-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2011-0018
 
Title: Linux Kernel Headroom Check 'udp6_ufo_fragment()' Remote Denial of Service Vulnerability [1]
 

Version history:
22.11.2011 Initial publication
 

Summary
=======
 
The Linux kernel is prone to a remote denial-of-service vulnerability. 
To exploit this issue, attackers can use readily available network utilities.

CVE-2011-4326(Candidate)
 
Severity Level[3]: CVSS2 Base 7.8
 
Remote              Yes
Local               No
Credibility         Vendor Confirmed
Ease                Exploit Available
Authentication      Not Required
 

To note also:

CVE-2011-4330(Candidate)
CVE-2011-4110(Candidate)
CVE-2011-4112(Candidate)
 
 
Potential impact
================
 
Attackers can exploit this issue to cause the kernel to crash, denying service to legitimate users.
 
1. An attacker locates a vulnerable computer.

2. An attacker crafts a malicious UDP packet designed to leverage this issue.

3. When  the affected application processes the packet, the vulnerability is triggered.

A successful attack will cause denial-of-service conditions.
 
 
 
Vulnerable Systems
==================
Among others:
 
Linux kernel  2.6.32.1 to 2.6.32.18
Linux kernel 2.6.32.22 
Linux kernel 2.6.32-rc1 to 2.6.32-rc3
     Trustix Secure Enterprise Linux 2.0.0
     Trustix Secure Linux 2.0.0
     Trustix Secure Linux 2.1.0
     Trustix Secure Linux 2.2.0

Linux kernel 2.6.32-rc4 cpe:/o:linux:kernel:2.6.32:rc4 SYMC
Linux kernel 2.6.32-rc5 cpe:/o:linux:kernel:2.6.32:rc5 SYMC
     Trustix Secure Enterprise Linux 2.0.0
     Trustix Secure Linux 2.0.0
     Trustix Secure Linux 2.1.0
     Trustix Secure Linux 2.2.0

Linux kernel 2.6.32x
Linux kernel 2.6.33x
Linux kernel 2.6.34x
Linux kernel 2.6.35x
Linux kernel 2.6.36x
Linux kernel 2.6.37x
Linux kernel 2.6.38x
Linux kernel 2.6.39x
Linux kernel 2.6.4 to 2.6.7
Linux kernel 2.6.32.28 
Linux kernel 2.6.37-rc1 
Linux kernel 2.6.37-rc2 
Linux kernel 2.6.38x
Linux kernel 2.6.33-rc7 
Linux kernel 2.6.36-rc4 

 
 
 
What can you do?
================
 
Solutions:
 
Fixes are available [2].
 
Work-arounds:


Block external access at the network boundary, unless external parties require service.

Filter access to the affected computer at the network boundary if global access isn't needed. Restricting access 
to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.  Deploy NIDS to 
monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or 
activity that results from successful exploits.


What to tell your users?
========================
Normal security best practices apply. Especially, inform your Web users to be cautious about following links to 
sites that are provided by unfamiliar or suspicious sources.  Users are to be aware not to click on the link in 
suspicious emails; to immediately forward the suspicious email to the respective IT security officer / contact in 
your institution.
 

More information
================
[1] http://www.linux.org/
[2] http://comments.gmane.org/gmane.comp.security.oss.general/6294
 
[3] CVSS details:
CVSS Version 2 Scores
CVSS2 Base          7.8
CVSS2 Temporal      6.4
CVSS2 Base Vector   AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS2 Temporal VectorE:F/RL:OF/RC:C
 
More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html
 
 
 
Best regards,
 
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383



-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJOy2dvOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4MQ6xAAskZUK7nC
BdEYZKstHPKsWlZHxnl1ZfNN9NygxEFrh3m3RKcPWGDB4w38JrW4M7vEKeD9VVpF
1V/tBOc4CXKQwCOL+OA/3h6N1NPaRjM2OW1ELuSa0Z96gwohPkCNvbjAn3US6w4q
OGBX0dnHlWYvK5fiKh9NXr/oTYoWHgjZ9NLh6Iz5WovfboxUGCqYPqu65amav4Wt
cYPr/kgmYBSoTnW1JXrzE5oGy8GTwsGp+N6eJp3cxOT9uzyaj4aOQeo3FZw2Lt0A
J7xH0/tJG1P3OP8siwCsKkNgV1xl8q5wF7AwnKJNYRNA3K3o1qd6XQG5ytZh985j
hooL6LcfYGfWy306TF4eejEc2mT5DXMC8frjT/W0LKATXQwExL0X57btcAH0jOox
dWMoHT4vZ9OBr41gT1uGdzIUIIjj8b0Jl1y/4xbOXdmPo8cbfubQqM2z/DoKnrGk
Wx+6a6ZVo4+fwUn5YYlbCFUQQ6oW2Nf4ifF3ttGWZHG73a472MRneRcvYBHGkNVA
DdLl4EX6K5z1EHYe+q3rma7w8enNm/uiS94xZ1CWEy0KerFgnjez1mCt51LsRnS/
tOLUNAFfKwimcx59/4cM6fJF9RD3x53HvBi6JI4TEF1Lz4o6INLB5HC8HjZA2L0U
fR8n8oAYWvvPDpr/03yuXh/Le5KrqGjKlQY=
=PSFu
-----END PGP SIGNATURE-----