CVE-2006-0054
CVSS 5.0
Published: 2006-01-11 16:03:00
Last revised: 2008-09-05 16:58:14

[Original] The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.


[CNNVD] FreeBSD IPFW IP Remote Denial of Service Vulnerability (CNNVD-200601-109)

        The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.

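- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]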

- CPE (Affected Platforms and Products)

cpe:/o:freebsd:freebsd:6.0:stable
cpe:/o:freebsd:freebsd:6.0:release

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0054
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0054
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-109
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/16209
(PATCH)  BID  16209
http://secunia.com/advisories/18378
(VENDOR_ADVISORY)  SECUNIA  18378
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-06:04
http://xforce.iss.net/xforce/xfdb/24073
(UNKNOWN)  XF  ipfw-icmp-fragment-dos(24073)
http://www.osvdb.org/22319
(UNKNOWN)  OSVDB  22319
http://securitytracker.com/id?1015477
(UNKNOWN)  SECTRACK  1015477

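- Vulnerability Information

FreeBSD IPFW IP Remote Denial of Service Vulnerability
Medium severity, design error
2006-01-11 00:00:00 2006-01-13 00:00:00
Remote
        The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.

- Advisories and Patches

        The vendor has released an upgrade patch to fix this security issue. Patch download links: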
        FreeBSD FreeBSD 6.0 -RELEASE
        FreeBSD ipfw.patch
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch
        FreeBSD FreeBSD 6.0 -STABLE
        FreeBSD ipfw.patch
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch

- Vulnerability Information (F43051)

FreeBSD-SA-06-04.ipfw.txt (PacketStormID:F43051)
2006-01-15 00:00:00
 
advisory,tcp
freebsd
CVE-2006-0054

FreeBSD Security Advisory - ipfw maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:04.ipfw                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ipfw IP fragment denial of service

Category:       core
Module:         ipfw
Announced:      2006-01-11
Credits:        Oleg Bulyzhin
Affects:        FreeBSD 6.0-RELEASE
Corrected:      2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
                2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
CVE Name:       CVE-2006-0054

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

ipfw(8) is a system facility which provides IP packet filtering,
accounting, and redirection. Among the many features, while discarding
packets it can perform actions defined by the user, such as sending
back TCP reset or ICMP unreachable packets. These operations can be
performed by using the reset, reject or unreach actions.

II.  Problem Description

The firewall maintains a pointer to layer 4 header information in the
event that it needs to send a TCP reset or ICMP error message to
discard packets.  Due to incorrect handling of IP fragments, this
pointer fails to get initialized.

III. Impact

An attacker can cause the firewall to crash by sending ICMP IP
fragments to or through firewalls which match any reset, reject or
unreach actions.

IV.  Workaround

Change any reset, reject or unreach actions to deny. It should be
noted that this will result in packets being silently discarded.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:04/ipfw.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/netinet/ip_fw2.c                                      1.106.2.6
RELENG_6_0
  src/UPDATING                                              1.416.2.3.2.7
  src/sys/conf/newvers.sh                                    1.69.2.8.2.3
  src/sys/netinet/ip_fw2.c                                  1.106.2.3.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0054

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:04.ipfw.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDxL4vFdaIBMps37IRAmrZAJ4qRzdR0zR0u9ZY5RTTsMF5ZcGBUACfa5Gn
9kbuhOTex8BBlNFRHYCd9e4=
=WcS+
-----END PGP SIGNATURE-----
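
The workaround in section IV of the advisory (change reset, reject and unreach actions to deny) can be checked against a saved ruleset before it is loaded. The following is an added example, not part of the FreeBSD advisory: the function name `ipfw_workaround` and the sample rules are constructed, and it assumes input in `ipfw list` format (rule number, optional `set N` / `prob P`, then the action). It only transforms text and does not touch the running firewall.

```shell
#!/bin/sh
# Constructed sample in `ipfw list` format (not taken from a real host).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 reset tcp from any to any dst-port 113
00300 unreach port udp from any to me
00400 set 5 reject log ip from 192.0.2.0/24 to any
65535 deny ip from any to any'

# ipfw_workaround MODE < rules   (hypothetical helper for this example)
#   audit   : print the numbers of rules using reset, reject or unreach
#   rewrite : print the whole ruleset with those actions changed to deny
ipfw_workaround() {
    awk -v mode="$1" '
    {
        i = 2                                        # field 1 is the rule number
        while ($i == "set" || $i == "prob") i += 2   # skip optional prefixes
        act = $i
        risky = (act == "reset" || act == "reject" || act == "unreach")
        if (mode == "audit") { if (risky) print $1; next }
        if (!risky) { print; next }
        # unreach is followed by a code argument (port, host, ...): drop it
        skip = (act == "unreach") ? i + 1 : 0
        out = ""
        for (j = 1; j <= NF; j++) {
            if (j == skip) continue
            sep = (j > 1) ? " " : ""
            tok = (j == i) ? "deny" : $j
            out = out sep tok
        }
        print out
    }'
}

# Stand-alone run: list affected rule numbers, then the rewritten ruleset.
printf '%s\n' "$SAMPLE_RULES" | ipfw_workaround audit
printf '%s\n' "$SAMPLE_RULES" | ipfw_workaround rewrite
```

As the advisory notes, the rewritten rules discard packets silently, so peers no longer receive a TCP reset or ICMP error for the affected traffic.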
    

- Vulnerability Information

22319
FreeBSD ipfw Layer 4 Tracking Fragmented IP Packet Remote DoS
Remote / Network Access Denial of Service
Loss of Availability

- Vulnerability Description

FreeBSD contains a flaw that may allow a remote denial of service. The issue is triggered when a malicious attacker sends ICMP IP fragments to or through an ipfw firewall which match any reset, reject or unreach actions. Due to the incorrect handling of IP fragments, the pointer to layer 4 header information fails to get initialized, resulting in loss of availability for the platform.

- Timeline

2006-01-11 Unknown
Unknown Unknown

- Solution

Upgrade to version 6.0-STABLE or to the RELENG_6_0 security branch dated after the correction date, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch to address this vulnerability.

- Related References

- Vulnerability Credit

- Vulnerability Information

FreeBSD IPFW IP Fragment Remote Denial Of Service Vulnerability
Design Error 16209
Yes No
2006-01-11 12:00:00 2006-01-11 12:00:00
The vendor disclosed this issue.

- Affected Versions

FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE

- Discussion

FreeBSD's IPFW is susceptible to a remote denial of service vulnerability. This issue is due to a flaw in affected kernels that results in an uninitialized kernel memory access when handling ICMP IP fragments.

This issue allows remote attackers to crash affected kernels, denying further network service to legitimate users.

- Exploit

An exploit is not required.

- Solution

FreeBSD has released an advisory, along with a patch to address this issue. The FreeBSD-6.0-STABLE CVS tree has had fixes applied since 2006-01-11 08:03:18 UTC. Please see the referenced advisory for further information.


FreeBSD FreeBSD 6.0 -RELEASE

FreeBSD FreeBSD 6.0 -STABLE

- Related References

 

 
