-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2011-0018 Title: Linux Kernel Headroom Check 'udp6_ufo_fragment()' Remote Denial of Service Vulnerability [1] Version history: 22.11.2011 Initial publication Summary ======= The Linux kernel is prone to a remote denial-of-service vulnerability. To exploit this issue, attackers can use readily available network utilities. CVE-2011-4326(Candidate) Severity Level[3]: CVSS2 Base 7.8 Remote Yes Local No Credibility Vendor Confirmed Ease Exploit Available Authentication Not Required To note also: CVE-2011-4330(Candidate) CVE-2011-4110(Candidate) CVE-2011-4112(Candidate) Potential impact ================ Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users. 1. An attacker locates a vulnerable computer. 2. An attacker crafts a malicious UDP packet designed to leverage this issue. 3. When the affected application processes the packet, the vulnerability is triggered. A successful attack will cause denial-of-service conditions. Vulnerable Systems ================== Among others: Linux kernel 2.6.32.1 to 2.6.32.18 Linux kernel 2.6.32.22 Linux kernel 2.6.32-rc1 to 2.6.32-rc3 Trustix Secure Enterprise Linux 2.0.0 Trustix Secure Linux 2.0.0 Trustix Secure Linux 2.1.0 Trustix Secure Linux 2.2.0 Linux kernel 2.6.32-rc4 cpe:/o:linux:kernel:2.6.32:rc4 SYMC Linux kernel 2.6.32-rc5 cpe:/o:linux:kernel:2.6.32:rc5 SYMC Trustix Secure Enterprise Linux 2.0.0 Trustix Secure Linux 2.0.0 Trustix Secure Linux 2.1.0 Trustix Secure Linux 2.2.0 Linux kernel 2.6.32x Linux kernel 2.6.33x Linux kernel 2.6.34x Linux kernel 2.6.35x Linux kernel 2.6.36x Linux kernel 2.6.37x Linux kernel 2.6.38x Linux kernel 2.6.39x Linux kernel 2.6.4 to 2.6.7 Linux kernel 2.6.32.28 Linux kernel 2.6.37-rc1 Linux kernel 2.6.37-rc2 Linux kernel 2.6.38x Linux kernel 2.6.33-rc7 Linux kernel 2.6.36-rc4 What can you do? ================ Solutions: Fixes are available [2]. Work-arounds: Block external access at the network boundary, unless external parties require service. Filter access to the affected computer at the network boundary if global access isn't needed. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit. Deploy network intrusion detection systems to monitor network traffic for malicious activity. Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits. What to tell your users? ======================== Normal security best practices apply. Especially, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users are to be aware not to click on the link in suspicious emails; to immediately forward the suspicious email to the respective IT security officer / contact in your institution. More information ================ [1] http://www.linux.org/ [2] http://comments.gmane.org/gmane.comp.security.oss.general/6294 [3] CVSS details: CVSS Version 2 Scores CVSS2 Base 7.8 CVSS2 Temporal 6.4 CVSS2 Base Vector AV:N/AC:L/Au:N/C:N/I:N/A:C CVSS2 Temporal VectorE:F/RL:OF/RC:C More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html Best regards, CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 -----BEGIN PGP SIGNATURE----- Version: BCPG v1.39 iQJXBAEBAgBBBQJOy2dvOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4MQ6xAAskZUK7nC BdEYZKstHPKsWlZHxnl1ZfNN9NygxEFrh3m3RKcPWGDB4w38JrW4M7vEKeD9VVpF 1V/tBOc4CXKQwCOL+OA/3h6N1NPaRjM2OW1ELuSa0Z96gwohPkCNvbjAn3US6w4q OGBX0dnHlWYvK5fiKh9NXr/oTYoWHgjZ9NLh6Iz5WovfboxUGCqYPqu65amav4Wt cYPr/kgmYBSoTnW1JXrzE5oGy8GTwsGp+N6eJp3cxOT9uzyaj4aOQeo3FZw2Lt0A J7xH0/tJG1P3OP8siwCsKkNgV1xl8q5wF7AwnKJNYRNA3K3o1qd6XQG5ytZh985j hooL6LcfYGfWy306TF4eejEc2mT5DXMC8frjT/W0LKATXQwExL0X57btcAH0jOox dWMoHT4vZ9OBr41gT1uGdzIUIIjj8b0Jl1y/4xbOXdmPo8cbfubQqM2z/DoKnrGk Wx+6a6ZVo4+fwUn5YYlbCFUQQ6oW2Nf4ifF3ttGWZHG73a472MRneRcvYBHGkNVA DdLl4EX6K5z1EHYe+q3rma7w8enNm/uiS94xZ1CWEy0KerFgnjez1mCt51LsRnS/ tOLUNAFfKwimcx59/4cM6fJF9RD3x53HvBi6JI4TEF1Lz4o6INLB5HC8HjZA2L0U fR8n8oAYWvvPDpr/03yuXh/Le5KrqGjKlQY= =PSFu -----END PGP SIGNATURE-----