Vigil@nce: Linux kernel, memory corruption of SCTP FWD-TSN
January 2009 by Vigil@nce
An attacker can send an SCTP packet carrying a FORWARD TSN chunk in
order to corrupt kernel memory, leading to a denial of service or to
code execution.
– Gravity: 2/4
– Consequences: administrator access/rights, denial of service of
the computer
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 05/01/2009
IMPACTED PRODUCTS
– Linux kernel
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol (Stream Control Transmission Protocol) can be
used to carry one or several streams within an association. The
FORWARD TSN chunk (RFC3758) carries a new cumulative TSN
(Transmission Sequence Number) so that the receiver moves forward
in the session, skipping data the sender will not retransmit.
The Linux kernel does not check the stream id received in FORWARD
TSN chunks. This number is then used directly as an index into the
memory area holding the per-stream state of the association.
An attacker can therefore send an SCTP packet carrying a FORWARD TSN
chunk with an out-of-range stream id in order to corrupt kernel
memory, leading to a denial of service or to code execution.
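The following is an added illustration and is not code from the Linux kernel or from the Vigil@nce advisory. It models the defect in a few dozen lines of user-space C: a FORWARD TSN chunk (chunk type 192, RFC 3758: 4-byte header, 4-byte new cumulative TSN, then 4-byte stream id / SSN pairs) is parsed, and the stream ids are used to update per-stream receive state. The names `assoc_state`, `apply_fwdtsn_unchecked`, `apply_fwdtsn_checked` and the `mem` array are assumptions of this example; `mem` stands in for the association's per-stream table followed by whatever happens to sit after it in memory. The unchecked variant reproduces the class of bug described above (stream id used as an index without a range check); the checked variant applies the natural fix, rejecting the whole chunk when any stream id is not below the number of inbound streams negotiated for the association, which to my knowledge is the check the kernel adopted.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FWDTSN_CHUNK_TYPE 0xC0   /* FORWARD TSN chunk type (192), RFC 3758 */
#define MEM_WORDS 16             /* size of the modelled memory region (assumption) */

/* One skip entry of a FORWARD TSN chunk, in host byte order after parsing. */
struct fwdtsn_skip { uint16_t stream; uint16_t ssn; };

/* Hypothetical, simplified association state: mem[0..num_instreams) holds the
 * next expected SSN per inbound stream; the words after it model neighbouring
 * kernel data that must never be touched by a FORWARD TSN chunk. */
struct assoc_state {
    uint16_t num_instreams;
    uint16_t mem[MEM_WORDS];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a FORWARD TSN chunk. Returns the number of skip entries, or -1 if the
 * chunk is malformed (wrong type, short, bad length, or too many entries). */
static int parse_fwdtsn(const uint8_t *buf, size_t len, uint32_t *cum_tsn,
                        struct fwdtsn_skip *out, size_t max_out)
{
    if (len < 8 || buf[0] != FWDTSN_CHUNK_TYPE) return -1;
    uint16_t clen = rd16(buf + 2);              /* chunk length includes the header */
    if (clen < 8 || clen > len || (clen - 8) % 4 != 0) return -1;
    size_t n = (clen - 8) / 4;
    if (n > max_out) return -1;
    *cum_tsn = rd32(buf + 4);
    for (size_t i = 0; i < n; i++) {
        out[i].stream = rd16(buf + 8 + 4 * i);
        out[i].ssn    = rd16(buf + 10 + 4 * i);
    }
    return (int)n;
}

/* Vulnerable pattern: the stream id taken from the wire indexes the table
 * directly, so an id at or beyond num_instreams writes into neighbouring data. */
static void apply_fwdtsn_unchecked(struct assoc_state *a, const struct fwdtsn_skip *s, int n)
{
    for (int i = 0; i < n; i++)
        a->mem[s[i].stream] = s[i].ssn;
}

/* Hardened pattern: validate every stream id first and discard the whole chunk
 * if any is out of range, so no state is touched on a bad chunk. 0 = applied, -1 = rejected. */
static int apply_fwdtsn_checked(struct assoc_state *a, const struct fwdtsn_skip *s, int n)
{
    for (int i = 0; i < n; i++)
        if (s[i].stream >= a->num_instreams) return -1;
    for (int i = 0; i < n; i++)
        a->mem[s[i].stream] = s[i].ssn;
    return 0;
}

/* Constructed sample chunk: type 0xC0, length 16, new cumulative TSN 0x1000,
 * skips (stream 1, SSN 7) and (stream 6, SSN 9). Stream 6 is out of range for
 * an association with 4 inbound streams. */
static const uint8_t sample_chunk[16] = {
    0xC0, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x10, 0x00,
    0x00, 0x01, 0x00, 0x07,
    0x00, 0x06, 0x00, 0x09,
};

/* Fresh state: 4 inbound streams with SSN 0, neighbouring words filled with 0xBEEF. */
static void init_state(struct assoc_state *a)
{
    a->num_instreams = 4;
    for (int i = 0; i < MEM_WORDS; i++)
        a->mem[i] = (i < a->num_instreams) ? 0 : 0xBEEF;
}

/* Feed the sample chunk through the vulnerable path; returns the word after the
 * stream table that the bad stream id overwrote (9 instead of 0xBEEF). */
static uint16_t demo_unchecked(void)
{
    struct assoc_state a; struct fwdtsn_skip skips[8]; uint32_t tsn;
    init_state(&a);
    int n = parse_fwdtsn(sample_chunk, sizeof sample_chunk, &tsn, skips, 8);
    if (n < 0) return 0;
    apply_fwdtsn_unchecked(&a, skips, n);
    return a.mem[6];
}

/* Feed the same chunk through the hardened path; leaves the state in *out. */
static int demo_checked(struct assoc_state *out)
{
    struct fwdtsn_skip skips[8]; uint32_t tsn;
    init_state(out);
    int n = parse_fwdtsn(sample_chunk, sizeof sample_chunk, &tsn, skips, 8);
    if (n < 0) return -2;
    return apply_fwdtsn_checked(out, skips, n);
}
```

Two design points carry over to real implementations: validate all entries before mutating any state, so a rejected chunk leaves the association exactly as it was, and validate the chunk length before walking the entries, so the parser itself cannot read past the packet.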
CHARACTERISTICS
– Identifiers: 478800, BID-33113, CVE-2009-0065, VIGILANCE-VUL-8365
– Url: http://vigilance.fr/vulnerability/Linux-kernel-memory-corruption-of-SCTP-FWD-TSN-8365