the kernel uses the MaxRespTime field.
However, if this field is zero, a division (modulo) by zero occurs.
An attacker can therefore send several IGMP packets, in order to
stop the Linux kernel.
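The version rules and response-time encodings described above, as an added C example that is not part of the Vigil@nce bulletin or of the kernel source: it classifies a Membership Query the way RFC 3376 does, decodes the maximum response time, flags an IGMP v3 query whose value is zero, and shows a guarded modulo. The function names, the clamp to 1 and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define IGMP_MEMBERSHIP_QUERY 0x11

/* Query version by RFC 3376 section 7.1 rules; 0 means "not a query". */
static int igmp_query_version(const uint8_t *p, size_t len)
{
    if (len < 8 || p[0] != IGMP_MEMBERSHIP_QUERY)
        return 0;
    if (len == 8)
        return p[1] == 0 ? 1 : 2;   /* v1 leaves the field at zero */
    return len >= 12 ? 3 : 0;       /* 9..11 bytes is malformed */
}

/* Maximum response time in 1/10 s, as each version defines it. */
static unsigned igmp_max_resp_time(const uint8_t *p, size_t len)
{
    int v = igmp_query_version(p, len);
    if (v == 0)
        return 0;
    if (v == 1)
        return 100;                 /* fixed 10 seconds */
    if (v == 3 && p[1] >= 128)      /* v3 float: 1 | exp(3) | mant(4) */
        return ((p[1] & 0x0fu) | 0x10u) << (((p[1] >> 4) & 0x07) + 3);
    return p[1];
}

/* Detection check: IGMP v3 query carrying a zero maximum response time. */
static int igmp_v3_zero_max_resp(const uint8_t *p, size_t len)
{
    return igmp_query_version(p, len) == 3 && p[1] == 0;
}

/* Hypothetical guarded delay choice: the modulo is never taken by zero. */
static unsigned pick_delay(unsigned rnd, unsigned max_delay)
{
    return rnd % (max_delay ? max_delay : 1);
}

int main(void)
{
    /* Constructed samples; checksum and group bytes are left at zero. */
    const uint8_t v2[8]  = {0x11, 0x64};
    const uint8_t v3[12] = {0x11, 0x00};
    printf("v2: version %d, max resp %u\n", igmp_query_version(v2, 8), igmp_max_resp_time(v2, 8));
    printf("v3: flagged %d, delay %u\n", igmp_v3_zero_max_resp(v3, 12), pick_delay(12345u, igmp_max_resp_time(v3, 12)));
    return 0;
}
```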
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-IGMP-11264