Vigil@nce: Solaris, denial of service of SCTP
July 2009 by Vigil@nce
An attacker can send a sequence of SCTP packets in order to
corrupt the memory of the kernel, which leads to a denial of
service and eventually to code execution.
Severity: 2/4
Consequences: user access/rights, denial of service of computer
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/07/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The SCTP protocol (Stream Control Transmission Protocol) can be
used to send several streams in the same session. When some
packets were not received by the receiver, it sends SACK
(Selective Acknowledgement) packets, to acknowledge parts of
received data.
The sctp_got_sack() function of src/uts/common/inet/sctp/sctp_input.c
handles received SCTP SACK data. However, this function does not
check if the sequence number of missing packets is superior to
data already acknowledged. This SACK packet is thus handled, and
corrupts the memory.
An attacker can therefore send a sequence of SCTP packets in order
to corrupt the memory of the kernel, which leads to a denial of
service and eventually to code execution.
CHARACTERISTICS
Identifiers: 253608, 6766767, BID-35712, CVE-2009-2486,
VIGILANCE-VUL-8869
http://vigilance.fr/vulnerability/Solaris-denial-of-service-of-SCTP-8869