Vigil@nce - Linux kernel: denial of service via Netfilter Conntrack Ext
June 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send packets that require a complex analysis by
Netfilter Conntrack, in order to trigger a denial of service of
the Linux kernel.
Impacted products: Debian, Linux, netfilter, Ubuntu
Severity: 2/4
Creation date: 08/04/2015
DESCRIPTION OF THE VULNERABILITY
The Linux kernel includes the Netfilter firewall, whose Conntrack
component implements connection tracking.
The nf_ct_ext structure stores the extensions required to track
some protocols. However, the size of these extensions is stored in
an 8-bit integer, whereas their cumulated size can be larger than
256 bytes in some cases (PPTP + NAT). Netfilter then tries to read
an unreachable memory area, which triggers a fatal error.
An attacker can therefore send packets that require a complex
analysis by Netfilter Conntrack, in order to trigger a denial of
service of the Linux kernel.
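The following C program is an added illustration of the integer-truncation bug class the bulletin describes; it is not Vigil@nce's or the kernel's code. It models an extension header whose offsets and length are 8-bit fields, lays out a constructed set of extension sizes whose total passes 255 bytes, and counts how many recorded fields no longer match the true values. The same layout is repeated with 16-bit fields (the widening assumed here as the mitigation) and with a bounds check that refuses an extension instead of silently narrowing the store. The struct shapes, the extension sizes and the function names are all assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_MAX 4

/* Constructed model of an extension header with 8-bit offsets and length, the
 * shape the bulletin describes for nf_ct_ext. Illustration only, not kernel code. */
struct ext_hdr_narrow {
    uint8_t offset[EXT_MAX];
    uint8_t len;
};

/* The same model with 16-bit fields, wide enough for the cumulated sizes
 * (assumed here as the mitigation). */
struct ext_hdr_wide {
    uint16_t offset[EXT_MAX];
    uint16_t len;
};

/* Extension sizes constructed for the demo. The fourth extension already starts
 * past byte 255 (offsets 0, 96, 176, 272) and the total is 320 bytes. */
static const size_t demo_sizes[EXT_MAX] = { 96, 80, 96, 48 };

/* Does an extension of 'size' bytes still fit when the header's length field can
 * hold at most 'field_max'? This is the check that must run before the store. */
int ext_fits(size_t cur_len, size_t size, size_t field_max)
{
    return size <= field_max && cur_len <= field_max - size;
}

/* Lay out the demo extensions with the narrow header. Every store narrows to
 * 8 bits exactly as a uint8_t assignment does. Returns the number of recorded
 * fields (offsets plus the final length) that disagree with the true value; a
 * reader trusting those fields would address the wrong memory. */
size_t narrow_layout_mismatches(void)
{
    struct ext_hdr_narrow h = { {0}, 0 };
    size_t true_len = 0, mismatches = 0;

    for (int id = 0; id < EXT_MAX; id++) {
        h.offset[id] = (uint8_t)true_len;          /* truncating store */
        if ((size_t)h.offset[id] != true_len)
            mismatches++;
        true_len += demo_sizes[id];
        h.len = (uint8_t)true_len;                 /* truncating store */
    }
    if ((size_t)h.len != true_len)
        mismatches++;
    return mismatches;
}

/* Same layout with 16-bit fields: no store narrows, so nothing mismatches. */
size_t wide_layout_mismatches(void)
{
    struct ext_hdr_wide h = { {0}, 0 };
    size_t true_len = 0, mismatches = 0;

    for (int id = 0; id < EXT_MAX; id++) {
        h.offset[id] = (uint16_t)true_len;
        if ((size_t)h.offset[id] != true_len)
            mismatches++;
        true_len += demo_sizes[id];
        h.len = (uint16_t)true_len;
    }
    if ((size_t)h.len != true_len)
        mismatches++;
    return mismatches;
}

/* Count how many demo extensions a bounds-checked allocator accepts into a
 * header whose length field can hold 'field_max' bytes. */
size_t checked_layout_accepted(size_t field_max)
{
    size_t cur_len = 0, accepted = 0;

    for (int id = 0; id < EXT_MAX; id++) {
        if (!ext_fits(cur_len, demo_sizes[id], field_max))
            break;                 /* refuse instead of truncating */
        cur_len += demo_sizes[id];
        accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("narrow (8-bit) fields: %zu mismatches\n", narrow_layout_mismatches());
    printf("wide (16-bit) fields:  %zu mismatches\n", wide_layout_mismatches());
    printf("8-bit length field with bounds check accepts %zu of %d extensions\n",
           checked_layout_accepted(UINT8_MAX), EXT_MAX);
    printf("16-bit length field with bounds check accepts %zu of %d extensions\n",
           checked_layout_accepted(UINT16_MAX), EXT_MAX);
    return 0;
}
```

With the narrow header the fourth offset is recorded as 16 instead of 272 and the length as 64 instead of 320, which is the kind of stale value that sends a later lookup to an unrelated address. Either widening the fields or checking `ext_fits` before the store removes the mismatch; the check alone makes the failure explicit (the extension is refused) rather than silent.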
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-Netfilter-Conntrack-Ext-16553