The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Linux kernel: denial of service via IGMP

Synthesis of the vulnerability 

An attacker can send several IGMP packets, in order to stop the Linux kernel.
Vulnerable systems: Linux, openSUSE, RHEL, StoneGate Firewall, StoneGate SSL VPN, ESX.
Severity of this threat: 2/4.
Creation date: 10/01/2012.
References for this weakness: 77853, BID-51343, CERTA-2012-AVI-479, CVE-2012-0207, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, openSUSE-SU-2012:0799-1, openSUSE-SU-2012:1439-1, RHSA-2012:0107-01, RHSA-2012:0168-01, RHSA-2012:0333-01, RHSA-2012:0350-01, RHSA-2012:0422-01, VIGILANCE-VUL-11264, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability 

The Internet Group Management Protocol (IGMP) is used to define multicast groups. There are three versions:
 - IGMP v1 : RFC 1112
 - IGMP v2 : RFC 2236
 - IGMP v3 : RFC 3376

Routers (Queriers) periodically send Membership Query packets to query the list of groups on the network. Clients have a maximum delay in which to reply:
 - IGMP v1 : 10 seconds
 - IGMP v2 : indicated in the MaxRespTime field of the query
 - IGMP v3 : also indicated in the MaxRespTime field, but with a different encoding

The Linux kernel remembers the version of the Queriers located on the network. So, if an IGMP v3 query is received and there are IGMP v2 routers, the kernel changes its behavior.

The igmp_heard_query() function of the Linux kernel processes received queries, and starts a timer in order to reply later (unless another client replies first). The timer duration depends on the IGMP version. When an IGMP v3 query is received and there are IGMP v2 routers, the kernel uses the MaxRespTime field. However, if this field is zero, a division (modulo) by zero occurs.

An attacker can therefore send several IGMP packets, in order to stop the Linux kernel.
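The timer computation described above, as an added user-space model (not the kernel's code or its patch): the reply delay is drawn as a random value modulo the maximum delay, so a zero maximum must be clamped before the modulo. All function names, the TICKS_PER_UNIT constant and the clamp-to-one guard are assumptions made for this illustration; the Max Resp Code decoding follows RFC 3376.

```c
/* Added illustration: simplified user-space model, not kernel source.
 * All names below are hypothetical. */
#include <stdio.h>
#include <stdint.h>

#define TICKS_PER_UNIT 10u  /* assumed: timer ticks per 1/10 s unit */

/* Decode the IGMPv3 Max Resp Code (RFC 3376, 4.1.1) into 1/10 s units.
 * Codes below 128 are literal; others are 1 | exp (3 bits) | mant (4 bits). */
unsigned igmp3_max_resp_units(uint8_t code)
{
    if (code < 128)
        return code;
    unsigned expo = (code >> 4) & 0x7, mant = code & 0xF;
    return (mant | 0x10) << (expo + 3);
}

/* "Before": with max_delay == 0 the modulo is a division by zero
 * (undefined behaviour in C; fatal when it happens inside a kernel). */
unsigned reply_delay_unguarded(unsigned rnd, unsigned max_delay)
{
    return rnd % max_delay;
}

/* "After": clamp a zero maximum to one tick before taking the modulo. */
unsigned reply_delay_guarded(unsigned rnd, unsigned max_delay)
{
    if (max_delay == 0)
        max_delay = 1;
    return rnd % max_delay;
}

/* Delay for a v3 query handled while v2 routers are present. */
unsigned v3_query_reply_delay(uint8_t max_resp_code, unsigned rnd)
{
    unsigned max_delay = igmp3_max_resp_units(max_resp_code) * TICKS_PER_UNIT;
    return reply_delay_guarded(rnd, max_delay);
}

int main(void)
{
    /* Constructed sample codes: literal 100, encoded 0x8F, and zero. */
    const uint8_t codes[] = { 100, 0x8F, 0 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("code=0x%02X max=%u units delay=%u ticks\n", (unsigned)codes[i],
               igmp3_max_resp_units(codes[i]), v3_query_reply_delay(codes[i], 12345u));
    return 0;
}
```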

This vulnerability alert impacts software or systems such as Linux, openSUSE, RHEL, StoneGate Firewall, StoneGate SSL VPN, ESX.

Our Vigil@nce team determined that the severity of this computer weakness alert is medium.

The trust level is "confirmed by the vendor", and the attack origin is an intranet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this computer vulnerability.

Solutions for this threat 

Linux kernel: version 3.2.1.
The version 3.2.1 is corrected:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: version 3.1.9.
The version 3.1.9 is corrected:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: version 3.0.17.
The version 3.0.17 is corrected:
  http://www.kernel.org/pub/linux/kernel/v3.0/

Linux kernel: patch for IGMP.
A patch is available in information sources.

Stonesoft StoneGate Firewall/VPN: version 5.3.4.
The version 5.3.4 is corrected:
  http://www.stonesoft.com/

openSUSE 11.4: new kernel packages (05/11/2012).
New packages are available:
  kernel-2.6.37.6-24.1

openSUSE 11.4: new kernel packages (28/06/2012).
New packages are available:
  kernel-2.6.37.6-0.20.1

RHEL 5: new kernel packages.
New packages are available:
  kernel-2.6.18-274.18.1.el5

RHEL 5 RHEV: new rhev-hypervisor5 packages.
New packages are available:
  RHEV Hypervisor for RHEL-5:
    rhev-hypervisor5-5.8-20120202.0.el5

RHEL 6 MRG: new kernel-rt packages.
New packages are available:
  MRG Realtime for RHEL 6 Server v.2:
    kernel-rt-3.0.18-rt34.53.el6rt

RHEL 6: new kernel packages.
New packages are available:
  kernel-2.6.32-220.7.1.el6

RHEL 6 RHEV: new rhev-hypervisor6 packages.
New packages are available:
  rhev-hypervisor6-6.2-20120320.0.el6_2

VMware ESX 4.0: patch ESX400-201209001.
A patch is available:
  ESX400-201209001
  http://kb.vmware.com/kb/2019661

VMware ESX: version 4.1 Update 3.
The version 4.1 Update 3 is corrected:
  http://kb.vmware.com/kb/2020362