Bugzilla – Bug 57661
VUL-0: CVE-2004-0626: remote DOS in netfilter tcp_find_option
Last modified: 2021-10-14 14:34:52 UTC
======================================================
Candidate: CAN-2004-0626
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0626
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040630
Category: SF
Reference: BUGTRAQ:20040630 Remote DoS vulnerability in Linux kernel 2.6.x
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108861141304495&w=2

The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.

The URL above contains a one-liner patch. The issue is public.

Reproduce: n.a.
SuSEFirewall2 is using --tcp-options by default, so a SUSE 2.6 kernel with the firewall enabled is most likely vulnerable.
Move to SLES for better tracking.
We should try to get this fixed during the next 3 hours, so that our update kernel for tomorrow contains the fix already.
the very same problem is in net/ipv6/netfilter/ip6_tables.c I think. please apply the same patch there. (char -> u_int8_t)
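To make the defect in the CVE description and the char -> u_int8_t fix discussed in the comment above concrete, here is an added example (constructed for this page, not the kernel's own tcp_find_option code): a simplified reconstruction of the option-scan loop in its defective and fixed forms, run over constructed option bytes. The SCAN_LIMIT cap, the bounds check in the fixed form and the sample buffers are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the kernel's code: a simplified reconstruction of the
 * TCP option scan the CVE text describes. SCAN_LIMIT caps the defective loop so
 * this demo cannot hang; the real loop has no such cap (CPU-consuming DoS). */
#define SCAN_LIMIT 1000

/* Defective form: option bytes read through signed char (plain char on x86).
 * Returns 1 if 'want' is found, 0 if not, -1 if the scan did not terminate. */
int find_option_vulnerable(const uint8_t *raw, unsigned int optlen, uint8_t want)
{
    const signed char *op = (const signed char *)raw;
    unsigned int i = 0, steps = 0;
    while (i < optlen) {
        if (++steps > SCAN_LIMIT) return -1;
        if (op[i] == (signed char)want) return 1;
        if (op[i] < 2) i++;                   /* EOL (0) and NOP (1) are one byte */
        else i += op[i + 1] ? op[i + 1] : 1;  /* length >= 0x80 is negative: i goes backwards */
    }
    return 0;
}

/* Fixed form: a uint8_t length is never negative, so i always advances. The check
 * that the length byte lies inside optlen is extra hardening added here, not part
 * of the one-line char -> u_int8_t patch. */
int find_option_fixed(const uint8_t *op, unsigned int optlen, uint8_t want)
{
    unsigned int i = 0;
    while (i < optlen) {
        if (op[i] == want) return 1;
        if (op[i] < 2) { i++; continue; }
        if (i + 1 >= optlen) return 0;        /* truncated option header: stop cleanly */
        i += op[i + 1] ? op[i + 1] : 1;
    }
    return 0;
}

/* Constructed inputs. GOOD: NOP, NOP, timestamp option (kind 8, length 10).
 * BAD: kind 3 with length byte 0xFF (-1 as signed char) after two 0xFF bytes;
 * the defective scan cycles between i = 1 and i = 2 forever. */
const uint8_t GOOD_OPTS[] = {1, 1, 8, 10, 0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t BAD_OPTS[] = {0xFF, 0xFF, 3, 0xFF};

int main(void)
{
    printf("good: vulnerable=%d fixed=%d\n", find_option_vulnerable(GOOD_OPTS, 12, 8),
           find_option_fixed(GOOD_OPTS, 12, 8));
    printf("bad:  vulnerable=%d fixed=%d\n", find_option_vulnerable(BAD_OPTS, 4, 8),
           find_option_fixed(BAD_OPTS, 4, 8));
    return 0;
}
```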
errrm, we use --log-tcp-options ... not --tcp-options directly in SUSEfirewall
Marcus, can you please send me the fixes for both ipv4 and ipv6? Do we also need something for kernel 2.4?
Created attachment 21858: proposed fix for both ipv4 and ipv6

I'm going to add this fix. If somebody disagrees, please speak ASAP!
looks good to me.
Fixed kernel has been submitted for check in.
2.4 kernel does not have that code, and I briefly checked its tcp options handling in both v4 and v6 netfilter, it uses u_int8_t, so it seems safe.
the v6 part has an additional separate CAN: CAN-2004-0592
packages approved
CVE-2004-0626: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)