GLSA-200407-12 : Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling
Medium Nessus Plugin ID 14545
SynopsisThe remote Gentoo host is missing one or more security-related patches.
DescriptionThe remote host is affected by the vulnerability described in GLSA-200407-12 (Linux Kernel: Remote DoS vulnerability with IPTables TCP Handling)
An attacker can utilize an erroneous data type in the IPTables TCP option handling code, which lies in an iterator. By making a TCP packet with a header length larger than 127 bytes, a negative integer would be implied in the iterator.
By sending one malformed packet, the kernel could get stuck in a loop, consuming all of the CPU resources and rendering the machine useless, causing a Denial of Service. This vulnerability requires no local access.
If users do not use the netfilter functionality or do not use any ``--tcp-option'' rules they are not vulnerable to this exploit. Users that are may remove netfilter support from their kernel or may remove any ``--tcp-option'' rules they might be using. However, all users are urged to upgrade their kernels to patched versions.
SolutionUsers are encouraged to upgrade to the latest available sources for their system:
# emerge sync # emerge -pv your-favorite-sources # emerge your-favorite-sources # # Follow usual procedure for compiling and installing a kernel.
# # If you use genkernel, run genkernel as you would do normally.