Linux SCTP Functionality Multiple Remote DoS

This script is Copyright (C) 2006-2014 Tenable Network Security, Inc.


Synopsis :

It is possible to crash the remote host by sending it a malformed SCTP
packet.

Description :

There is a flaw in the Linux kernel on the remote host that causes a
kernel panic when it receives an SCTP packet with a chunk data packet
of length 0. An attacker can leverage this flaw to crash the remote
host. Additionally, other types of crafted packets can cause a remote
denial of service in various SCTP-related functions.

Note that successful exploitation of this issue requires that the
kernel support SCTP protocol connection tracking.
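
Added example (not the kernel's code and not part of the Nessus plugin):
a user-space C sketch of the length checks a chunk walker needs, so that
a chunk whose length field is 0 is rejected instead of leaving the
walker stuck on the same offset. The function name, the constants and
the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define SCTP_COMMON_HDR_LEN 12  /* ports, verification tag, checksum */
#define SCTP_CHUNK_HDR_LEN   4  /* type, flags, 16-bit length */

/* Hypothetical helper: walk the chunks of one SCTP packet (buf points at
 * the SCTP common header). Returns the number of well-formed chunks, or
 * -1 as soon as a malformed chunk is found. */
int sctp_count_chunks(const uint8_t *buf, size_t len)
{
    size_t off = SCTP_COMMON_HDR_LEN;
    int count = 0;

    if (len < SCTP_COMMON_HDR_LEN)
        return -1;                    /* no room for the common header */

    while (off < len) {
        size_t remaining = len - off;
        size_t clen, padded;

        if (remaining < SCTP_CHUNK_HDR_LEN)
            return -1;                /* truncated chunk header */

        /* The length field is big-endian and includes the chunk header. */
        clen = ((size_t)buf[off + 2] << 8) | buf[off + 3];

        if (clen < SCTP_CHUNK_HDR_LEN)
            return -1;  /* covers length 0: the offset would never advance */
        if (clen > remaining)
            return -1;  /* chunk claims more bytes than the packet holds */

        padded = (clen + 3) & ~(size_t)3;   /* chunks are 4-byte aligned */
        if (padded > remaining)
            padded = remaining;  /* tolerate missing pad on the last chunk */
        off += padded;
        count++;
    }
    return count;
}

/* Constructed sample packets: zeroed common header plus one chunk header. */
static const uint8_t ok_pkt[32]       = { [12] = 0x00, 0x03, 0x00, 0x14 };
static const uint8_t zero_len_pkt[16] = { [12] = 0x00, 0x03, 0x00, 0x00 };
static const uint8_t overlong_pkt[16] = { [12] = 0x00, 0x03, 0x00, 0x40 };
```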

See also :

http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024241.html
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.1
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.23
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.3

Solution :

Upgrade to Linux kernel 2.6.16.23 / 2.6.17.3 or later.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Denial of Service

Nessus Plugin ID: 21333 (linux_sctp_chunk_header_dos.nasl)

Bugtraq ID: 17806, 18550, 18755

CVE ID: CVE-2006-1527, CVE-2006-2934, CVE-2006-3085