Linux kernel IPv6 crash due to router advertisement flooding

2014.03.08
Credit: Sabrina Dubroca
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2014-2309
CWE: N/A


CVSS Base Score: 6.1/10
Impact Subscore: 6.9/10
Exploitability Subscore: 6.5/10
Exploit range: Adjacent network
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

The Linux kernel is vulnerable to a crash on hosts that accept router advertisements. An unlimited number of routes can be created from router advertisements. A remote attacker in the same layer 2 segment can cause a crash from memory exhaustion by flooding router advertisements to a target machine. https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=c88507fbad8055297c1d1e21e599f46960cbee39 http://patchwork.ozlabs.org/patch/327515/ diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 11dac21e6586..fba54a407bb2 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -1513,7 +1513,7 @@ int ip6_route_add(struct fib6_config *cfg) if (!table) goto out; - rt = ip6_dst_alloc(net, NULL, DST_NOCOUNT, table); + rt = ip6_dst_alloc(net, NULL, (cfg->fc_flags & RTF_ADDRCONF) ? 0 : DST_NOCOUNT, table); if (!rt) { err = -ENOMEM;

References:

https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=c88507fbad8055297c1d1e21e599f46960cbee39
http://patchwork.ozlabs.org/patch/327515/
http://seclists.org/oss-sec/2014/q1/526


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top