Vigil@nce: Solaris, denial of service via Gigabit Ethernet
June 2009 by Vigil@nce
A LAN attacker can send a Gigabit Ethernet frame in order to stop
the system.
Severity: 2/4
Consequences: data flow
Provenance: LAN
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/06/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION OF THE VULNERABILITY
The "ce" driver implements the support of Cassini Gigabit Ethernet
network adapters. These adapters can receive jumbo Ethernet frames.
The IP checksum is computed by the system or by the adapter.
An attacker can send a jumbo frame, where the data size is smaller
than the frame size. The system then has to recompute the checksum
because the "len" (length) field was updated in the packet.
However, if the checksum was computed by the adapter, an error
occurs in the ip_ocsum_long() assembler function when the system
recomputes the checksum.
An attacker located on a network supporting jumbo frames can
therefore send an invalid frame in order to generate a denial of
service.
CHARACTERISTICS
Identifiers: 257008, 6803523, BID-35439, CVE-2009-2136,
VIGILANCE-VUL-8810
http://vigilance.fr/vulnerability/Solaris-denial-of-service-via-Gigabit-Ethernet-8810