CERT-FI Vulnerability Advisory on NetBSD
Version Information
Advisory Reference FICORA #190172
Release Date 05 September 2008 08:00 UTC
Last Revision 05 September 2008
Version Number 1.1
Acknowledgement
Vulnerabilities were discovered by Miikka Saukko, Ossi Herrala and Jukka Taimisto from the CROSS project at Codenomicon Ltd., and reported directly to the vendor through CERT-FI.
What is Affected?
The vulnerabilities described in this advisory affect NetBSD versions 4.0 and -current.
Impact
The vulnerabilities can lead to a Denial-of-Service (DoS) condition.
Summary
A programming error leads to a 'supervisor trap integer divide fault' and halts the NetBSD kernel when it receives a malformed ICMPv6 MLD query.
Details
The problem occurs when NetBSD receives an ICMPv6 MLD-QUERY packet that has the Maximum-Response-Delay field set to the value 0x0001 (we have verified that the fault also occurs with values 0x0002 - 0x0009). The fault occurs in the function mld_input() (in src/sys/netinet6/mld6.c), when the timeout value is calculated:
        mld_timerresid(in6m) > (u_long)timer) {
            in6m->in6m_timer = arc4random() %
                (int)(((long)timer * hz) / 1000);
            mld_starttimer(in6m);
The 'timer' variable contains the anomalous value from the received MLD query, and it causes the expression
    (int)(((long)timer * hz) / 1000)
to evaluate to 0. This expression is the right-hand operand of the % operator, so the modulo operation triggers the integer divide fault.
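The arithmetic described above, as an added example (it is not NetBSD's code and not the vendor patch): it computes the divisor for each Maximum-Response-Delay value and shows one way to guard the modulo. The tick rate hz = 100 and the helper names mld_delay_ticks, zero_divisor_count and mld_pick_timer are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Divisor from the advisory's expression: (int)(((long)timer * hz) / 1000).
 * timer_ms is the Maximum-Response-Delay field in milliseconds. */
static int mld_delay_ticks(uint16_t timer_ms, int hz)
{
    return (int)(((long)timer_ms * hz) / 1000);
}

/* Count the non-zero field values whose divisor truncates to 0 for this hz. */
static unsigned zero_divisor_count(int hz)
{
    unsigned n = 0;
    for (unsigned t = 1; t <= UINT16_MAX; t++)
        if (mld_delay_ticks((uint16_t)t, hz) == 0)
            n++;
    return n;
}

/* Hypothetical guarded form: rnd stands in for arc4random(). When the delay
 * is shorter than one tick there is no range to randomise over, so return 0
 * instead of evaluating rnd % 0. */
static uint32_t mld_pick_timer(uint16_t timer_ms, int hz, uint32_t rnd)
{
    int ticks = mld_delay_ticks(timer_ms, hz);
    if (ticks <= 0)
        return 0;
    return rnd % (uint32_t)ticks;
}

int main(void)
{
    const int hz = 100; /* assumed tick rate, not stated in the advisory */
    printf("hz=%d: %u field values give a zero divisor\n",
           hz, zero_divisor_count(hz));
    for (unsigned t = 1; t <= 10; t++)
        printf("timer=0x%04x divisor=%d guarded=%u\n", t,
               mld_delay_ticks((uint16_t)t, hz),
               (unsigned)mld_pick_timer((uint16_t)t, hz, 12345u));
    return 0;
}
```

With the assumed hz = 100, exactly the values 0x0001 - 0x0009 produce a zero divisor, which matches the range reported in the advisory.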
Solution
Patch the affected software with the patches supplied by the vendor.
Vendor Statements
NetBSD
The issue is covered in the advisory
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-011.txt.asc
KAME
Some recent KAME code has been found vulnerable.
Juniper
Unknown
Apple
This issue does not affect shipping versions of Mac OS X.
FreeBSD
The bug was present in the source tree and has been fixed. However, neither i386, pc98, amd64 nor sparc64 were affected in the currently supported branches and default configuration.
Credits
CERT-FI would like to thank Codenomicon for providing the vulnerability information and Adrian Portelli and Daniel Carosone of NetBSD for their co-operation.
Contact Information
CERT-FI Vulnerability Coordination can be contacted as follows:
Email:
vulncoord@ficora.fi
Please quote the advisory reference in the subject line
Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)
Fax:
+358 9 6966 515
Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND
CERT-FI encourages those who wish to communicate via email to make use of our PGP key. The key is available at https://www.cert.fi/en/activities/contact/pgp-keys.html