Vulnerability Note VU#668220

IPComp encapsulation nested payload vulnerability

Original Release date: 01 Apr 2011 | Last revised: 16 Aug 2011

Overview

Some IPComp implementations may contain a kernel memory corruption vulnerability in their handling of nested encapsulation of IPComp payloads.

Description

RFC 3173 defines the IP Payload Compression Protocol (IPComp) as:

IP payload compression is a protocol to reduce the size of IP datagrams. This protocol will increase the overall communication performance between a pair of communicating hosts/gateways ("nodes") by compressing the datagrams, provided the nodes have sufficient computation power, through either CPU capacity or a compression coprocessor, and the communication is over slow or congested links.

IPComp is commonly used in conjunction with IPsec implementations.

Some network stack implementations, particularly those incorporating the KAME project or NetBSD project IPComp and IPsec implementations, process nested IPComp-encapsulated payloads recursively and may fail to bound the recursion depth. Because the nesting depth is chosen by the sender, a remote attacker can craft a packet deep enough to exhaust the kernel stack and corrupt kernel memory.

Impact

A remote attacker can cause a kernel stack overflow leading to a denial of service or possibly execute arbitrary code.

Solution

Apply a Patch from Your Vendor
Please see the Vendor Information below for specific vendor information and patches.


Workarounds

    • Filter IPComp (IP protocol number 108) at network borders if it is not required
    • Use host-based packet filtering on workstations and servers to drop IPComp traffic so that the vulnerable input path is never reached
    • Recompile affected software to disallow nested encapsulation of IPComp payloads, if the implementation offers that option
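The recursion described under Description and the nesting restriction the third workaround refers to, as an added example that is not code from the advisory, from KAME, NetBSD or any listed vendor: a minimal IPComp input path in userland C, first in the unbounded shape that lets the sender pick the recursion depth, then with a depth check. The header layout (next header, flags, CPI) is from RFC 3173; everything else is an assumption of the example: decompression is skipped and the payload treated as already uncompressed, IPCOMP_MAX_DEPTH of 1 is a hypothetical policy, and build_nested_ipcomp constructs the test packets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_IPCOMP   108   /* IPComp protocol number (RFC 3173) */
#define INNER_PROTO_TCP  6     /* innermost "real" protocol in the constructed packets */
#define IPCOMP_HDR_LEN   4     /* next header (1), flags (1), CPI (2) */
#define IPCOMP_MAX_DEPTH 1     /* hypothetical policy: at most one IPComp header per packet */

/* Negative return codes from the handlers below. */
enum {
    IPCOMP_TRUNCATED = -1,   /* an IPComp header runs past the end of the buffer */
    IPCOMP_TOO_DEEP  = -2,   /* nesting exceeded IPCOMP_MAX_DEPTH */
    IPCOMP_BUILD_ERR = -3,   /* constructed packet did not fit its buffer */
};

/* Parse one IPComp header and return its next-header value, or a negative error.
 * The flags octet is reserved and ignored, as RFC 3173 requires. Decompression is
 * deliberately omitted (an assumption of this example): the payload is treated as
 * already uncompressed so that the nesting logic is the only moving part. */
static int ipcomp_parse_hdr(const uint8_t *p, size_t len, uint16_t *cpi)
{
    if (len < IPCOMP_HDR_LEN)
        return IPCOMP_TRUNCATED;
    *cpi = (uint16_t)(((uint16_t)p[2] << 8) | p[3]);
    return p[0];
}

/* The shape of the bug: every nested IPComp header is handled by another call to
 * the same function and nothing bounds the depth, so the sender decides how many
 * kernel stack frames are consumed. Returns the number of IPComp headers walked. */
static int ipcomp_input_unbounded(const uint8_t *p, size_t len, int depth)
{
    uint16_t cpi;
    int nxt = ipcomp_parse_hdr(p, len, &cpi);
    (void)cpi;  /* a real stack would select the decompressor by CPI */
    if (nxt < 0)
        return nxt;
    if (nxt == IPPROTO_IPCOMP)
        return ipcomp_input_unbounded(p + IPCOMP_HDR_LEN, len - IPCOMP_HDR_LEN, depth + 1);
    return depth + 1;  /* inner protocol is not IPComp; the chain ends here */
}

/* Hardened form: the same walk, but the depth is checked before any further work,
 * which is the "disallow nested encapsulation" workaround expressed as a runtime
 * check. With IPCOMP_MAX_DEPTH 1 any nested IPComp header is rejected outright. */
static int ipcomp_input_bounded(const uint8_t *p, size_t len, int depth)
{
    uint16_t cpi;
    int nxt;

    if (depth >= IPCOMP_MAX_DEPTH)
        return IPCOMP_TOO_DEEP;
    nxt = ipcomp_parse_hdr(p, len, &cpi);
    (void)cpi;
    if (nxt < 0)
        return nxt;
    if (nxt == IPPROTO_IPCOMP)
        return ipcomp_input_bounded(p + IPCOMP_HDR_LEN, len - IPCOMP_HDR_LEN, depth + 1);
    return depth + 1;
}

/* Construct a test packet: `nest` IPComp headers chained through next header 108,
 * the innermost pointing at TCP, followed by `payload_len` filler bytes.
 * Returns the total length written, or 0 if it does not fit. */
static size_t build_nested_ipcomp(uint8_t *buf, size_t cap, int nest, size_t payload_len)
{
    size_t need = (size_t)nest * IPCOMP_HDR_LEN + payload_len;
    if (nest < 1 || need > cap)
        return 0;
    for (int i = 0; i < nest; i++) {
        uint8_t *h = buf + (size_t)i * IPCOMP_HDR_LEN;
        h[0] = (i == nest - 1) ? INNER_PROTO_TCP : IPPROTO_IPCOMP;
        h[1] = 0;             /* reserved flags, must be zero on the wire */
        h[2] = 0; h[3] = 2;   /* CPI 2: the well-known DEFLATE value from RFC 3173 */
    }
    memset(buf + (size_t)nest * IPCOMP_HDR_LEN, 0x41, payload_len);
    return need;
}

/* Build a packet with `nest` headers and run it through one of the two handlers. */
static int run_nested(int nest, int bounded)
{
    static uint8_t pkt[64 * 1024];
    size_t n = build_nested_ipcomp(pkt, sizeof pkt, nest, 16);
    if (n == 0)
        return IPCOMP_BUILD_ERR;
    return bounded ? ipcomp_input_bounded(pkt, n, 0) : ipcomp_input_unbounded(pkt, n, 0);
}

int main(void)
{
    printf("1 header:       unbounded=%d bounded=%d\n", run_nested(1, 0), run_nested(1, 1));
    printf("3 nested:       unbounded=%d bounded=%d\n", run_nested(3, 0), run_nested(3, 1));
    printf("4000 nested:    unbounded=%d bounded=%d\n", run_nested(4000, 0), run_nested(4000, 1));
    return 0;
}
```

In userland the 4000-deep walk completes because each frame here is a few dozen bytes and the thread stack is large; in a kernel, each level of the real input path also carries the decompression state and the protocol dispatch below it, on a stack of a few kilobytes, which is why the depth must be checked before recursing rather than relied on to fail gracefully.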

Vendor Information

Note that any systems derived from the KAME or NetBSD IPComp implementations may be vulnerable.

Vendor                              Status        Date Notified   Date Updated
Force10 Networks, Inc.              Affected      30 Mar 2011     19 Apr 2011
FreeBSD Project                     Affected      30 Mar 2011     01 Apr 2011
NetBSD                              Affected      30 Mar 2011     25 Apr 2011
Apple Inc.                          Not Affected  30 Mar 2011     05 Apr 2011
Check Point Software Technologies   Not Affected  30 Mar 2011     04 Apr 2011
Fortinet, Inc.                      Not Affected  30 Mar 2011     19 May 2011
Juniper Networks, Inc.              Not Affected  30 Mar 2011     04 Apr 2011
Microsoft Corporation               Not Affected  30 Mar 2011     01 Apr 2011
Openwall GNU/*/Linux                Not Affected  30 Mar 2011     01 Apr 2011
Oracle Corporation                  Not Affected  30 Mar 2011     31 Mar 2011
Palo Alto Networks                  Not Affected  30 Mar 2011     12 Apr 2011
Red Hat, Inc.                       Not Affected  30 Mar 2011     30 Mar 2011
Sun Microsystems, Inc.              Not Affected  30 Mar 2011     01 Apr 2011
VMware                              Not Affected  30 Mar 2011     01 Apr 2011
Watchguard Technologies, Inc.       Not Affected  30 Mar 2011     01 Apr 2011

CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A     N/A

References

Credit

Thanks to Tavis Ormandy of Google for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2011-1547
  • Date Public: 01 Apr 2011
  • Date First Published: 01 Apr 2011
  • Date Last Updated: 16 Aug 2011
  • Severity Metric: 54.77
  • Document Revision: 38
