Vulnerability of Linux kernel: denial of service of SCTP-AUTH

Summary of the vulnerability

A local attacker can read the kernel memory or stop the system via SCTP-AUTH.
Impacted software: Debian, Linux, Mandriva Linux, openSUSE, RHEL.
Severity of this computer vulnerability: 1/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/09/2008.
Revision dates: 08/10/2008, 30/12/2008.
References of this announcement: BID-31121, BID-31634, CERTA-2002-AVI-192, CERTA-2002-AVI-206, CVE-2008-3792, CVE-2008-4113, CVE-2008-4445, DSA-1636-1, DSA-1655-1, MDVSA-2008:223, RHSA-2008:0857-02, SUSE-SA:2008:053, TKADV2008-007, VIGILANCE-VUL-8104.

Description of the vulnerability 

The SCTP protocol (Stream Control Transmission Protocol) creates associations to send several streams. The draft-ietf-tsvwg-sctp-auth-08 draft defines the AUTH extension containing HMAC authentication data.

However, the SCTP-AUTH implementation (enabled with net.sctp.auth_enable) of the Linux kernel is incorrect:
 - If it is disabled, its usage dereferences a NULL pointer, which stops the system. [severity:1/4; CVE-2008-3792, TKADV2008-007]
 - If it is enabled, an attacker can use the SCTP_HMAC_IDENT ioctl to read a memory fragment. [severity:1/4; CVE-2008-4113, TKADV2008-007]
 - If it is enabled, an attacker can use the SCTP_AUTH_HMAC_ID_MAX ioctl to read a memory fragment. [severity:1/4; CVE-2008-4445]

A local attacker can therefore read the kernel memory or stop the system via SCTP-AUTH.

This computer vulnerability impacts software or systems such as Debian, Linux, Mandriva Linux, openSUSE, RHEL.

Our Vigil@nce team determined that the severity of this weakness bulletin is low.

The trust level is "confirmed by the editor", and the attack origin is a user shell.

This bulletin is about 3 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this weakness.

Solutions for this threat 

Linux kernel: version 2.6.27.
Version 2.6.27 is corrected:
  http://www.kernel.org/

Linux kernel: version 2.6.26.4.
Version 2.6.26.4 is corrected:
  ftp://ftp.kernel.org/pub/linux/kernel/v2.6/

Linux kernel: version 2.6.25.17.
Version 2.6.25.17 is corrected:
  http://www.kernel.org/

Debian 4.0r4: new linux-2.6.24 packages.
New packages are available:
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/*-2.6.24_2.6.24-6~etchnhalf.6_*.deb

Debian: new linux-2.6.24 packages.
New packages are available:
  http://security.debian.org/pool/updates/main/l/linux-2.6.24/*_2.6.24-6~etchnhalf.5_*.deb

Mandriva 2008.1: new kernel packages.
New packages are available:
 Mandriva Linux 2008.1: kernel-2.6.24.7-2mnb1

RHEL 5 MRG: new kernel packages.
New packages are available:
  kernel-rt-2.6.24.7-81.el5rt

SUSE: new kernel packages.
New packages are available:
  http://download.opensuse.org/pub/opensuse/update/11.0/rpm/i586/kernel-*-2.6.25.18-0.2.*.rpm
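
As an added example (not part of the original bulletin or of any vendor's tooling), the following shell functions classify a host from its net.sctp.auth_enable value and its upstream kernel version, using the corrected upstream versions listed above and the three cases from the description. Assumptions: the function names are hypothetical, every upstream release after 2.6.27 is taken to carry the fix, and a version with a vendor suffix is reported as "unlisted" because distributions backport fixes.

```shell
#!/bin/sh
# Added example; names are hypothetical and the sample inputs are constructed.

# upstream_status KVER -> fixed | vulnerable | unlisted
# Thresholds are the corrected upstream versions listed under "Solutions".
upstream_status() {
    kver=${1:-}
    case $kver in
        *-*) echo unlisted; return 0 ;;  # vendor or -rc suffix: ask the vendor
    esac
    old_ifs=$IFS; IFS=.; set -- $kver; IFS=$old_ifs
    maj=${1:-}; min=${2:-}; pat=${3:-0}; stb=${4:-0}
    case "$maj.$min.$pat.$stb" in
        *[!0-9.]*|.*|*..*) echo unlisted; return 0 ;;  # not a plain x.y.z[.w]
    esac
    # Assumption: every upstream release after 2.6.27 carries the fix.
    if [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -gt 6 ]; }; then
        echo fixed; return 0
    fi
    if [ "$maj" -ne 2 ] || [ "$min" -ne 6 ]; then echo unlisted; return 0; fi
    if [ "$pat" -ge 27 ]; then echo fixed
    elif [ "$pat" -eq 26 ]; then [ "$stb" -ge 4 ] && echo fixed || echo vulnerable
    elif [ "$pat" -eq 25 ]; then [ "$stb" -ge 17 ] && echo fixed || echo vulnerable
    else echo unlisted   # e.g. 2.6.24: only vendor packages are listed
    fi
}

# sctp_auth_mode VALUE -> failure mode the bulletin ties to net.sctp.auth_enable
sctp_auth_mode() {
    case ${1:-} in
        0) echo "null-deref-dos:CVE-2008-3792" ;;
        1) echo "kernel-memory-read:CVE-2008-4113,CVE-2008-4445" ;;
        *) echo "sysctl-absent" ;;   # e.g. sctp module not loaded
    esac
}

# assess AUTH_ENABLE KVER -> one-line verdict
assess() {
    status=$(upstream_status "$2")
    if [ "$status" = fixed ]; then echo fixed
    else echo "$status $(sctp_auth_mode "$1")"
    fi
}

# Live use: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    assess "$(cat /proc/sys/net/sctp/auth_enable 2>/dev/null || true)" "$(uname -r)"
fi
```

A result of "unlisted" means the upstream thresholds do not apply; compare the installed kernel package against the vendor packages listed in the solutions instead.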