Severity: 2/4

Consequences: data flow

Provenance: LAN

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 19/06/2009

IMPACTED PRODUCTS

 OpenSolaris
 Sun Solaris

DESCRIPTION OF THE VULNERABILITY

The "ce" driver implements the support of Cassini Gigabit Ethernet network adapters. These adapters can receive jumbo Ethernet frames.

The IP checksum is computed by the system or by the adapter.

An attacker can send a jumbo frame, where the data size is smaller than the frame size. The system then has to recompute the checksum because the "len" (length) field was updated in the packet. However, if the checksum was computed by the adapter, an error occurs in the ip_ocsum_long() assembler function when the system recomputes the checksum.

An attacker located on a network supporting jumbo frames can therefore send an invalid frame in order to generate a denial of service.

CHARACTERISTICS

Identifiers: 257008, 6803523, BID-35439, CVE-2009-2136, VIGILANCE-VUL-8810

http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-Gigabit-Ethernet-8810