Vigil@nce: Linux kernel, denial of service via SCTP INIT
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can send a special SCTP INIT/INIT-ACK packet, in order to stop the kernel.
Creation date: 12/04/2011
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol uses chunks of type:
0 : Payload Data (DATA)
1 : Initialization (INIT)
2 : Initialization Acknowledgment (INIT-ACK)
9 : Operation Error (ERROR)
The sctp_make_init() and sctp_make_init_ack() functions create INIT and INIT-ACK packets. However, the padding of the auth_hmacs and auth_chunks fields is not counted in the packet size. This error leads to a call to the BUG() macro, which stops the kernel.
A local attacker can therefore send a SCTP INIT/INIT-ACK packet with hmacs/chunks fields, in order to create a denial of service.
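The following is an added example, not code from the Vigil@nce bulletin or from the Linux kernel. It models the size accounting the bulletin describes: SCTP parameters such as HMAC-ALGO and CHUNKS are padded to a 4-byte boundary while their Length field excludes that padding, so a builder that sums the raw Length fields reserves too little room for the chunk. The parameter type values are those of RFC 4895; the structure and function names (param_hdr, init_auth_size_padded, params_fit, ...) are this example's own, and the parameter counts used in main() are constructed sample values.

```c
/* Added example, not from the bulletin or the kernel: why ignoring
 * parameter padding undercounts the size of an INIT/INIT-ACK chunk.
 * RFC 4960 section 3.2.1: a parameter's Length covers header and value
 * only; the parameter is then padded to a multiple of 4 bytes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Generic SCTP parameter header (Type, Length), both 16-bit. */
struct param_hdr {
    uint16_t type;
    uint16_t length;   /* header + value, padding NOT included */
};

#define SCTP_PARAM_CHUNKS    0x8003  /* CHUNKS parameter, RFC 4895 */
#define SCTP_PARAM_HMAC_ALGO 0x8004  /* HMAC-ALGO parameter, RFC 4895 */

/* Round a Length up to the next multiple of 4: the space the parameter
 * really occupies in the chunk (the kernel calls this WORD_ROUND()). */
size_t padded_len(uint16_t length)
{
    return ((size_t)length + 3U) & ~(size_t)3U;
}

/* HMAC-ALGO: header followed by one 16-bit identifier per HMAC. */
uint16_t hmac_algo_len(unsigned n_hmac_ids)
{
    return (uint16_t)(sizeof(struct param_hdr) + 2U * n_hmac_ids);
}

/* CHUNKS: header followed by one byte per chunk type. */
uint16_t chunks_len(unsigned n_chunk_types)
{
    return (uint16_t)(sizeof(struct param_hdr) + n_chunk_types);
}

/* Flawed accounting: sum of raw Length fields, padding ignored. */
size_t init_auth_size_unpadded(unsigned n_hmac_ids, unsigned n_chunk_types)
{
    return (size_t)hmac_algo_len(n_hmac_ids) + chunks_len(n_chunk_types);
}

/* Correct accounting: each parameter rounded to its 4-byte boundary. */
size_t init_auth_size_padded(unsigned n_hmac_ids, unsigned n_chunk_types)
{
    return padded_len(hmac_algo_len(n_hmac_ids))
         + padded_len(chunks_len(n_chunk_types));
}

/* Check a builder should make before appending the parameters: does
 * the room reserved for the chunk hold them once padded? In the kernel,
 * appending past the reserved size is what trips the BUG() in the
 * socket-buffer code. Returns 1 if the parameters fit, 0 otherwise. */
int params_fit(size_t reserved, unsigned n_hmac_ids, unsigned n_chunk_types)
{
    return init_auth_size_padded(n_hmac_ids, n_chunk_types) <= reserved ? 1 : 0;
}

int main(void)
{
    /* Constructed sample combinations of HMAC identifiers / chunk types. */
    const unsigned samples[][2] = { {2, 4}, {3, 3}, {1, 1}, {3, 5} };
    size_t i;

    printf("%-10s %-10s %-9s %-7s %s\n",
           "hmac_ids", "chunk_types", "unpadded", "padded", "fits?");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned h = samples[i][0], c = samples[i][1];
        size_t raw = init_auth_size_unpadded(h, c);
        printf("%-10u %-11u %-9zu %-7zu %s\n", h, c, raw,
               init_auth_size_padded(h, c),
               params_fit(raw, h, c) ? "yes" : "NO (undercount)");
    }
    return 0;
}
```

Only combinations whose parameters happen to be 4-byte aligned pass the check when the reserved size comes from the unpadded sum; any odd number of chunk types or HMAC identifiers makes the padded total exceed the reservation, which is the situation the bulletin describes.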
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN