Bug 57661 (CVE-2004-0626)

Summary:	VUL-0: CVE-2004-0626: remote DOS in netfilter tcp_find_option
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Thomas Biege <thomas>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Critical
Priority:	P3 - Medium	CC:	kukuk, patch-request, rf, security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-0626: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	proposed fix for both ipv4 and ipv6

Description Marcus Meissner 2004-07-01 19:16:04 UTC

======================================================                           
Candidate: CAN-2004-0626                                                         
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0626                 
Final-Decision:                                                                  
Interim-Decision:                                                                
Modified:                                                                        
Proposed:                                                                        
Assigned: 20040630                                                               
Category: SF                                                                     
Reference: BUGTRAQ:20040630 Remote DoS vulnerability in Linux kernel 2.6.x       
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108861141304495&w=2     
                                                                                 
The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, 
when using iptables and TCP options rules, allows remote attackers to cause a 
denial of service (CPU consumption by infinite loop) via a large option length 
that produces a negative integer after a casting operation to the char type. 
 
The URL above contains a 1 liner patch. 
 
The issue is public.

Comment 1 Marcus Meissner 2004-07-01 19:16:04 UTC

<!-- SBZ_reproduce  -->
n.a.

Comment 2 Marcus Meissner 2004-07-01 19:18:34 UTC

SuSEFirewall2 is using --tcp-options by default, so a SUSE 2.6 kernel with 
enabled firewall is most likely vulnerable.

Comment 3 Thorsten Kukuk 2004-07-01 19:24:22 UTC

Move to SLES for better tracking.

Comment 4 Thorsten Kukuk 2004-07-01 19:25:31 UTC

We should try to get this fixed during the next 3 hours, so that 
our update kernel for tomorrow contains the fix already.

Comment 5 Marcus Meissner 2004-07-01 19:52:51 UTC

the very same problem is in net/ipv6/netfilter/ip6_tables.c  I think. 
 
please apply the same patch t here. (char -> u_int8_t)

Comment 6 Marcus Meissner 2004-07-01 19:57:43 UTC

errrm, we use --log-tcp-options ... not --tcp-options directly in SUSEfirewall

Comment 7 Hubert Mantel 2004-07-01 20:06:16 UTC

Marcus, can you please send me the fixes for both ipv4 and ipv6?
Dowe also need something for kernel 2.4?

Comment 8 Hubert Mantel 2004-07-01 20:15:09 UTC

Created attachment 21858 [details]
proposed fix for both ipv4 and ipv6

I'm going to add this fix. If somebody disagrees, please speak ASAP!

Comment 9 Marcus Meissner 2004-07-01 20:16:35 UTC

looks good to me.

Comment 10 Hubert Mantel 2004-07-01 20:22:14 UTC

Fixed kernel has been submitted for check in.

Comment 11 Marcus Meissner 2004-07-01 20:34:20 UTC

2.4 kernel does not have that code, and i briefly checked its tcp options 
handling in both v4 and v6 netfilter, it uses u_int8_t, so it seems safe.

Comment 12 Marcus Meissner 2004-07-01 22:13:44 UTC

the v6 part has a an additional seperate CAN: CAN-2004-0592

Comment 13 Thomas Biege 2004-07-05 16:11:02 UTC

packages approved

Comment 14 Thomas Biege 2009-10-13 20:27:38 UTC

CVE-2004-0626: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)