=====================================================================
                           CERT-Renater
                Information Note No. 2008/VULN025
_____________________________________________________________________

DATE                 : 08/02/2008

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running KAME project's IPv6 implementation.

======================================================================
http://www.kb.cert.org/vuls/id/110947
______________________________________________________________________

US-CERT Vulnerability Note VU#110947

KAME project IPv6 IPComp header denial of service vulnerability

Overview

The KAME project's IPv6 implementation does not properly process IPv6
packets that contain the IPComp header. If exploited, this vulnerability
may allow an attacker to cause a vulnerable system to crash.

I. Description

Per RFC 3173:

    IP payload compression is a protocol to reduce the size of IP
    datagrams. This protocol will increase the overall communication
    performance between a pair of communicating hosts/gateways ("nodes")
    by compressing the datagrams, provided the nodes have sufficient
    computation power, through either CPU capacity or a compression
    coprocessor, and the communication is over slow or congested links.

Systems that have IPv6 networking derived from the KAME project IPv6
implementation may not properly process IPv6 packets that contain an
IPComp header. An attacker can exploit this vulnerability by sending an
IPv6 packet with an IPComp header to a vulnerable system.

II. Impact

A remote, unauthenticated attacker can cause a vulnerable system to crash.

III. Solution

See the systems affected section of this document for a partial list of
affected vendors. Administrators who compile their kernel from source
should see
http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
for more information.

Restrict access

Until updates can be applied, using a packet-filtering firewall to block
IPv6 packets that contain the IPComp header may prevent this vulnerability
from being exploited by remote attackers.

Systems Affected

Vendor                                          Status          Date Updated
3com, Inc.                                      Unknown         30-Nov-2007
Alcatel                                         Unknown         30-Nov-2007
Apple Computer, Inc.                            Unknown         30-Nov-2007
AT&T                                            Unknown         30-Nov-2007
Avaya, Inc.                                     Unknown         30-Nov-2007
Avici Systems, Inc.                             Unknown         30-Nov-2007
Borderware Technologies                         Not Vulnerable  30-Jan-2008
Bro                                             Unknown         30-Nov-2007
CentOS                                          Unknown         21-Jan-2008
Charlotte's Web Networks                        Unknown         30-Nov-2007
Check Point Software Technologies               Unknown         30-Nov-2007
Chiaro Networks, Inc.                           Unknown         30-Nov-2007
Cisco Systems, Inc.                             Unknown         30-Nov-2007
Clavister                                       Unknown         30-Nov-2007
Computer Associates                             Not Vulnerable  1-Feb-2008
Computer Associates eTrust Security Management  Not Vulnerable  1-Feb-2008
Conectiva Inc.                                  Unknown         30-Nov-2007
Cray Inc.                                       Unknown         30-Nov-2007
D-Link Systems, Inc.                            Unknown         30-Nov-2007
Data Connection, Ltd.                           Unknown         30-Nov-2007
Debian GNU/Linux                                Not Vulnerable  6-Feb-2008
EMC Corporation                                 Unknown         30-Nov-2007
Engarde Secure Linux                            Unknown         30-Nov-2007
Enterasys Networks                              Unknown         30-Nov-2007
Ericsson                                        Unknown         30-Nov-2007
eSoft, Inc.                                     Unknown         30-Nov-2007
Extreme Networks                                Unknown         30-Nov-2007
F5 Networks, Inc.                               Unknown         30-Nov-2007
Fedora Project                                  Unknown         30-Nov-2007
Force10 Networks, Inc.                          Vulnerable      6-Feb-2008
Fortinet, Inc.                                  Unknown         30-Nov-2007
Foundry Networks, Inc.                          Unknown         30-Nov-2007
FreeBSD, Inc.                                   Vulnerable      6-Feb-2008
Fujitsu                                         Unknown         30-Nov-2007
Gentoo Linux                                    Unknown         30-Nov-2007
Global Technology Associates                    Not Vulnerable  12-Dec-2007
Hewlett-Packard Company                         Unknown         30-Nov-2007
Hitachi                                         Not Vulnerable  1-Feb-2008
Hyperchip                                       Unknown         30-Nov-2007
IBM Corporation                                 Not Vulnerable  6-Feb-2008
IBM Corporation (zseries)                       Unknown         30-Nov-2007
IBM eServer                                     Unknown         30-Nov-2007
Ingrian Networks, Inc.                          Unknown         30-Nov-2007
Intel Corporation                               Unknown         1-Feb-2008
Internet Security Systems, Inc.                 Not Vulnerable  6-Feb-2008
Intoto                                          Unknown         30-Nov-2007
IP Filter                                       Unknown         30-Nov-2007
Juniper Networks, Inc.                          Vulnerable      7-Feb-2008
KAME Project                                    Vulnerable      7-Feb-2008
Linksys (A division of Cisco Systems)           Unknown         30-Nov-2007
Lucent Technologies                             Unknown         30-Nov-2007
Luminous Networks                               Unknown         30-Nov-2007
m0n0wall                                        Unknown         30-Nov-2007
Mandriva, Inc.                                  Unknown         30-Nov-2007
McAfee                                          Not Vulnerable  12-Dec-2007
Microsoft Corporation                           Unknown         30-Nov-2007
MontaVista Software, Inc.                       Unknown         30-Nov-2007
Multinet (owned Process Software Corporation)   Unknown         30-Nov-2007
Multitech, Inc.                                 Unknown         30-Nov-2007
NEC Corporation                                 Unknown         30-Nov-2007
NetBSD                                          Vulnerable      12-Dec-2007
netfilter                                       Unknown         30-Nov-2007
Network Appliance, Inc.                         Unknown         30-Nov-2007
NextHop Technologies, Inc.                      Unknown         30-Nov-2007
Nokia                                           Unknown         5-Feb-2008
Nortel Networks, Inc.                           Unknown         30-Nov-2007
Novell, Inc.                                    Not Vulnerable  1-Feb-2008
OpenBSD                                         Unknown         30-Nov-2007
Openwall GNU/*/Linux                            Unknown         30-Nov-2007
PC-BSD                                          Unknown         5-Feb-2008
QNX, Software Systems, Inc.                     Vulnerable      1-Feb-2008
RadWare, Inc.                                   Unknown         5-Feb-2008
Red Hat, Inc.                                   Unknown         30-Nov-2007
Redback Networks, Inc.                          Not Vulnerable  5-Feb-2008
Riverstone Networks, Inc.                       Unknown         30-Nov-2007
Secure Computing Network Security Division      Not Vulnerable  12-Dec-2007
Secureworx, Inc.                                Unknown         30-Nov-2007
Silicon Graphics, Inc.                          Unknown         30-Nov-2007
Slackware Linux Inc.                            Unknown         30-Nov-2007
SmoothWall                                      Not Vulnerable  12-Dec-2007
Snort                                           Unknown         30-Nov-2007
Sony Corporation                                Unknown         30-Nov-2007
Sourcefire                                      Unknown         30-Nov-2007
Stonesoft                                       Unknown         30-Nov-2007
Sun Microsystems, Inc.                          Not Vulnerable  6-Feb-2008
SUSE Linux                                      Unknown         30-Nov-2007
Symantec, Inc.                                  Unknown         30-Nov-2007
The SCO Group                                   Not Vulnerable  12-Dec-2007
TippingPoint, Technologies, Inc.                Not Vulnerable  12-Dec-2007
Trustix Secure Linux                            Unknown         30-Nov-2007
Turbolinux                                      Unknown         30-Nov-2007
Ubuntu                                          Unknown         30-Nov-2007
Unisys                                          Unknown         30-Nov-2007
Watchguard Technologies, Inc.                   Unknown         30-Nov-2007
Wind River Systems, Inc.                        Unknown         30-Nov-2007
ZyXEL                                           Unknown         30-Nov-2007

References

http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
http://www.kame.net/
http://www.ietf.org/rfc/rfc3173.txt
http://secunia.com/advisories/28816/
http://secunia.com/advisories/28788/
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
http://jvn.jp/cert/JVNVU%23110947/

Credit

Thanks to Shoichi Sakane of the KAME project for reporting this
vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public               02/06/2008
Date First Published      02/06/2008 07:05:57 AM
Date Last Updated         02/07/2008
CERT Advisory
CVE Name                  CVE-2008-0177
US-CERT Technical Alerts
Metric                    4.39
Document Revision         32

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
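
The "Restrict access" workaround above depends on the filter finding an IPComp header (IP protocol number 108) anywhere in the IPv6 header chain, not only directly after the fixed header. The sketch below is an added example, not code from US-CERT or the KAME project; the function name, verdict strings and sample packets are constructed for illustration.

```python
import struct

IPCOMP = 108                 # IANA protocol number for IPComp (RFC 3173)
GENERIC_EXT = {0, 43, 60}    # hop-by-hop, routing, destination options
FRAGMENT, AH = 44, 51

def ipcomp_verdict(packet: bytes) -> str:
    """Return 'drop' if the IPv6 header chain reaches an IPComp header or is
    truncated before the chain ends (fail closed); otherwise 'pass'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], 40
    while True:
        if nh == IPCOMP:
            return "drop"
        if nh not in GENERIC_EXT and nh not in (FRAGMENT, AH):
            return "pass"    # upper-layer protocol, ESP or no-next-header
        if off + 8 > len(packet):
            return "drop"    # every extension header is at least 8 bytes
        if nh == FRAGMENT:
            length = 8
            frag_offset = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_offset:  # later fragment: what follows is payload, not headers
                return "drop" if packet[off] == IPCOMP else "pass"
        elif nh == AH:
            length = (packet[off + 1] + 2) * 4
        else:
            length = (packet[off + 1] + 1) * 8
        if off + length > len(packet):
            return "drop"
        nh, off = packet[off], off + length

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample: 40-byte IPv6 header (zeroed addresses) + payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(32) + payload

IPCOMP_HDR = bytes([6, 0, 0, 2])   # constructed: next header TCP, flags 0, CPI 2
SAMPLES = {                        # all packets below are constructed test input
    "plain TCP": ipv6(6, bytes(20)),
    "IPComp directly": ipv6(IPCOMP, IPCOMP_HDR),
    "IPComp after dest. options": ipv6(60, bytes([IPCOMP, 0, 1, 4, 0, 0, 0, 0]) + IPCOMP_HDR),
    "IPComp in later fragment": ipv6(FRAGMENT, struct.pack("!BBHI", IPCOMP, 0, 100 << 3, 7)),
    "truncated chain": ipv6(60, bytes([IPCOMP])),
}

def verdicts() -> dict:
    return {name: ipcomp_verdict(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:5} {name}")
```

A rule that only compares the fixed header's Next Header field against 108 would pass the destination-options and fragment samples, which is why the chain is walked and unparseable chains are dropped.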