Vigil@nce - Linux kernel: denial of service via nf_ct_frag6_reasm
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the firewall uses the nf_conntrack_ipv6 module, a remote
attacker can send fragmented packets, in order to stop the kernel.
Severity: 2/4
Creation date: 10/07/2012
IMPACTED PRODUCTS
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The ip6tables nf_conntrack_ipv6 module is used to track IPv6/TCP
sessions.
When a router sends an ICMPV6_PKT_TOOBIG message advertising an MTU
smaller than 1280 (the IPv6 minimum), the subsequent packets are
fragmented, and nf_conntrack_ipv6 reassembles them.
However, if the subsequent packet is sent as a single fragment, the
kernel function nf_ct_frag6_reasm() tries to access the second
fragment and dereferences a NULL pointer.
When the firewall uses the nf_conntrack_ipv6 module, a remote
attacker can therefore send fragmented packets, in order to stop
the kernel.
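The defect described above is a reassembly routine that assumes a completed fragment queue always holds at least two fragments. The following C model, added here to illustrate the bulletin and not taken from the kernel, shows that pattern next to its checked form. The types and function names (frag, frag_queue, reasm_unchecked, reasm_checked, the demo_* helpers) and the sample payloads are invented for this example; they are not nf_ct_frag6_reasm() or its data structures.

```c
/* Simplified model of the reassembly step run once all fragments of an
 * IPv6 datagram have been queued. Written for this bulletin; not kernel
 * code. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One queued fragment: its payload and that payload's byte offset in the
 * original datagram. Fragments are linked in ascending offset order. */
struct frag {
    struct frag *next;      /* NULL after the last queued fragment */
    uint16_t offset;
    uint16_t len;
    const uint8_t *data;
};

struct frag_queue {
    struct frag *head;      /* fragment with offset 0 */
    uint16_t total_len;     /* datagram length, learned from the M=0 fragment */
};

/* Copy the fragments starting at first into out, requiring them to be
 * contiguous from expect_off. Returns the end offset reached, or 0 on a
 * gap or overflow. */
static size_t copy_tail(const struct frag *first, size_t expect_off,
                        uint8_t *out, size_t out_len)
{
    const struct frag *fp;
    size_t end = expect_off;

    for (fp = first; fp; fp = fp->next) {
        if (fp->offset != end || (size_t)fp->offset + fp->len > out_len)
            return 0;
        memcpy(out + fp->offset, fp->data, fp->len);
        end += fp->len;
    }
    return end;
}

/* The vulnerable pattern: the second fragment is read through head->next
 * without a NULL check. A datagram that arrived as a single fragment
 * (offset 0, M flag clear) has head->next == NULL and faults here. */
size_t reasm_unchecked(const struct frag_queue *q, uint8_t *out, size_t out_len)
{
    const struct frag *head = q->head;
    const struct frag *second = head->next;   /* BUG: NULL for one fragment */
    size_t end;

    if (head->len > out_len)
        return 0;
    memcpy(out, head->data, head->len);
    if (second->offset != head->len)          /* NULL dereference */
        return 0;
    end = copy_tail(second, head->len, out, out_len);
    return end == q->total_len ? end : 0;
}

/* Checked form: a single-fragment queue is legitimate, so the tail of the
 * chain is only walked when it exists. */
size_t reasm_checked(const struct frag_queue *q, uint8_t *out, size_t out_len)
{
    const struct frag *head = q->head;
    size_t end;

    if (!head || head->offset != 0 || head->len > out_len)
        return 0;
    memcpy(out, head->data, head->len);
    end = head->len;
    if (head->next)                           /* only walk a tail that exists */
        end = copy_tail(head->next, head->len, out, out_len);
    return end == q->total_len ? end : 0;
}

/* Constructed sample payloads for the demos below. */
static const uint8_t part_a[] = "hello, ";   /* 7 bytes used */
static const uint8_t part_b[] = "world";     /* 5 bytes used */

/* Two fragments covering a 12-byte datagram; both routines handle this. */
size_t demo_two_fragments(uint8_t *out, size_t out_len, int use_checked)
{
    struct frag b = { NULL, 7, 5, part_b };
    struct frag a = { &b, 0, 7, part_a };
    struct frag_queue q = { &a, 12 };
    return use_checked ? reasm_checked(&q, out, out_len)
                       : reasm_unchecked(&q, out, out_len);
}

/* The case from the bulletin: the whole datagram arrived as one fragment.
 * Only the checked routine is safe to call here. */
size_t demo_single_fragment(uint8_t *out, size_t out_len)
{
    struct frag a = { NULL, 0, 7, part_a };
    struct frag_queue q = { &a, 7 };
    return reasm_checked(&q, out, out_len);
}

/* A queue with a gap (bytes 7..9 missing) must be rejected, not assembled. */
size_t demo_gap(uint8_t *out, size_t out_len)
{
    struct frag b = { NULL, 10, 2, part_b };
    struct frag a = { &b, 0, 7, part_a };
    struct frag_queue q = { &a, 12 };
    return reasm_checked(&q, out, out_len);
}
```

The point for a reviewer of reassembly code is the guard in reasm_checked(): a datagram carrying a fragment header with offset 0 and the M flag clear is a complete datagram in a single fragment, so any bookkeeping that starts from the "second" fragment has to be conditional on that fragment being present.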
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-nf-ct-frag6-reasm-11751