Vigil@nce: Linux kernel, denial of service via GRE/Tunnel
February 2010 by Vigil@nce
When the system starts, an attacker can send a tunneled packet, in order to stop the system.
Consequences: denial of service of computer
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 18/02/2010
DESCRIPTION OF THE VULNERABILITY
The Linux kernel implements several tunnel types :
GRE (Generic Routing Encapsulation) : net/ipv4/ip_gre.c
IP in IP : net/ipv4/ipip.c
IPv6 : net/ipv6/ip6_tunnel.c
IPv6 : net/ipv6/sit.c
IPv6 : net/ipv6/xfrm6_tunnel.c
When these protocols are compiled as kernel modules, and when a packet is received before the module loading, an error occurs in net_generic(), and stops the kernel.
When the system starts, an attacker can therefore send a tunneled packet, in order to stop the system.
Identifiers: BID-38301, BID-38303, VIGILANCE-VUL-9461