VID: 12089
Severity: 30
Port:
Protocol: SCTP
Class: Protocol
Detailed Description: The Linux host is vulnerable to a denial of service attack via an SCTP packet with an invalid SCTP chunk size. The Linux Kernel Stream Control Transmission Protocol (lksctp) project is an implementation of the Stream Control Transmission Protocol (SCTP) in the Linux kernel. The SCTP implementation in Linux kernel versions 2.6.12 through 2.6.16.20 and versions 2.6.17.x prior to 2.6.17.1 could allow a remote attacker to cause a denial of service through an infinite loop condition that can occur in the for_each_sctp_chunk() function of the SCTP-netfilter module. A remote attacker could exploit this vulnerability using specially crafted packets containing an invalid SCTP chunk size to consume all available CPU resources, resulting in a denial of service.
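
The class of check that prevents this kind of loop, as an added example (not code from the Linux kernel or from this advisory): a chunk walker that rejects any chunk size that is smaller than the chunk header or larger than the remaining packet before advancing. The function name sctp_count_chunks and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SCTP_COMMON_HDR_LEN 12u /* ports, verification tag, checksum */
#define SCTP_CHUNK_HDR_LEN   4u /* type, flags, 16-bit length */

/* Hypothetical helper, not a kernel function: count the chunks in an SCTP
 * packet, or return -1 if any chunk size is invalid. */
int sctp_count_chunks(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = SCTP_COMMON_HDR_LEN;
    int count = 0;

    if (pkt_len < SCTP_COMMON_HDR_LEN)
        return -1;
    while (off < pkt_len) {
        size_t len;

        if (pkt_len - off < SCTP_CHUNK_HDR_LEN)
            return -1; /* truncated chunk header */
        len = ((size_t)pkt[off + 2] << 8) | pkt[off + 3]; /* network order */
        /* The length covers the 4-byte chunk header, so smaller values are
         * invalid. Without this check, length 0 would never advance off. */
        if (len < SCTP_CHUNK_HDR_LEN || len > pkt_len - off)
            return -1;
        off += (len + 3u) & ~(size_t)3u; /* chunks are padded to 4 bytes */
        count++;
    }
    return count;
}

/* Constructed sample packets: zeroed common header followed by chunks. */
static const uint8_t pkt_ok[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x04,0x00,0x00,0x04,                      /* chunk, length 4 */
    0x00,0x00,0x00,0x06, 0xaa,0xbb,0x00,0x00  /* length 6, padded to 8 */
};
static const uint8_t pkt_bad[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,
    0x04,0x00,0x00,0x00                       /* invalid chunk size */
};

int main(void)
{
    printf("ok=%d bad=%d\n", sctp_count_chunks(pkt_ok, sizeof pkt_ok),
           sctp_count_chunks(pkt_bad, sizeof pkt_bad));
    return 0;
}
```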

* References:
http://lksctp.sourceforge.net/
http://www.frsirt.com/english/advisories/2006/1632
http://www.frsirt.com/english/advisories/2006/2451
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.13
http://www.networksorcery.com/enp/protocol/sctp.htm#Chunk
http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024241.html
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.1
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.23
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.17.3

* Platforms Affected:
Kernel.Org Organization, Inc., Linux Kernel versions 2.6.12 through 2.6.16.20
Kernel.Org Organization, Inc., Linux Kernel versions 2.6.17.x prior to 2.6.17.1

Recommendation: Upgrade to the latest stable version of the Linux kernel (2.6.16.23 or 2.6.17.3 or later). Contact your vendor for upgrade information. The official website of the Linux kernel is the Linux Kernel Archives at http://www.kernel.org/
Related URL: CVE-2006-1527, CVE-2006-3085 (CVE)
Related URL: 17806, 18550, 18755 (SecurityFocus)
Related URL: 26194, 27384 (ISS)