=====================================================================
                            CERT-Renater

                Information Note No. 2011/VULN284
_____________________________________________________________________

DATE                 : 04/04/2011

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running IPComp implementations.

=====================================================================
http://www.kb.cert.org/vuls/id/668220
_____________________________________________________________________

Vulnerability Note VU#668220

IPComp encapsulation nested payload vulnerability

Overview

Some IPComp implementations may contain a kernel memory corruption
vulnerability in their handling of nested encapsulation of IPComp
payloads.

I. Description

RFC 3173 defines the IP Payload Compression Protocol (IPComp) as:

    IP payload compression is a protocol to reduce the size of IP
    datagrams. This protocol will increase the overall communication
    performance between a pair of communicating hosts/gateways
    ("nodes") by compressing the datagrams, provided the nodes have
    sufficient computation power, through either CPU capacity or a
    compression coprocessor, and the communication is over slow or
    congested links.

IPComp is commonly used in conjunction with IPsec implementations.
Some network stack implementations, particularly those incorporating
the KAME project or NetBSD project IPComp and IPsec implementations,
may fail to check for stack overflow in their recursive handling of
nested IPComp-encapsulated payloads. Exploitation of this
vulnerability could allow a remote attacker to cause kernel memory
corruption.

II. Impact

A remote attacker can cause a kernel stack overflow leading to a
denial of service or possibly execute arbitrary code.

III. Solution

Apply a Patch from Your Vendor

Please see the Vendor Information below for specific vendor
information and patches.

Workarounds

  * Filter IPComp (protocol number 108) at network borders if it is
    not required
  * Utilize packet filtering on workstations or servers to prevent
    the vulnerable code from being executed
  * Recompile affected software to disallow nested encapsulation of
    IPComp payloads if possible

Vendor Information

Note that any systems derived from the KAME or NetBSD IPComp
implementations may be vulnerable.

Vendor                              Status        Date Notified Date Updated
3com Inc                            Unknown       2011-03-30    2011-03-30
ACCESS                              Unknown       2011-03-30    2011-03-30
Alcatel-Lucent                      Unknown       2011-03-30    2011-03-30
Apple Inc.                          Affected      2011-03-30    2011-03-30
AT&T                                Unknown       2011-03-30    2011-03-30
Avaya, Inc.                         Unknown       2011-03-30    2011-03-30
Barracuda Networks                  Unknown       2011-03-30    2011-03-30
Belkin, Inc.                        Unknown       2011-03-30    2011-03-30
Blue Coat Systems                   Unknown       2011-03-30    2011-03-30
Borderware Technologies             Unknown       2011-03-30    2011-03-30
Charlotte's Web Networks            Unknown       2011-03-30    2011-03-30
Check Point Software Technologies   Unknown       2011-03-30    2011-03-30
Cisco Systems, Inc.                 Unknown       2011-03-30    2011-03-30
Clavister                           Unknown       2011-03-30    2011-03-30
Computer Associates                 Unknown       2011-03-30    2011-03-30
Conectiva Inc.                      Unknown       2011-03-30    2011-03-30
Cray Inc.                           Unknown       2011-03-30    2011-03-30
D-Link Systems, Inc.                Unknown       2011-03-30    2011-03-30
Debian GNU/Linux                    Unknown       2011-03-30    2011-03-30
DragonFly BSD Project               Unknown       2011-03-30    2011-03-30
EMC Corporation                     Unknown       2011-03-30    2011-03-30
Engarde Secure Linux                Unknown       2011-03-30    2011-03-30
Enterasys Networks                  Unknown       2011-03-30    2011-03-30
Ericsson                            Unknown       2011-03-30    2011-03-30
eSoft, Inc.                         Unknown       2011-03-30    2011-03-30
Extreme Networks                    Unknown       2011-03-30    2011-03-30
F5 Networks, Inc.                   Unknown       2011-03-30    2011-03-30
Fedora Project                      Unknown       2011-03-30    2011-03-30
Force10 Networks, Inc.              Unknown       2011-03-30    2011-03-30
Fortinet, Inc.                      Unknown       2011-03-30    2011-03-30
Foundry Networks, Inc.              Unknown       2011-03-30    2011-03-30
FreeBSD Project                     Affected      2011-03-30    2011-04-01
Fujitsu                             Unknown       2011-03-30    2011-03-30
Gentoo Linux                        Unknown       2011-03-30    2011-03-30
Global Technology Associates, Inc.  Unknown       2011-03-30    2011-03-30
Google                              Unknown       2011-03-30    2011-03-30
Hewlett-Packard Company             Unknown       2011-03-30    2011-03-30
Hitachi                             Unknown       2011-03-30    2011-03-30
IBM Corporation                     Unknown       2011-03-30    2011-03-30
IBM Corporation (zseries)           Unknown       2011-03-30    2011-03-30
IBM eServer                         Unknown       2011-03-30    2011-03-30
Infoblox                            Unknown       2011-03-30    2011-03-30
Intel Corporation                   Unknown       2011-03-30    2011-03-30
Internet Security Systems, Inc.     Unknown       2011-03-30    2011-03-30
Intoto                              Unknown       2011-03-30    2011-03-30
IP Infusion, Inc.                   Unknown       2011-03-30    2011-03-30
Juniper Networks, Inc.              Unknown       2011-03-30    2011-03-30
m0n0wall                            Unknown       2011-03-30    2011-03-30
Mandriva S. A.                      Unknown       2011-03-30    2011-03-30
McAfee                              Unknown       2011-03-30    2011-03-30
Microsoft Corporation               Not Affected  2011-03-30    2011-04-01
MontaVista Software, Inc.           Unknown       2011-03-30    2011-03-30
NEC Corporation                     Unknown       2011-03-30    2011-03-30
NetApp                              Unknown       2011-03-30    2011-03-30
NetBSD                              Affected      2011-03-30    2011-04-01
netfilter                           Unknown       2011-03-30    2011-03-30
Nokia                               Unknown       2011-03-30    2011-03-30
Nortel Networks, Inc.               Unknown       2011-03-30    2011-03-30
Novell, Inc.                        Unknown       2011-03-30    2011-03-30
OpenBSD                             Unknown       2011-03-30    2011-03-30
Openwall GNU/*/Linux                Not Affected  2011-03-30    2011-04-01
Oracle Corporation                  Not Affected  2011-03-30    2011-03-31
Palo Alto Networks                  Unknown       2011-03-30    2011-03-30
PePLink                             Unknown       2011-03-30    2011-03-30
Process Software                    Unknown       2011-03-30    2011-03-30
Q1 Labs                             Unknown       2011-03-30    2011-03-30
QNX Software Systems Inc.           Unknown       2011-03-30    2011-03-30
RadWare, Inc.                       Unknown       2011-03-30    2011-03-30
Red Hat, Inc.                       Not Affected  2011-03-30    2011-03-30
Redback Networks, Inc.              Unknown       2011-03-30    2011-03-30
SafeNet                             Unknown       2011-03-30    2011-03-30
Secureworx, Inc.                    Unknown       2011-03-30    2011-03-30
Silicon Graphics, Inc.              Unknown       2011-03-30    2011-03-30
Slackware Linux Inc.                Unknown       2011-03-30    2011-03-30
SmoothWall                          Unknown       2011-03-30    2011-03-30
Snort                               Unknown       2011-03-30    2011-03-30
Sony Corporation                    Unknown       2011-03-30    2011-03-30
Sourcefire                          Unknown       2011-03-30    2011-03-30
Stonesoft                           Unknown       2011-03-30    2011-03-30
Sun Microsystems, Inc.              Not Affected  2011-03-30    2011-04-01
SUSE Linux                          Unknown       2011-03-30    2011-03-30
Symantec                            Unknown       2011-03-30    2011-03-30
The SCO Group                       Unknown       2011-03-30    2011-03-30
TippingPoint Technologies Inc.      Unknown       2011-03-30    2011-03-30
Turbolinux                          Unknown       2011-03-30    2011-03-30
U4EA Technologies, Inc.             Unknown       2011-03-30    2011-03-30
Ubuntu                              Unknown       2011-03-30    2011-03-30
Unisys                              Unknown       2011-03-30    2011-03-30
VMware                              Not Affected  2011-03-30    2011-04-01
Vyatta                              Unknown       2011-03-30    2011-03-30
Watchguard Technologies, Inc.       Not Affected  2011-03-30    2011-04-01
Wind River Systems, Inc.            Unknown       2011-03-30    2011-03-30
ZyXEL                               Unknown       2011-03-30    2011-03-30

References

http://tools.ietf.org/html/rfc3173
http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html

Credit

Thanks to Tavis Ormandy of Google for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public:               2011-04-01
Date First Published:      2011-04-01
Date Last Updated:         2011-04-01
CERT Advisory:
CVE-ID(s):                 CVE-2011-1547
NVD-ID(s):                 CVE-2011-1547
US-CERT Technical Alerts:
Severity Metric:           54,77
Document Revision:         30

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

=====================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER          |  tel  : 01-53-94-20-44        +
+ 23 - 25 Rue Daviel    |  fax  : 01-53-94-20-41        +
+ 75013 Paris           |  email: certsvp@renater.fr    +
=========================================================
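
The nested-encapsulation condition from the Description, and the workaround of disallowing nested IPComp payloads, can be expressed as a header check on the 4-byte IPComp header defined in RFC 3173. The C code below is an added example, not code from CERT, KAME or NetBSD; the names check_ipcomp, the verdict values and the sample packets are assumptions, and it expects an unfragmented IPv4 datagram.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_IPCOMP   108  /* IP protocol number for IPComp */
#define IPCOMP_HDR_LEN 4    /* RFC 3173: next header, flags, 16-bit CPI */

enum verdict { PASS_NOT_IPCOMP, PASS_IPCOMP, DROP_MALFORMED, DROP_NESTED };

/* Classify one raw, unfragmented IPv4 datagram (hypothetical helper).
 * The IPComp "next header" byte is not compressed, so a nested IPComp
 * payload is visible before any decompression or recursion happens. */
enum verdict check_ipcomp(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IPv4 header bytes */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* IPv4 total length */
    if (ihl < 20 || total < ihl || total > len)
        return DROP_MALFORMED;
    if (pkt[9] != PROTO_IPCOMP)
        return PASS_NOT_IPCOMP;
    if (total - ihl < IPCOMP_HDR_LEN)                /* truncated header */
        return DROP_MALFORMED;
    if (pkt[ihl] == PROTO_IPCOMP)                    /* IPComp in IPComp */
        return DROP_NESTED;
    return PASS_IPCOMP;
}

/* Constructed sample packets (not captured traffic): 20-byte IPv4 header,
 * 4-byte IPComp header, 4 dummy payload bytes. Checksums are left zero. */
const uint8_t sample_ok[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, PROTO_IPCOMP, 0, 0,
    192, 0, 2, 1, 192, 0, 2, 2,
    6 /* next header: TCP */, 0, 0, 2 /* CPI */, 1, 2, 3, 4 };
const uint8_t sample_nested[28] = {
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, PROTO_IPCOMP, 0, 0,
    192, 0, 2, 1, 192, 0, 2, 2,
    PROTO_IPCOMP /* next header: IPComp again */, 0, 0, 2, 1, 2, 3, 4 };

int main(void)
{
    printf("ok=%d nested=%d\n",
           (int)check_ipcomp(sample_ok, sizeof sample_ok),
           (int)check_ipcomp(sample_nested, sizeof sample_nested));
    return 0;
}
```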