Source: cve@mitre.org
The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626.
Remote attackers can trigger a denial-of-service (DoS) condition on vulnerable SUSE Linux systems by exploiting a flaw in the IPv6 netfilter subsystem. The vulnerability, an integer overflow in the tcp_find_option function (a large TCP option length, cast to the char type, becomes a negative integer), lets an attacker drive the kernel into an infinite loop that consumes all available CPU, effectively rendering the system unresponsive.
Step 1: Packet Crafting: The attacker crafts a malicious TCP packet with IPv6 headers and TCP options. The TCP options include a specially crafted option length field.
Step 2: Packet Transmission: The attacker sends the malicious TCP packet to the vulnerable SUSE Linux system.
Step 3: Packet Reception and Processing: The kernel's netfilter subsystem receives the packet and passes it to the tcp_find_option function.
Step 4: Integer Overflow: Within tcp_find_option, the large option length is processed, leading to an integer overflow during a casting operation.
Step 5: Infinite Loop: The overflowed value, now a negative integer, is used in a loop condition, causing an infinite loop to execute.
Step 6: CPU Exhaustion: The infinite loop consumes all available CPU resources, leading to a denial-of-service (DoS) condition.
The vulnerability lies within the tcp_find_option function of the netfilter subsystem in the SUSE Linux 2.6.5 kernel with USAGI patches. The flaw stems from an integer overflow when handling TCP option lengths: a large option length, after a casting operation to the char type, becomes a negative integer. That negative value is then used in the loop condition that walks the option list, so the loop never advances to the end of the options and executes indefinitely, consuming all available CPU. The root cause is missing validation of the option length before it is used to step through the options, which allows an attacker to craft TCP packets whose option length produces the negative value and the resulting infinite loop. This is similar to CVE-2004-0626.
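A minimal illustration of the length-handling flaw and a bounds-checked option walker, added here as example code (it is not the kernel's tcp_find_option). The function names, the sample option bytes and the choice of signed char for the flawed cast are constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP option kinds used below (RFC 793 / RFC 9293). */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* The flawed pattern in miniature: the length byte is read through a signed
 * char, so any value >= 0x80 becomes negative. The value is returned rather
 * than used as a loop step, so the sign flip can be observed without hanging. */
int truncated_length(uint8_t raw_len)
{
    signed char opt_len = (signed char)raw_len;   /* 0xFF -> -1, 0x80 -> -128 */
    return opt_len;
}

/* Hardened walker: returns the offset of option `want` within `opts`,
 * -1 if it is absent, -2 if the option list is malformed. Every length is
 * validated before the cursor moves, so the cursor strictly increases and
 * the loop is guaranteed to terminate. */
int tcp_find_option_safe(const uint8_t *opts, size_t optlen, uint8_t want)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) return -1;          /* end of option list */
        if (kind == TCPOPT_NOP) { i++; continue; }  /* single-byte padding */
        if (i + 1 >= optlen) return -2;             /* length byte missing */
        unsigned len = opts[i + 1];                 /* unsigned: never negative */
        if (len < 2 || i + len > optlen) return -2; /* too short or overruns buffer */
        if (kind == want) return (int)i;
        i += len;                                   /* always advances by >= 2 */
    }
    return -1;
}

/* Constructed samples: NOP, NOP, MSS(len 4, 1460) and an MSS with length 0xFF. */
static const uint8_t kSampleOk[]  = { 1, 1, 2, 4, 0x05, 0xb4 };
static const uint8_t kSampleBad[] = { 2, 0xFF, 0x05, 0xb4 };
const size_t kSampleOkLen  = sizeof kSampleOk;
const size_t kSampleBadLen = sizeof kSampleBad;

int main(void)
{
    printf("0xFF as signed char: %d\n", truncated_length(0xFF));
    printf("MSS offset (ok): %d\n", tcp_find_option_safe(kSampleOk, kSampleOkLen, TCPOPT_MSS));
    printf("MSS offset (bad): %d\n", tcp_find_option_safe(kSampleBad, kSampleBadLen, TCPOPT_MSS));
    return 0;
}
```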
Due to the age of the vulnerability, it is unlikely to be associated with specific APT groups. However, any actor with the capability to craft network packets could exploit this vulnerability. Not listed on CISA KEV.
Monitor network traffic for TCP packets with unusually large TCP option lengths.
Analyze system logs for signs of excessive CPU usage, particularly related to kernel processes.
Use intrusion detection systems (IDS) with rules specifically designed to detect malicious TCP packets with crafted option lengths.
Examine IPv6 traffic destined for the vulnerable system, since the affected code is the IPv6 netfilter path.
Upgrade the SUSE Linux kernel to a patched version that addresses CVE-2004-0592. This is the primary and most effective remediation.
Implement network-based intrusion detection and prevention systems (IDS/IPS) to filter malicious TCP packets with crafted option lengths.
Apply the latest security patches from SUSE.
Implement host-based intrusion detection systems (HIDS) to monitor for suspicious kernel activity.
Consider disabling IPv6 if not required, as a temporary mitigation.