NetBSD-Announce archive


NetBSD Security Advisory 2011-004: Kernel stack overflow via nested IPCOMP packet


                 NetBSD Security Advisory 2011-004

Topic:          Kernel stack overflow via nested IPCOMP packet

Version:        NetBSD-current:         source prior to April 1st, 2011
                NetBSD 5.0.*:           affected
                NetBSD 5.0:             affected
                NetBSD 5.1:             affected
                NetBSD 4.0.*:           affected
                NetBSD 4.0:             affected

Severity:       remote DOS, possible memory corruption

Fixed:          NetBSD-current:         April 1st, 2011
                NetBSD-5-0 branch:      April 3rd, 2011
                        (5.0.3 will include the fix)
                NetBSD-5-1 branch:      April 3rd, 2011
                        (5.1.1 will include the fix)
                NetBSD-5 branch:        April 3rd, 2011
                NetBSD-4-0 branch:      April 3rd, 2011
                NetBSD-4 branch:        April 3rd, 2011

Please note that NetBSD releases prior to 4.0 are no longer supported.
It is recommended that all users upgrade to a supported release.


A malicious packet containing nested IP Payload Compression Protocol
(IPComp, RFC 3173) headers can cause a panic due to kernel stack exhaustion
in a kernel built with option IPSEC. Under certain conditions, kernel
memory may be overwritten. In kernels built with option FAST_IPSEC, a
sufficient quantity of such packets may cause a denial of service.

This vulnerability has been assigned CVE-2011-1547.

Technical Details

The option IPSEC stack recurses through the packet headers, expecting a
chain of the form ESP/AH-IPCOMP-payload. Because the payload is decompressed
at each level, a small on-the-wire IPCOMP-IPCOMP-... packet may expand into
a great many headers, and recursing once per header can exhaust the kernel
stack, triggering a panic.
The kernel stack may overflow into adjacent memory, causing memory
corruption; on amd64 and i386 (and some other architectures) option
DIAGNOSTIC in the kernel prevents this corruption, causing an earlier panic
instead.

The IPv4 FAST_IPSEC stack merely iterates through the packet headers, so a
single packet cannot exhaust the stack, but a quine packet (one whose
decompressed payload is again the same IPCOMP packet) may essentially
iterate forever and thus tie up resources. With FAST_IPSEC, an SA must be
configured for ipcomp before such packets are admitted at all.

Neither IPSEC nor FAST_IPSEC are enabled in NetBSD kernels by default.

Solutions and Workarounds

Workaround: If you do not expect plain ipcomp packets, filter out incoming
proto ipcomp (IP protocol 108) packets using ipfilter, pf or npf. This is
not sufficient if you need to allow IPSEC and cannot trust your IPSEC
peers, since the nested headers arrive inside the protected payload.

Fix: Patch, recompile, and reinstall the kernel, then reboot.


  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/sys/netinet6/ipcomp_input.c         1.37
  netbsd-5-0    src/sys/netinet6/ipcomp_input.c
  netbsd-5-1    src/sys/netinet6/ipcomp_input.c
  netbsd-5      src/sys/netinet6/ipcomp_input.c
  netbsd-4-0    src/sys/netinet6/ipcomp_input.c
  netbsd-4      src/sys/netinet6/ipcomp_input.c


  CVS branch    file                                    revision
  ------------- ----------------                        --------
  HEAD          src/sys/netipsec/xform_ipcomp.c         1.26
  netbsd-5-0    src/sys/netipsec/xform_ipcomp.c
  netbsd-5-1    src/sys/netipsec/xform_ipcomp.c
  netbsd-5      src/sys/netipsec/xform_ipcomp.c
  netbsd-4-0    src/sys/netipsec/xform_ipcomp.c
  netbsd-4      src/sys/netipsec/xform_ipcomp.c

The following instructions briefly summarize how to update and
recompile the kernel. In these instructions, replace:

  VERSION  with the fixed version from the appropriate CVS branch
           (from the above table)
  FILE     with the name of the file from the above table
  ARCH     with your architecture (from uname -m), and
  KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

        # cd src
        # cvs update -r VERSION FILE
        # ./build.sh kernel=KERNCONF
        # cp sys/arch/ARCH/compile/obj/KERNCONF/netbsd /netbsd.new
        # mv /netbsd /netbsd.old && mv /netbsd.new /netbsd

then reboot:

        # shutdown -r now

For more information on how to do this, see:

Thanks To

Thanks to Tavis Ormandy, Google Security Team, for finding the issue.

Revision History

        2011-04-07      Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2011, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2011-004.txt,v 1.1 2011/04/06 22:06:57 tonnerre Exp $


