Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 5 Oct 2018 23:46:07 +0800 (CST)
From: luo  <a4651386@....com>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-17977: CentOS
 ipsec remote denial of service vulnerability



I just applied for the cve number at https://cveform.mitre.org/. I don't know if it is correct to publish the complete information. Please check the community. This vulnerability is very different. Almost all versions of the kernel will work with the centos desktop version. Memory remote accumulation leads to secure remote denial of service



-------- Forwarding messages --------
From: cve-request@...re.org
Date: 2018-10-04 11:31:06
To:  a4651386@....com
Cc:  cve-request@...re.org
Subject: Re: [scr579986] CentOS and IPSec
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [Suggested description]
> The Linux kernel 4.14.67 mishandles certain interaction among XFRM
> Netlink messages, IPPROTO_AH packets, and IPPROTO_IP packets, which
> allows local users to cause a denial of service (memory consumption
> and system hang) by leveraging root access to execute crafted
> applications, as demonstrated on CentOS 7.
> 
> ------------------------------------------
> 
> [Additional Information]
> ipsec Can cause the
> remote memory of the centos desktop version to run out, I tested this
> problem with centos6.10 centos7.10 , but the minimal installation
> version is not very obvious
> 
> 1.Compile the kernel and start compiling options
>  <*> IP:AH transformation
>   <*> IP:ESP transformation
>   <*> IP:IPComp transformation
>   <*> IP:IPsec transport mode
>   <*> IP:IPsec tunnel mode
>   <*> IP:IPsec BEET mode
> 
> 2.Modify the firewall or turn off the firewall to allow the ah
> protocol or the esp protocol to pass through the firewall. 3.Run
> ah_add on the target machine with root privileges, you need to modify
> the inet_addr("127.0.0.1") of line 101 of ah_add.c; it refers to the
> local address (the address of the target machine)
> https://drive.google.com/file/d/15aIxj_yupCcs7i14AIlE8U2ySfOyovnk/view
> 
> 4,.Run ipip as an attacker with root privileges,Need to modify the
> source address and destination address in the main function, the
> destination address refers to the IP address of the target machine
> https://drive.google.com/file/d/1_dh_KX0JpJdoWQopN1KWORwJsQlah7Nv/view
> 
> 5.Running the free command can obviously see the decline in the amount
> of memory remaining space.Finally, it may lead to deadlock, shutdown
> may be, the centos7 desktop version may be more obvious
> 
> Can cause the remote memory of the centos desktop version to run out,
> I tested this problem with centos6.10 centos7.10, but the minimal
> installation version is not very obvious
> 
> And the strange thing is that when I tested ubuntu, there was no such
> problem. Basically, most kernel versions can cause this effect.
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> Memory accumulation, memory application speed exceeds release speed, causing denial of service
> 
> ------------------------------------------
> 
> [Vendor of Product]
> CentOS desktop remote denial of service about ipsec
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> CentOS desktop - CentOS desktop6 CentOS desktop7
> 
> ------------------------------------------
> 
> [Affected Component]
> Can cause the remote memory of the centos desktop version to run out, I tested this problem with centos6.10 centos7.10, 
> https://drive.google.com/file/d/1TmOuAV56JiLP_bTnCQIAFVemN9OoDlIa/view?usp=sharing
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> A packet attack opens a secure server that can cause a remote denial of service
> 
> ------------------------------------------
> 
> [Reference]
> https://drive.google.com/file/d/1TmOuAV56JiLP_bTnCQIAFVemN9OoDlIa/view?usp=sharing
> https://drive.google.com/file/d/1Mjr9Pu_dAjet2Bq_iWCEUIQkUtSTIBVK/view?usp=sharing
> https://drive.google.com/file/d/15aIxj_yupCcs7i14AIlE8U2ySfOyovnk/view
> https://drive.google.com/file/d/1_dh_KX0JpJdoWQopN1KWORwJsQlah7Nv/view
> 
> ------------------------------------------
> 
> [Discoverer]
> 360 ESG Codesafe Team luo quan

Use CVE-2018-17977.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJbtYkBAAoJEA2h+fVryJLoQQ8P/0q04KVv+s5Wg+FxY1TSm8Be
IWbLbWkQfk9PFC2CW6kheM0lEuC4TESEUQP6tLETLrFzPJOf2wQc2YJuUA2kFgil
18NMXDNKZ/x6w/qAPupID807oRKxlxTXs78X9aFNx6FonkdQAJGpf2OWTN/xIkkv
HWNhOXKWlsh799BQYBDl8haWGmJXv/6lPsDCLN2M/ZRhQKbK4Dbo6CZ+eXEbclGu
oSnsmAkK3w3J95rLD8/Y3p2eFnuOSPpBF7h4JC9ITU2nyCQvtjXpT7R2GVRsfv6G
2wFZIOUCsYVZA6dI9DZ+yOP7o22to/jws5cls4J89RdQqmf2ZzrgpMwQq9qVZDfh
b1Tr8iAtlCN8f1lvRbMziDLVDUnAPkG7xrcsQbR9pkPW6Ao3gG2hybGyB3sbkJKk
n8e/Q+t/2j5CfWjB5FnRRqcyJMqEiNTp5maslquoAPj2h8/+QxH4mc6ptjERGsQF
vGnkApEMdW1i9EjdceGcSE18rHashd6RCSsYG6Y2KqC033nGC2Pm9gU+z8EJhkLM
gxNHXKTF8KzqHgjFedLzZlEWqDP0FGfXZa2QTU5t/IZquEE9Vl0ROnQI+aYh8Il8
Rdzqy+FCvtcff5ArZs8yRRe9xqOUJjdkZ+IUgGTDWcd8utp1SvyynTVG0GBlqzgi
NPq6gDUCzVZad2D4iVq7
=xnI/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.