J-Security Center

Title: Linux Kernel IGMP Multiple Vulnerabilities

Severity: CRITICAL

Description:

The Linux kernel supports Internet Group Management Protocol (IGMP). IGMP provides multicast functionality for Internet hosts. The Linux kernel includes basic support for IGMPv2 and IGMPv3 protocols. The kernel also provides both a module for IGMP/IP networking, and a socket API that provides multicasting functionality for user applications.

Linux kernel IGMP functionality is reported prone to multiple vulnerabilities. These issues can allow local attackers to carry out denial of service and privilege escalation attacks. Remote attackers may also cause denial of service conditions in vulnerable computers.

The first issue exists in the 'ip_mc_source()' function and may allow local attackers to cause a denial of service condition or gain elevated privileges. It is reported that the 'ip_mc_source()' function can be called through the API using the 'IP_(UN)BLOCK_SOURCE', 'IP_ADD/DROP_SOURCE_MEMBERSHIP', 'MCAST_(UN)BLOCK_SOURCE' and 'MCAST_JOIN/LEAVE_SOURCE_GROUP' options. Specifically, this issue can be exploited by decrementing the 'sl_count' counter of the 'ip_sf_socklist' structure to 0xffffffff (-1) and calling the 'ip_mc_source()' function. This causes the kernel to start a loop that leads to a hang, followed by a reboot due to the shifting of a kernel buffer by 4 bytes. It is conjectured that if properly exploited, this issue may allow local attackers to gain elevated privileges as well.

The second issue is related to the first issue and may allow an attacker to disclose sensitive kernel memory. It is reported that due to the previously reported flaw, an attacker can disclose large portions of kernel memory by following a buffer through the 'ip_mc_msfget()' and 'ip_mc_gsfget()' API functions.
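The first two issues come down to a per-socket source list whose element count is an unsigned integer: once that count wraps to 0xffffffff, any loop bounded by it walks far past the end of the list, and the same buffer becomes readable through the get-style API calls. The following user-space model is an added example written for this page; it is not code from the advisory or from the Linux kernel. Only the field name 'sl_count' is taken from the text; the struct name, SL_MAX, sl_addr and the function names are assumptions. It shows the defensive pattern: locate the entry first and touch the counter only after the entry is known to exist, so a drop of an unknown source or a drop from an empty list is refused instead of underflowing the count.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model of a per-socket multicast source-filter list. It
 * stands in for the kernel's 'ip_sf_socklist' and borrows only the
 * 'sl_count' field name; SL_MAX, sl_addr and the function names are
 * assumptions made for this example. sl_count is unsigned, which is
 * exactly why a decrement past zero wraps to 0xffffffff and turns every
 * loop bounded by it into an out-of-bounds walk. */
#define SL_MAX 16

struct sf_socklist {
    unsigned int sl_count;        /* number of valid entries in sl_addr */
    uint32_t     sl_addr[SL_MAX]; /* source addresses, network byte order */
};

/* Add a source to the filter list. Rejects duplicates and a full list
 * instead of writing past the end of sl_addr. */
int socklist_add_source(struct sf_socklist *psl, uint32_t src)
{
    for (unsigned int i = 0; i < psl->sl_count; i++)
        if (psl->sl_addr[i] == src)
            return -EADDRINUSE;
    if (psl->sl_count >= SL_MAX)
        return -ENOBUFS;
    psl->sl_addr[psl->sl_count++] = src;
    return 0;
}

/* Remove a source from the filter list. The entry is located first and
 * sl_count is decremented only after it has been found, so a request to
 * drop an unknown source (or to drop from an empty list) returns an
 * error rather than driving the counter below zero. */
int socklist_del_source(struct sf_socklist *psl, uint32_t src)
{
    unsigned int i;
    for (i = 0; i < psl->sl_count; i++)
        if (psl->sl_addr[i] == src)
            break;
    if (i == psl->sl_count)
        return -EADDRNOTAVAIL;
    /* close the gap: shift the tail down by one 4-byte slot */
    memmove(&psl->sl_addr[i], &psl->sl_addr[i + 1],
            (psl->sl_count - i - 1) * sizeof psl->sl_addr[0]);
    psl->sl_count--;
    return 0;
}

/* Walk the list the way a filter check would; with a sane sl_count this
 * never reads past the last valid entry. Returns 1 if src is listed. */
int socklist_contains(const struct sf_socklist *psl, uint32_t src)
{
    for (unsigned int i = 0; i < psl->sl_count; i++)
        if (psl->sl_addr[i] == src)
            return 1;
    return 0;
}

/* Demo sequence with constructed values: add two sources, then drop the
 * first one twice. Returns the final sl_count, which stays at 1 because
 * the second drop is refused instead of decrementing again. */
unsigned int socklist_demo(void)
{
    struct sf_socklist sl = { 0 };
    const uint32_t a = 0x0100000au, b = 0x0200000au; /* constructed */
    socklist_add_source(&sl, a);
    socklist_add_source(&sl, b);
    socklist_del_source(&sl, a);
    socklist_del_source(&sl, a);    /* refused: a is no longer listed */
    return sl.sl_count;
}

/* Demo: result of dropping from an empty list (must be an error, and
 * the count must remain 0 afterwards). */
int socklist_demo_empty_drop(void)
{
    struct sf_socklist sl = { 0 };
    int rc = socklist_del_source(&sl, 0x0100000au);
    return (rc == -EADDRNOTAVAIL && sl.sl_count == 0) ? 1 : 0;
}

int main(void)
{
    printf("final sl_count = %u, empty drop refused = %d\n",
           socklist_demo(), socklist_demo_empty_drop());
    return 0;
}
```

The memmove mirrors the 4-byte shift the advisory describes; the difference is that here its length is derived from a counter that can never have wrapped.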

The third vulnerability exists in the IGMP/IP networking module and may allow remote attackers to cause a denial of service condition in a vulnerable computer. It is reported that when an IGMP group query is received over the network, the IGMP/IP networking module calls the 'igmp_marksources()' function. This function is vulnerable to an out-of-bounds memory access issue because the parameters of the IGMP message received by the computer are not properly verified. Specifically, this issue may be exploited through the 'ih3->nsrcs' parameter of 'igmp_marksources()', resulting in the function accessing memory outside of the allocated socket buffer containing the IGMP message.
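The missing verification is a length check: an IGMPv3 query carries a 16-bit source count ('nsrcs') followed by that many 4-byte addresses, and the count has to be bounded by the number of bytes actually received before any loop walks the source list. The code below is an added example written for this page, not code from the advisory or from the kernel. The packet layout follows RFC 3376; the function names, the verdict enum and the sample packets are constructed for the example, and checksum verification is left out.

```c
#include <arpa/inet.h>   /* ntohs, htonl */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lengths in bytes. IGMP_HOST_MEMBERSHIP_QUERY is the type value used
 * by all query versions; the other two names are assumptions. */
#define IGMP_HOST_MEMBERSHIP_QUERY 0x11
#define IGMP_V2_QUERY_LEN 8    /* IGMPv1/v2 query: type, code, csum, group */
#define IGMPV3_QUERY_LEN 12    /* fixed part of a v3 query, sources follow */

/* Fixed part of an IGMPv3 membership query (RFC 3376, section 4.1). */
struct igmpv3_query_hdr {
    uint8_t  type;
    uint8_t  max_resp_code;
    uint16_t csum;
    uint32_t group;
    uint8_t  resv_s_qrv;
    uint8_t  qqic;
    uint16_t nsrcs;            /* number of source addresses, network order */
} __attribute__((packed));
_Static_assert(sizeof(struct igmpv3_query_hdr) == IGMPV3_QUERY_LEN, "hdr size");

enum query_verdict { QUERY_REJECT = 0, QUERY_V2 = 2, QUERY_V3 = 3 };

/* Validate a received query before anything walks its source list.
 * The essential check is the last one: the advertised source count must
 * fit in the bytes actually received, otherwise a loop over nsrcs reads
 * beyond the buffer. */
enum query_verdict check_igmp_query(const uint8_t *buf, size_t len)
{
    struct igmpv3_query_hdr hdr;
    size_t nsrcs;

    if (len < IGMP_V2_QUERY_LEN || buf[0] != IGMP_HOST_MEMBERSHIP_QUERY)
        return QUERY_REJECT;
    if (len == IGMP_V2_QUERY_LEN)
        return QUERY_V2;            /* v1/v2 query: no source list at all */
    if (len < IGMPV3_QUERY_LEN)
        return QUERY_REJECT;        /* too short to be a v3 query */

    memcpy(&hdr, buf, sizeof hdr);  /* copy out: avoids unaligned access */
    nsrcs = ntohs(hdr.nsrcs);
    if (nsrcs > (len - IGMPV3_QUERY_LEN) / sizeof(uint32_t))
        return QUERY_REJECT;        /* claims more sources than were sent */
    return QUERY_V3;
}

/* Simplified stand-in for the source-marking step: count how many of the
 * query's sources also appear in the host's own list. The walk runs only
 * after check_igmp_query() has bounded nsrcs by the buffer length. */
size_t count_query_sources_in_list(const uint8_t *buf, size_t len,
                                   const uint32_t *list, size_t list_len)
{
    size_t hits = 0, nsrcs, i, j;
    uint16_t nsrcs_be;
    uint32_t src;

    if (check_igmp_query(buf, len) != QUERY_V3)
        return 0;
    memcpy(&nsrcs_be, buf + offsetof(struct igmpv3_query_hdr, nsrcs), 2);
    nsrcs = ntohs(nsrcs_be);
    for (i = 0; i < nsrcs; i++) {
        memcpy(&src, buf + IGMPV3_QUERY_LEN + 4 * i, 4);
        for (j = 0; j < list_len; j++)
            if (src == list[j]) { hits++; break; }
    }
    return hits;
}

/* Constructed sample packets (checksum left as zero). */
/* v3 query for 224.0.0.1 listing two sources, 10.0.0.1 and 10.0.0.2. */
const uint8_t sample_v3_query[20] = {
    0x11, 0x64, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x01, 0x02, 0x7d, 0x00, 0x02,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
/* Same 20 bytes, but nsrcs claims 256 sources: must be rejected. */
const uint8_t sample_v3_oversized[20] = {
    0x11, 0x64, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x01, 0x02, 0x7d, 0x01, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02 };
/* Plain IGMPv2 general query: 8 bytes, no source list. */
const uint8_t sample_v2_query[8] = {
    0x11, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* Truncated: 10 bytes is neither a v2 nor a complete v3 query. */
const uint8_t sample_truncated[10] = {
    0x11, 0x64, 0x00, 0x00, 0xe0, 0x00, 0x00, 0x01, 0x02, 0x7d };

/* Demo: sources of the sample query that are in a constructed local list
 * of 10.0.0.2 and 192.168.1.1. Only 10.0.0.2 matches, so this returns 1. */
size_t sample_query_hits(void)
{
    uint32_t local[2] = { htonl(0x0a000002u), htonl(0xc0a80101u) };
    return count_query_sources_in_list(sample_v3_query, sizeof sample_v3_query,
                                       local, 2);
}

int main(void)
{
    printf("v3 ok=%d oversized=%d v2=%d truncated=%d hits=%zu\n",
           check_igmp_query(sample_v3_query, sizeof sample_v3_query),
           check_igmp_query(sample_v3_oversized, sizeof sample_v3_oversized),
           check_igmp_query(sample_v2_query, sizeof sample_v2_query),
           check_igmp_query(sample_truncated, sizeof sample_truncated),
           sample_query_hits());
    return 0;
}
```

The oversized packet is the case the advisory describes: its header is well formed, only the source count disagrees with the bytes on the wire, so a check on the type and fixed header alone would let it through.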

This issue requires that a vulnerable Linux kernel is compiled with multicast support and is able to process incoming IGMP packets. The vulnerable computer must be running an application bound to a multicast socket. If the attacker is able to send IGMP_HOST_MEMBERSHIP_QUERY messages (group queries) and is aware of the IGMP group, they may cause a crash in the kernel.

The IGMP/IP networking module must be compiled into the kernel for multicasting functionality. The socket API functionality is always available to user applications.

Affected Products:

  • Astaro Security Linux 2.0.0 16
  • Astaro Security Linux 2.0.0 23
  • Avaya Intuity LX
  • Avaya MN100
  • Avaya Modular Messaging (MSS) 1.1.0
  • Avaya Modular Messaging (MSS) 2.0.0
  • CRUX CRUX Linux 1.0.0
  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.0
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 10.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Conectiva Linux 9.0.0
  • Conectiva Linux Enterprise Edition 1.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Devil-Linux Devil-Linux 1.0.4
  • Devil-Linux Devil-Linux 1.0.5
  • Easy Software Products CUPS 1.1.20
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0
  • Linux kernel 2.4.0
  • Linux kernel 2.4.0 .0-test1
  • Linux kernel 2.4.0 .0-test10
  • Linux kernel 2.4.0 .0-test11
  • Linux kernel 2.4.0 .0-test12
  • Linux kernel 2.4.0 .0-test2
  • Linux kernel 2.4.0 .0-test3
  • Linux kernel 2.4.0 .0-test4
  • Linux kernel 2.4.0 .0-test5
  • Linux kernel 2.4.0 .0-test6
  • Linux kernel 2.4.0 .0-test7
  • Linux kernel 2.4.0 .0-test8
  • Linux kernel 2.4.0 .0-test9
  • Linux kernel 2.4.1
  • Linux kernel 2.4.10
  • Linux kernel 2.4.11
  • Linux kernel 2.4.12
  • Linux kernel 2.4.13
  • Linux kernel 2.4.14
  • Linux kernel 2.4.15
  • Linux kernel 2.4.16
  • Linux kernel 2.4.17
  • Linux kernel 2.4.18
  • Linux kernel 2.4.18 pre-1
  • Linux kernel 2.4.18 pre-2
  • Linux kernel 2.4.18 pre-3
  • Linux kernel 2.4.18 pre-4
  • Linux kernel 2.4.18 pre-5
  • Linux kernel 2.4.18 pre-6
  • Linux kernel 2.4.18 pre-7
  • Linux kernel 2.4.18 pre-8
  • Linux kernel 2.4.18 x86
  • Linux kernel 2.4.19
  • Linux kernel 2.4.19 -pre1
  • Linux kernel 2.4.19 -pre2
  • Linux kernel 2.4.19 -pre3
  • Linux kernel 2.4.19 -pre4
  • Linux kernel 2.4.19 -pre5
  • Linux kernel 2.4.19 -pre6
  • Linux kernel 2.4.2
  • Linux kernel 2.4.20
  • Linux kernel 2.4.21
  • Linux kernel 2.4.21 pre1
  • Linux kernel 2.4.21 pre4
  • Linux kernel 2.4.21 pre7
  • Linux kernel 2.4.22
  • Linux kernel 2.4.23
  • Linux kernel 2.4.23 -ow2
  • Linux kernel 2.4.23 -pre9
  • Linux kernel 2.4.24
  • Linux kernel 2.4.24 -ow1
  • Linux kernel 2.4.25
  • Linux kernel 2.4.26
  • Linux kernel 2.4.27
  • Linux kernel 2.4.27 -pre1
  • Linux kernel 2.4.27 -pre2
  • Linux kernel 2.4.27 -pre3
  • Linux kernel 2.4.27 -pre4
  • Linux kernel 2.4.27 -pre5
  • Linux kernel 2.4.28
  • Linux kernel 2.4.3
  • Linux kernel 2.4.4
  • Linux kernel 2.4.5
  • Linux kernel 2.4.6
  • Linux kernel 2.4.7
  • Linux kernel 2.4.8
  • Linux kernel 2.4.9
  • Linux kernel 2.6.0
  • Linux kernel 2.6.0 -test1
  • Linux kernel 2.6.0 -test10
  • Linux kernel 2.6.0 -test11
  • Linux kernel 2.6.0 -test2
  • Linux kernel 2.6.0 -test3
  • Linux kernel 2.6.0 -test4
  • Linux kernel 2.6.0 -test5
  • Linux kernel 2.6.0 -test6
  • Linux kernel 2.6.0 -test7
  • Linux kernel 2.6.0 -test8
  • Linux kernel 2.6.0 -test9
  • Linux kernel 2.6.0 -test9-CVS
  • Linux kernel 2.6.1
  • Linux kernel 2.6.1 -rc1
  • Linux kernel 2.6.1 -rc2
  • Linux kernel 2.6.2
  • Linux kernel 2.6.3
  • Linux kernel 2.6.4
  • Linux kernel 2.6.5
  • Linux kernel 2.6.6
  • Linux kernel 2.6.6 rc1
  • Linux kernel 2.6.7
  • Linux kernel 2.6.7 rc1
  • Linux kernel 2.6.8
  • Linux kernel 2.6.8 rc1
  • Linux kernel 2.6.8 rc2
  • Linux kernel 2.6.8 rc3
  • Linux kernel 2.6.9
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 8.0.0
  • MandrakeSoft Linux Mandrake 8.0.0 ppc
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0
  • RedHat Advanced Workstation for the Itanium Processor 2.1.0 IA64
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Fedora Core3
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 alpha
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 8.0.0
  • RedHat Linux 9.0.0 i386
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.3.0
  • S.u.S.E. Linux 8.0.0
  • S.u.S.E. Linux 8.1.0
  • S.u.S.E. Linux Connectivity Server
  • S.u.S.E. Linux Database Server
  • S.u.S.E. Linux Enterprise Server 7
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Firewall on CD
  • S.u.S.E. Linux Office Server
  • S.u.S.E. Linux Openexchange Server
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • S.u.S.E. SuSE eMail Server 3.1.0
  • S.u.S.E. SuSE eMail Server III
  • Slackware Linux -current
  • Slackware Linux 8.0.0
  • Slackware Linux 9.0.0
  • Slackware Linux 9.1.0
  • Sun Cobalt RaQ 550
  • Sun Linux 5.0.0
  • Sun Linux 5.0.3
  • Sun Linux 5.0.5
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • WOLK WOLK 4.4.0 s
  • Xpdf Xpdf 3.0.0 0
  • libpng libpng 1.0.15
  • libpng libpng3 1.2.5

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.