Vigil@nce: Linux kernel, denial of service via SCTP INIT
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can send a special SCTP INIT/INIT-ACK packet, in
order to stop the kernel.
– Severity: 1/4
– Creation date: 12/04/2011
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol uses chunks of type:
– 0 : Payload Data (DATA)
– 1 : Initialization (INIT)
– 2 : Initialization Acknowledgment (INIT-ACK)
– 9 : Operation Error (ERROR)
– etc.
The sctp_make_init() and sctp_make_init_ack() functions create
INIT and INIT-ACK packets. However, the padding of the auth_hmacs and
auth_chunks fields is not counted in the packet size. This error
leads to a call to the BUG() macro, which stops the kernel.
A local attacker can therefore send an SCTP INIT/INIT-ACK packet
carrying hmacs/chunks fields, in order to create a denial of service.
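The accounting error can be made concrete with the following added illustration; it is not kernel code and not part of the bulletin. It assumes the RFC 4960 rule that every SCTP parameter (TLV) is padded to a 4-byte boundary, models the faulty size computation (declared lengths summed without padding) next to the corrected one (padded lengths summed), and uses constructed HMAC-ALGO and CHUNKS parameters whose lengths are not multiples of four; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Round a length up to the next multiple of 4, the padding RFC 4960
 * requires for every parameter carried inside a chunk. */
static size_t word_round(size_t len) { return (len + 3) & ~(size_t)3; }

/* A variable-length parameter header as found in an INIT chunk:
 * type and declared (unpadded) length. Constructed for this example. */
struct sctp_param { uint16_t type; uint16_t len; };

/* Size of a chunk carrying the given parameters. With pad == 0 each
 * parameter contributes only its declared length (the faulty accounting
 * described above); with pad == 1 it contributes its padded length. */
static size_t init_chunk_size(const struct sctp_param *p, size_t n, int pad)
{
    size_t size = 4; /* chunk header: type, flags, length */
    for (size_t i = 0; i < n; i++)
        size += pad ? word_round(p[i].len) : p[i].len;
    return size;
}

/* Append the parameters, each written padded, into a buffer of capacity
 * `cap`. Returns 1 if everything fits, 0 if a padded write would overrun
 * the buffer: the condition the kernel turns into a BUG(). */
static int build_chunk(const struct sctp_param *p, size_t n, size_t cap)
{
    size_t off = 4;
    for (size_t i = 0; i < n; i++) {
        size_t need = word_round(p[i].len);
        if (off + need > cap) return 0;
        off += need;
    }
    return 1;
}

/* Constructed sample: a HMAC-ALGO parameter (type 0x8004) listing one
 * 2-byte HMAC identifier (length 6) and a CHUNKS parameter (type 0x8003)
 * listing three 1-byte chunk types (length 7). */
static const struct sctp_param sample[] = { {0x8004, 6}, {0x8003, 7} };
#define SAMPLE_N (sizeof sample / sizeof sample[0])

int main(void)
{
    size_t faulty = init_chunk_size(sample, SAMPLE_N, 0);   /* 17 */
    size_t fixed = init_chunk_size(sample, SAMPLE_N, 1);    /* 20 */
    printf("unpadded size %zu fits: %d\n", faulty, build_chunk(sample, SAMPLE_N, faulty));
    printf("padded size %zu fits: %d\n", fixed, build_chunk(sample, SAMPLE_N, fixed));
    return 0;
}
```

The unpadded total under-allocates by 3 bytes here, so the padded write of the second parameter no longer fits; counting padded lengths, as the corrected accounting does, removes the mismatch.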
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-SCTP-INIT-10542