Vigil@nce: Solaris, denial of service via IPv4 Forwarding
December 2008 by Vigil@nce
In a specific configuration, an attacker can send an IPv4 packet
in order to stop the system.
– Gravity: 2/4
– Consequences: denial of service of computer
– Provenance: internet client
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: low (1/3)
– Creation date: 16/12/2008
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION
A blockhole route (or null route) rejects its packets. To
configure such a route on Solaris, following commands are used:
route add -net 10.0.0.0/24 127.0.0.1 -blackhole
route add -host 10.1.0.1 127.0.0.1 -blackhole
All packets for the 10.0.0.0/24 network or the 10.1.0.1 host are
thus rejected.
However, the following configuration is vulnerable:
- the IPv4 route using 127.0.0.1 was created without the
"-blackhole" option, AND
- the patch 120011-14 (SPARC) or 120012-14 (x86) is installed.
Indeed, in this case, when the Solaris kernel receives a packet
for the rejected network, a NULL pointer is dereferenced. The
system then stops.
An attacker can therefore send an IPv4 packet in order to stop the
system.
CHARACTERISTICS
– Identifiers: 241126, 6478933, BID-32861, CVE-2008-5661,
VIGILANCE-VUL-8339
– Url: http://vigilance.fr/vulnerability/8339