Vigil@nce: OpenSolaris, denial of service via SCTP
April 2009 by Vigil@nce
Under OpenSolaris, a local attacker can use a SCTP socket in order
to panic the kernel.
– Severity: 1/4
– Consequences: denial of service of computer
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 21/04/2009
IMPACTED PRODUCTS
– OpenSolaris
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol (Stream Control Transmission Protocol) can be
used to send several streams in the same session.
A local user can create a SCTP socket and use the SO_RCVBUF option
to define the size of the reception buffer. However, the
"sopp_rxhiwat" field ("recv high water mark") is not updated.
When the socket is closed, an error then occurs in the
sosctp_close() and sctp_sack() functions. This error panics the
kernel.
Under OpenSolaris, a local attacker can therefore use a SCTP
socket in order to panic the kernel.
CHARACTERISTICS
– Identifiers: 257331, 6796351, VIGILANCE-VUL-8657
– Url: http://vigilance.fr/vulnerability/OpenSolaris-denial-of-service-via-SCTP-8657
To change your email preferences (frequency, severity threshold, format):
https://vigilance.fr/?action=2041549901&langue=2