Wednesday, May 18, 2011

Linux Kernel 2.6.38 Remote NULL Pointer Dereference

Title: Linux kernel 2.6.38: Remote NULL pointer dereference

Release date: 11/05/2011

Last update: 11/05/2011

Credits:

Aristide Fattori, Università degli Studi di Milano (joystick (at) security.dico.unimi (dot) it)

Roberto Paleari, Emaze Networks S.p.A (roberto.paleari (at) emaze (dot) net)

[Vulnerability Information]

Class: Remote NULL pointer dereference

CVE:

[Affected Software]

We confirm the presence of this vulnerability in the following kernel versions:

- Linux kernel 2.6.38.6 (vanilla)

- Linux kernel 2.6.38.4 (vanilla)

- Linux kernel 2.6.38.3 (vanilla)

- Debian kernel image 2.6.38-2-686

Other Linux kernel versions could also be affected by this issue.

[Vulnerability Details]

In the function icmp_send() (net/ipv4/icmp.c), the parameter passed to the dev_net() function is not properly validated. This can lead to a NULL pointer dereference that crashes the kernel.

An attacker can exploit this bug to cause a DoS, either against a specific target or against any 2.6.38.x machine connected to the local network. To cause the crash, the attacker must flood the target with fragmented IPv4 packets. Important fields in the IP packet are:

Read more: SecurityFocus
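
For defenders watching for the fragment flood described above, this added example (not from the advisory or the kernel source) classifies raw IPv4 headers as fragments using the standard "more fragments" flag and fragment-offset field, then counts fragments per source address. The table size, the per-interval limit and the sample packet are assumptions, and the check does not model the advisory's specific trigger conditions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte units */
#define MAX_SRC    64       /* table size: assumption for this sketch */

struct src_count { uint32_t saddr; unsigned frags; };
/* Zero this struct at the start of every counting interval. */
struct frag_monitor { struct src_count tab[MAX_SRC]; size_t used; };

/* 1 = fragment (MF set or offset != 0), 0 = unfragmented, -1 = malformed. */
int ipv4_is_fragment(const uint8_t *buf, size_t len, uint32_t *saddr)
{
    if (buf == NULL || len < 20 || (buf[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return -1;
    if (saddr)
        *saddr = ((uint32_t)buf[12] << 24) | ((uint32_t)buf[13] << 16) |
                 ((uint32_t)buf[14] << 8) | buf[15];
    uint16_t frag = (uint16_t)((buf[6] << 8) | buf[7]);
    return (frag & (IP_MF | IP_OFFMASK)) != 0;
}

/* Returns 1 once a source exceeds `limit` fragments in this interval. */
int monitor_feed(struct frag_monitor *m, const uint8_t *buf, size_t len,
                 unsigned limit)
{
    uint32_t src;
    if (ipv4_is_fragment(buf, len, &src) != 1)
        return 0;               /* unfragmented or malformed: not counted */
    for (size_t i = 0; i < m->used; i++)
        if (m->tab[i].saddr == src)
            return ++m->tab[i].frags > limit;
    if (m->used == MAX_SRC)
        return 1;               /* too many distinct fragment sources: alert */
    m->tab[m->used++] = (struct src_count){ src, 1 };
    return 1u > limit;
}

int main(void)
{   /* Constructed sample header: 192.0.2.10 -> 192.0.2.20, MF set. */
    const uint8_t pkt[20] = { 0x45, 0, 0, 28, 0x12, 0x34, 0x20, 0x00,
                              64, 17, 0, 0, 192, 0, 2, 10, 192, 0, 2, 20 };
    struct frag_monitor m = {0};
    for (int i = 1; i <= 5; i++)
        printf("fragment %d alert=%d\n", i, monitor_feed(&m, pkt, 20, 3));
    return 0;
}
```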
