Vigil@nce - FreeBSD: read-write access via SCTP Stream ID
February 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a large SCTP Stream ID on FreeBSD, in
order to read or alter kernel memory data.
Impacted products: FreeBSD
Severity: 2/4
Creation date: 28/01/2015
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol is used to transport several message streams,
multiplexed over one connection.
The SCTP_SS_VALUE option of an SCTP socket is used to read or
modify the number of a stream. However, if this number is too
large, FreeBSD does not reject the request, and reads or alters
two bytes in memory.
A local attacker can therefore use a large SCTP Stream ID on
FreeBSD, in order to read or alter kernel memory data.
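The missing check described above, shown as an added userland
example in C. This is not FreeBSD kernel code and not part of the
original bulletin. The struct layout, the function names and the
sample association are hypothetical; the point is that the stream
ID is validated before the two-byte value is read or written.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: one 16-bit value per outbound stream. */
struct stream_out { uint16_t ss_value; };
struct assoc {
    uint16_t nstreams;          /* streams actually allocated */
    struct stream_out *streams; /* array of nstreams entries */
};

/* Constructed sample association with 4 streams (IDs 0..3). */
static struct stream_out demo_streams[4];
static struct assoc demo_assoc = { 4, demo_streams };
static uint16_t demo_out;

/* Reject any caller-supplied stream ID outside the allocated array
   before it is used as an index. */
static int stream_lookup(const struct assoc *a, uint16_t stream_id,
                         struct stream_out **out)
{
    if (a == NULL || a->streams == NULL || stream_id >= a->nstreams)
        return EINVAL;
    *out = &a->streams[stream_id];
    return 0;
}

/* Read path: copies out two bytes only for a valid stream ID. */
int ss_value_get(const struct assoc *a, uint16_t stream_id, uint16_t *value)
{
    struct stream_out *s;
    int err = stream_lookup(a, stream_id, &s);
    if (err != 0)
        return err;
    *value = s->ss_value;
    return 0;
}

/* Write path: stores two bytes only for a valid stream ID. */
int ss_value_set(struct assoc *a, uint16_t stream_id, uint16_t value)
{
    struct stream_out *s;
    int err = stream_lookup(a, stream_id, &s);
    if (err != 0)
        return err;
    s->ss_value = value;
    return 0;
}

int main(void)
{
    printf("set id 3 -> %d\n", ss_value_set(&demo_assoc, 3, 0x1234));
    printf("get id 3 -> %d\n", ss_value_get(&demo_assoc, 3, &demo_out));
    printf("set id 4 -> %d (EINVAL=%d)\n",
           ss_value_set(&demo_assoc, 4, 1), EINVAL);
    return 0;
}
```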
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeBSD-read-write-access-via-SCTP-Stream-ID-16069