Vigil@nce: Solaris, denial of service via n2cp
June 2009 by Vigil@nce
An attacker can use an invalid key size in order to generate a
memory leak in n2cp.
Severity: 1/4
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/06/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The n2cp driver uses cryptographic features of the UltraSPARC-T2
processor.
HMAC algorithms are used to compute a hash based on a key and on a
standard hashing algorithm. The n2cp driver offers HMACs based on
MD5, SHA-1 and SHA-256. The size of the key depends on the size of
the block of the algorithm (16, 20 and 32).
When the size of the key is greater than 32, an error occurs in
n2cp, and the memory area used to store the HMAC context is never
freed.
An attacker can therefore use a long key size in order to generate
a memory leak in n2cp.
CHARACTERISTICS
Identifiers: 258828, 6784968, 6786946, VIGILANCE-VUL-8811
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-n2cp-8811