Vigil@nce: Linux kernel, denial of service via REJECT
April 2009 by Marc Jacob
SYNTHESIS OF THE VULNERABILITY
When the system is configured as a router, an attacker can send
packets destined to a REJECT route in order to create a denial of
service.
Severity: 2/4
Consequences: denial of service of computer
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 01/04/2009
IMPACTED PRODUCTS
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The "route" command can be used to add a route of type REJECT :
route add -net 192.168.3.0/24 reject
In this case, the kernel rejects all packets destined for this
route, and sends an ICMP Host Unreachable message to the sender.
Each route is stored in a cache (destination IP address and
path). However, once the system has received 64k
(/proc/sys/net/ipv4/route/max_size) different IP addresses, an
error in the cache blocks the IP stack, and the system can no
longer send packets.
When the system is configured as a router, an attacker can
therefore send packets destined to a REJECT route in order to
create a denial of service.
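As an added monitoring check (not part of the advisory or the kernel), the script below reads the route-cache counters a router exposes under /proc and flags when the cache is close to max_size or the kernel has already refused cache entries. It assumes the 2.6-era column layout of /proc/net/stat/rt_cache (first column "entries", hex values, one row per CPU) and embeds a constructed sample so it also runs offline.

```python
"""Route-cache pressure check for a Linux router (added example, 2.6-era /proc layout assumed)."""
from typing import Dict

# Constructed sample of /proc/net/stat/rt_cache on a 2-CPU router; values are hex.
# "entries" is a global counter repeated on every row; gc_dst_overflow is per CPU.
SAMPLE_RT_CACHE = """\
entries  in_hit in_slowtot in_slowmc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slowtot out_slowmc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
0000fe00  00001f40 0000f9c4 00000000 00000000 00000004 00000000 00000000  00000a10 00000120 00000000  00000640 00000000 00000003 00000012 00000000 00000000
0000fe00  00001e80 0000f7b2 00000000 00000000 00000002 00000000 00000000  00000a00 00000110 00000000  00000610 00000000 00000002 00000009 00000000 00000000
"""
SAMPLE_MAX_SIZE = "65536\n"  # constructed: the 64k limit the advisory refers to


def parse_rt_cache(text: str) -> Dict[str, int]:
    """Return the current entry count and the summed gc_dst_overflow counter."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split()
    idx_entries = cols.index("entries")
    idx_overflow = cols.index("gc_dst_overflow")
    entries, overflow = 0, 0
    for row in lines[1:]:
        vals = [int(v, 16) for v in row.split()]
        entries = vals[idx_entries]      # same global value on every CPU row
        overflow += vals[idx_overflow]   # per-CPU counter, so sum the rows
    return {"entries": entries, "gc_dst_overflow": overflow}


def assess(rt_cache_text: str, max_size_text: str, warn_ratio: float = 0.9) -> Dict[str, object]:
    """Compare cache occupancy with max_size; alert near the limit or on any refused allocation."""
    stats = parse_rt_cache(rt_cache_text)
    max_size = int(max_size_text.strip())
    ratio = stats["entries"] / max_size
    return {
        "entries": stats["entries"],
        "max_size": max_size,
        "utilisation": ratio,
        "gc_dst_overflow": stats["gc_dst_overflow"],
        "alert": ratio >= warn_ratio or stats["gc_dst_overflow"] > 0,
    }


def check_live() -> Dict[str, object]:
    """Read the real /proc files; fall back to the constructed sample when they are absent."""
    try:
        with open("/proc/net/stat/rt_cache") as f, open("/proc/sys/net/ipv4/route/max_size") as g:
            return assess(f.read(), g.read())
    except OSError:
        return assess(SAMPLE_RT_CACHE, SAMPLE_MAX_SIZE)


if __name__ == "__main__":
    print(check_live())
```

On a patched kernel the entry count should stay well below max_size and gc_dst_overflow should stay at zero; a climbing count under traffic to a REJECT route is the symptom to watch for.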
CHARACTERISTICS
Identifiers: 485163, BID-34084, CVE-2009-0778, RHSA-2009:0326-01,
VIGILANCE-VUL-8582
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-REJECT-8582