News
Vigil@nce: Solaris, denial of service via Gigabit Ethernet
June 2009 by Vigil@nce
A LAN attacker can send a Gigabit Ethernet frame in order to stop the system.
Severity: 2/4
Consequences: data flow
Provenance: LAN
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/06/2009
IMPACTED PRODUCTS
OpenSolaris
Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The "ce" driver implements the support of Cassini Gigabit Ethernet network adapters. These adapters can receive jumbo Ethernet frames.
The IP checksum is computed by the system or by the adapter.
An attacker can send a jumbo frame, where the data size is smaller than the frame size. The system then has to recompute the checksum because the "len" (length) field was updated in the packet. However, if the checksum was computed by the adapter, an error occurs in the ip_ocsum_long() assembler function when the system recomputes the checksum.
An attacker located on a network supporting jumbo frames can therefore send an invalid frame in order to generate a denial of service.
CHARACTERISTICS
Identifiers: 257008, 6803523, BID-35439, CVE-2009-2136, VIGILANCE-VUL-8810
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-Gigabit-Ethernet-8810
