Vigil@nce - Linux kernel: denial of service via IGMP
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send several IGMP packets, in order to stop the Linux kernel.
Severity: 2/4
Creation date: 10/01/2012
IMPACTED PRODUCTS
Linux kernel
DESCRIPTION OF THE VULNERABILITY
The IGMP (Internet Group Management Protocol) protocol is used to
define multicast groups. There are three versions:
IGMP v1 : RFC 1112
IGMP v2 : RFC 2236
IGMP v3 : RFC 3376
Routers (Querier) periodically send Membership Query packets to
query the list of groups on the network. Clients have a maximal
duration to reply:
IGMP v1 : 10 seconds
IGMP v2 : indicated in the MaxRespTime field of the query
IGMP v3 : idem, but with a different encoding
The Linux kernel remembers the version of the Queriers located on the network. So, if an IGMP v3 query is received while IGMP v2 routers are present, the kernel changes its behavior.
The igmp_heard_query() function of the Linux kernel processes received queries and starts a timer in order to reply later (unless another client replies first). The timer duration depends on the IGMP version. When an IGMP v3 query is received and there are IGMP v2 routers, the kernel uses the MaxRespTime field. However, if this field is zero, a division (modulo) by zero occurs.
An attacker can therefore send several IGMP packets, in order to stop the Linux kernel.
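The timer computation described above, as an added example: a user-space C model that is not kernel source and not part of the bulletin. It decodes MaxRespTime for each IGMP version and guards the modulo against a zero delay; the function names, the sample query bytes and the clamp to 1 are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IGMP_MEMBERSHIP_QUERY 0x11 /* IGMP type of a Membership Query */
#define IGMP_V1_MAX_DELAY     100  /* IGMP v1: fixed 10 s, in 1/10 s units */

/* IGMP v3 encoding (RFC 3376, 4.1.1): below 128 the value is literal,
 * otherwise it is a small float: 1 | exp (3 bits) | mant (4 bits). */
static unsigned v3_max_resp(uint8_t code)
{
    if (code < 128)
        return code;
    return (unsigned)((code & 0x0f) | 0x10) << (((code >> 4) & 0x07) + 3);
}

/* Maximum response delay (1/10 s) asked for by a query, -1 if the buffer is
 * not a Membership Query. Byte 1 is the MaxRespTime field. */
int query_max_delay(const uint8_t *igmp, size_t len)
{
    if (len < 8 || igmp[0] != IGMP_MEMBERSHIP_QUERY)
        return -1;
    if (len == 8)                           /* v1 (field is zero) or v2 */
        return igmp[1] ? igmp[1] : IGMP_V1_MAX_DELAY;
    if (len < 12)
        return -1;                          /* too short for v3 */
    return (int)v3_max_resp(igmp[1]);       /* v3: 0 when the field is 0 */
}

/* Timer delay in [0, max_delay). The unguarded form `rnd % max_delay`
 * traps when max_delay is 0, so clamp it to 1 first (assumed guard). */
unsigned timer_delay(unsigned rnd, unsigned max_delay)
{
    if (max_delay == 0)
        max_delay = 1;
    return rnd % max_delay;
}

int main(void)
{
    /* Constructed sample: 12-byte v3 query header, MaxRespTime = 0. */
    const uint8_t q[12] = { IGMP_MEMBERSHIP_QUERY, 0x00 };
    int max_delay = query_max_delay(q, sizeof q);

    printf("max_delay=%d delay=%u\n", max_delay,
           timer_delay(12345u, (unsigned)max_delay));
    return 0;
}
```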