The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.

The remote host is affected by the vulnerability described in GLSA-200407-12 (Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling)

    An attacker can utilize an erroneous data type in the IPTables TCP option     handling code, which lies in an iterator. By making a TCP packet with a     header length larger than 127 bytes, a negative integer would be implied in     the iterator.
  Impact :

    By sending one malformed packet, the kernel could get stuck in a loop,     consuming all of the CPU resources and rendering the machine useless,     causing a Denial of Service. This vulnerability requires no local access.
  Workaround :

    If users do not use the netfilter functionality or do not use any     ``--tcp-option'' rules they are not vulnerable to this exploit. Users that     are may remove netfilter support from their kernel or may remove any     ``--tcp-option'' rules they might be using. However, all users are urged to     upgrade their kernels to patched versions.

The remote host is missing the patch for the advisory SUSE-SA:2004:020 (kernel).


Multiple security vulnerabilities are being addressed with this security update of the Linux kernel.

Kernel memory access vulnerabilities are fixed in the e1000, decnet, acpi_asus, alsa, airo/WLAN, pss and mpu401 drivers. These vulnerabilities can lead to kernel memory read access, write access and local denial of service conditions, resulting in access to the root account for an attacker with a local account on the affected system.

Missing Discretionary Access Control (DAC) checks in the chown(2) system call allow an attacker with a local account to change the group ownership of arbitrary files, which leads to root privileges on affected systems. It is specific to kernel version 2.6 based systems such as the SUSE Linux 9.1 product, that only local shell access is needed to exploit this vulnerability. An interesting variant of the missing checks is that the ownership of files in the /proc filesystem can be altered, while the changed ownership still does not allow the files to be accessed as a non-root user for to be able to exploit the vulnerability. Systems that are based on a version 2.4 kernel are not vulnerable to the /proc weakness, and exploitation of the weakness requires the use of the kernel NFS server (knfsd). If the knfsd NFS server is not activated (it is off by default), the vulnerability is not exposed. These issues related to the chown(2) system call have been discovered by Michael Schroeder and Ruediger Oertel, both SUSE LINUX.

The only network-related vulnerability fixed with the kernel updates that are subject to this announcement affect the SUSE Linux 9.1 distribution only, as it is based on a 2.6 kernel. Found and reported to bugtraq by Adam Osuchowski and Tomasz Dubinski, the vulnerability allows a remote attacker to send a specially crafted TCP packet to a vulnerable system, causing that system to stall if it makes use of TCP option matching netfilter rules.

In some rare configurations of the SUSE Linux 9.1 distribution, some users have experienced stalling systems during system startup. These problems are fixed with this kernel update.

This security update fixes the remote DoS possibility identified and fixed by Adam Osuchowski and Tomasz Dubinski in the netfilter code of the 2.6 kernel. Note that this remote DoS can only be triggered when using the rarely used '-p tcp --tcp-option' options in the netfilter firewall subsystem. Fedora Core 2 systems are not vulnerable unless the administrator manually configured this rarely used option.

For more information see http://www.securityfocus.com/archive/1/367615/2004-06-27/2004-07-03/0

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was possible to crash the remote host by sending a specially malformed TCP/IP packet with invalid TCP options. Only version 2.6 of the Linux kernel is known to be affected by this problem. An attacker may use this flaw to disable this host remotely.

ID	Name	Product	Family	Severity
14545	GLSA-200407-12 : Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling	Nessus	Gentoo Local Security Checks	medium
13836	SUSE-SA:2004:020: kernel	Nessus	SuSE Local Security Checks	high
13733	Fedora Core 2 : kernel-2.6.6-1.435.2.1 (2004-202)	Nessus	Fedora Local Security Checks	medium
12296	Linux 2.6 Netfilter TCP Option Matching DoS	Nessus	Denial of Service	medium

Detections

Analytics

CVE-2004-0626

high

Tenable Plugins

medium

high

medium

medium