__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
     ___  __ __    _     ___
    /       |     /_\   /
    \___  __|__  /   \  \___
__________________________________________________________

INFORMATION BULLETIN

KAME Project IPv6 IPComp Vulnerability
[US-CERT Vulnerability Note VU#110947]

February 11, 2008 19:00 GMT                                    Number S-170
______________________________________________________________________________
PROBLEM:       The KAME project's IPv6 implementation does not properly
               process IPv6 packets that contain the IPComp header.
PLATFORM:      IPv6
DAMAGE:        Denial of service.
SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. If exploited, this vulnerability may allow an
ASSESSMENT:    attacker to cause a vulnerable system to crash.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-170.shtml
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/110947
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177
______________________________________________________________________________
[***** Start US-CERT Vulnerability Note VU#110947 *****]

Vulnerability Note VU#110947

KAME project IPv6 IPComp header denial of service vulnerability

Overview

The KAME project's IPv6 implementation does not properly process IPv6 packets
that contain the IPComp header. If exploited, this vulnerability may allow an
attacker to cause a vulnerable system to crash.

I. Description

Per RFC 3173:

    IP payload compression is a protocol to reduce the size of IP datagrams.
    This protocol will increase the overall communication performance
    between a pair of communicating hosts/gateways ("nodes") by compressing
    the datagrams, provided the nodes have sufficient computation power,
    through either CPU capacity or a compression coprocessor, and the
    communication is over slow or congested links.

Systems that have IPv6 networking derived from the KAME project IPv6
implementation may not properly process IPv6 packets that contain an IPComp
header. An attacker can exploit this vulnerability by sending an IPv6 packet
with an IPComp header to a vulnerable system.

II. Impact

A remote, unauthenticated attacker can cause a vulnerable system to crash.

III. Solution

See the systems affected section of this document for a partial list of
affected vendors. Administrators who compile their kernel from source should
see
http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
for more information.

Restrict access

Until updates can be applied, using a packet-filtering firewall to block IPv6
packets that contain the IPComp header may prevent this vulnerability from
being exploited by remote attackers.

Systems Affected

Vendor                                          Status          Date Updated
3com, Inc.                                      Unknown         30-Nov-2007
Alcatel                                         Unknown         30-Nov-2007
Apple Computer, Inc.                            Unknown         30-Nov-2007
AT&T                                            Unknown         30-Nov-2007
Avaya, Inc.                                     Unknown         30-Nov-2007
Avici Systems, Inc.                             Unknown         30-Nov-2007
Borderware Technologies                         Not Vulnerable  30-Jan-2008
Bro                                             Unknown         30-Nov-2007
CentOS                                          Unknown         21-Jan-2008
Charlotte's Web Networks                        Unknown         30-Nov-2007
Check Point Software Technologies               Unknown         30-Nov-2007
Chiaro Networks, Inc.                           Unknown         30-Nov-2007
Cisco Systems, Inc.                             Not Vulnerable  8-Feb-2008
Clavister                                       Unknown         30-Nov-2007
Computer Associates                             Not Vulnerable  1-Feb-2008
Computer Associates eTrust Security Management  Not Vulnerable  1-Feb-2008
Conectiva Inc.                                  Unknown         30-Nov-2007
Cray Inc.                                       Unknown         30-Nov-2007
D-Link Systems, Inc.                            Unknown         30-Nov-2007
Data Connection, Ltd.                           Unknown         30-Nov-2007
Debian GNU/Linux                                Not Vulnerable  6-Feb-2008
EMC Corporation                                 Unknown         30-Nov-2007
Engarde Secure Linux                            Unknown         30-Nov-2007
Enterasys Networks                              Unknown         30-Nov-2007
Ericsson                                        Unknown         30-Nov-2007
eSoft, Inc.                                     Unknown         30-Nov-2007
Extreme Networks                                Unknown         30-Nov-2007
F5 Networks, Inc.                               Unknown         30-Nov-2007
Fedora Project                                  Unknown         30-Nov-2007
Force10 Networks, Inc.                          Vulnerable      6-Feb-2008
Fortinet, Inc.                                  Unknown         30-Nov-2007
Foundry Networks, Inc.                          Unknown         30-Nov-2007
FreeBSD, Inc.                                   Vulnerable      6-Feb-2008
Fujitsu                                         Unknown         30-Nov-2007
Gentoo Linux                                    Unknown         30-Nov-2007
Global Technology Associates                    Not Vulnerable  12-Dec-2007
Hewlett-Packard Company                         Unknown         30-Nov-2007
Hitachi                                         Not Vulnerable  1-Feb-2008
Hyperchip                                       Unknown         30-Nov-2007
IBM Corporation                                 Not Vulnerable  6-Feb-2008
IBM Corporation (zseries)                       Unknown         30-Nov-2007
IBM eServer                                     Unknown         30-Nov-2007
Ingrian Networks, Inc.                          Unknown         30-Nov-2007
Intel Corporation                               Unknown         1-Feb-2008
Internet Security Systems, Inc.                 Not Vulnerable  6-Feb-2008
Intoto                                          Not Vulnerable  8-Feb-2008
IP Filter                                       Unknown         30-Nov-2007
Juniper Networks, Inc.                          Vulnerable      7-Feb-2008
KAME Project                                    Vulnerable      7-Feb-2008
Linksys (A division of Cisco Systems)           Unknown         30-Nov-2007
Lucent Technologies                             Unknown         30-Nov-2007
Luminous Networks                               Unknown         30-Nov-2007
m0n0wall                                        Unknown         30-Nov-2007
Mandriva, Inc.                                  Unknown         30-Nov-2007
McAfee                                          Not Vulnerable  12-Dec-2007
Microsoft Corporation                           Unknown         30-Nov-2007
MontaVista Software, Inc.                       Unknown         30-Nov-2007
Multinet (owned Process Software Corporation)   Unknown         30-Nov-2007
Multitech, Inc.                                 Unknown         30-Nov-2007
NEC Corporation                                 Unknown         30-Nov-2007
NetBSD                                          Vulnerable      12-Dec-2007
netfilter                                       Unknown         30-Nov-2007
Network Appliance, Inc.                         Unknown         30-Nov-2007
NextHop Technologies, Inc.                      Unknown         30-Nov-2007
Nokia                                           Unknown         5-Feb-2008
Nortel Networks, Inc.                           Unknown         30-Nov-2007
Novell, Inc.                                    Not Vulnerable  1-Feb-2008
OpenBSD                                         Unknown         30-Nov-2007
Openwall GNU/*/Linux                            Unknown         30-Nov-2007
PC-BSD                                          Unknown         5-Feb-2008
QNX, Software Systems, Inc.                     Vulnerable      1-Feb-2008
RadWare, Inc.                                   Unknown         5-Feb-2008
Red Hat, Inc.                                   Unknown         30-Nov-2007
Redback Networks, Inc.                          Not Vulnerable  5-Feb-2008
Riverstone Networks, Inc.                       Unknown         30-Nov-2007
Secure Computing Network Security Division      Not Vulnerable  12-Dec-2007
Secureworx, Inc.                                Unknown         30-Nov-2007
Silicon Graphics, Inc.                          Unknown         30-Nov-2007
Slackware Linux Inc.                            Unknown         30-Nov-2007
SmoothWall                                      Not Vulnerable  12-Dec-2007
Snort                                           Unknown         30-Nov-2007
Sony Corporation                                Unknown         30-Nov-2007
Sourcefire                                      Unknown         30-Nov-2007
Stonesoft                                       Unknown         30-Nov-2007
Sun Microsystems, Inc.                          Not Vulnerable  6-Feb-2008
SUSE Linux                                      Unknown         30-Nov-2007
Symantec, Inc.                                  Unknown         30-Nov-2007
The SCO Group                                   Not Vulnerable  12-Dec-2007
TippingPoint, Technologies, Inc.                Not Vulnerable  12-Dec-2007
Trustix Secure Linux                            Unknown         30-Nov-2007
Turbolinux                                      Unknown         30-Nov-2007
Ubuntu                                          Unknown         30-Nov-2007
Unisys                                          Unknown         30-Nov-2007
Watchguard Technologies, Inc.                   Unknown         30-Nov-2007
Wind River Systems, Inc.                        Unknown         30-Nov-2007
ZyXEL                                           Unknown         30-Nov-2007

References

http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
http://www.kame.net/
http://www.ietf.org/rfc/rfc3173.txt
http://secunia.com/advisories/28816/
http://secunia.com/advisories/28788/
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
http://jvn.jp/cert/JVNVU%23110947/

Credit

Thanks to Shoichi Sakane of the KAME project for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

Date Public                 02/06/2008
Date First Published        02/06/2008 07:05:57 AM
Date Last Updated           02/11/2008
CERT Advisory
CVE Name                    CVE-2008-0177
US-CERT Technical Alerts
Metric                      4.39
Document Revision           33

[***** End US-CERT Vulnerability Note VU#110947 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of US-CERT for the information
contained in this bulletin.
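
Added example (not part of the CIAC or US-CERT text, and not KAME project
code): the "Restrict access" workaround depends on the filter recognising an
IPComp header (IP protocol number 108) wherever it sits in the packet, and in
IPv6 it can follow other extension headers, so a match on the fixed header's
Next Header field alone is not enough. The function name and the two sample
packets below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* IANA protocol numbers as they appear in the IPv6 Next Header field. */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60, NH_IPCOMP = 108 };
/* Constructed samples, all-zero addresses: DstOpts then IPComp, and plain TCP. */
static const uint8_t PKT_DST_IPCOMP[52] = { [0] = 0x60, [5] = 12,
    [6] = NH_DSTOPTS, [40] = NH_IPCOMP, [42] = 1, [43] = 4,  /* PadN option */
    [48] = NH_TCP, [51] = 2 };                               /* IPComp hdr  */
static const uint8_t PKT_TCP[60] = { [0] = 0x60, [5] = 20, [6] = NH_TCP };

/* 1: IPComp is in the header chain, 0: it is not, -1: truncated or not IPv6. */
int ipv6_has_ipcomp(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    uint8_t nh = pkt[6];                /* Next Header of the fixed header */
    size_t off = 40, hlen;              /* the fixed header is 40 bytes */
    for (int i = 0; i < 16; i++) {      /* bound the walk */
        switch (nh) {
        case NH_IPCOMP: return 1;
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-byte units after the first 8 */
            break;
        case NH_AH:
            if (off + 2 > len) return -1;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;  /* 4-byte units minus 2 */
            break;
        case NH_FRAGMENT:
            if (off + 8 > len) return -1;
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) != 0)
                return pkt[off] == NH_IPCOMP;       /* later fragment: no more headers here */
            hlen = 8;
            break;
        default: return 0;              /* upper-layer protocol or ESP ends the chain */
        }
        if (off + hlen > len) return -1;
        nh = pkt[off];
        off += hlen;
    }
    return -1;                          /* too many extension headers */
}

int main(void)
{
    printf("%d %d\n", ipv6_has_ipcomp(PKT_DST_IPCOMP, 52), ipv6_has_ipcomp(PKT_TCP, 60));
    return 0;
}
```

A filter built on this check should treat a return of 1 as a drop, and decide
by local policy whether -1 (truncated or malformed chain) is dropped as well.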
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.