Vigil@nce: Linux kernel, memory leak via AppleTalk and IPDDP
September 2009 by Vigil@nce
When the appletalk module is loaded, a network attacker can send
AppleTalk packets, in order to generate a denial of service.
– Severity: 2/4
– Consequences: denial of service of computer
– Provenance: intranet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 14/09/2009
– Revision date: 17/09/2009
IMPACTED PRODUCTS
– Linux kernel
– Red Hat Enterprise Linux
DESCRIPTION OF THE VULNERABILITY
The IPDDP protocol (ipddp module) is used to encapsulate IP
packets in an AppleTalk session (appletalk module). Associated
devices are named ipddp0, ipddp1, etc.
When:
– the appletalk module is loaded, and
– the ipddp module is not loaded, and
– the computer receives an AppleTalk+IPDDP packet,
then the handle_ip_over_ddp() function in the net/appletalk/ddp.c
file tries to access the ipddp0 device, which does not exist, and
returns without calling kfree_skb() to free the packet buffer. A
remote attacker can thus progressively force the kernel to use all
the available memory.
When the appletalk module is loaded, a network attacker can
therefore send AppleTalk packets, in order to generate a denial of
service.
CHARACTERISTICS
– Identifiers: 522331, BID-36379, CVE-2009-2903, DOC-19077,
VIGILANCE-VUL-9021
– Url: http://vigilance.fr/vulnerability/Linux-kernel-memory-leak-via-AppleTalk-and-IPDDP-9021