Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Linux Kernel IGMP Remote Denial of Service Vulnerability

Attack ID: CPAI-2005-01
Publish Date:
Last Update:
Category: Denial of Service
Vulnerable Systems: Linux kernel from 2.4.22 to 2.4.28,  2.6; up to and including 2.6.9
Source:

CAN-2004-1137

Description:

The Internet Group Management protocol (IGMP) is used by hosts and routers to dynamically register and discover multicast group memberships. Multicast is a routing technique that allows IP traffic to be sent from one source or multiple sources and delivered to multiple destinations. By sending a specially crafted IGMP packet to a Linux machine with multicast support, a remote user may execute arbitrary code on the affected machine or cause a denial of service condition.

 

Severity:
Details:

The Internet Group Management Protocol (IGMP) is a routing protocol used by IPv4 systems (hosts and routers) to report their IP multicast group memberships to any neighboring multicast routers. The Linux kernel incorporates a set of the IGMPv2 and IGMPv3 specifications. A flaw exists in the IGMP code in the Linux kernel. This flaw is remotely exploitable on Linux machines with multicast support.

 


Attack Detection:

Using SmartView Tracker, users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have performed the Update outlined below, will be able to identify this attack by one of the following logging entries:

Users of R55W and InterSpect:

Name: IGMP Protocol Enforcement Violation
Information:
IGMP packet was not sent to a multicast address
IGMP packet time-to-live value is not 1
IGMPv3 query packet: wrong data length
IGMPv3 packet header too short
IGMP packet header too short

Users of R55:
Users of R55 will identify rule 9992 on the log viewer.
Rule 9992 -  Invalid IGMP traffic.

Solution:

Users of VPN-1 NG with Application Intelligence R55 and InterSpect should update their SmartDefense by clicking the Update Now button on the SmartDefense SmartDashboard General window.

Users of VPN-1 NG with Application Intelligence R55W should update their SmartDefense by clicking the Online Update button on the SmartDefense SmartDashboard General window

SmartDefense Protection:

The new IGMP protection enforces the validity of IGMP packets. The protection has been added to the SmartDefense navigation tree, under Application Intelligence > Routing Protocols.

To enable the Protection:

1. On the SmartDefense navigation tree, select Application Intelligence > Routing Protocols.
2. Enable IGMP

3. Install policy on all modules.

Industry Reference: CAN-2004-1137
Additional Information:

http://isec.pl/vulnerabilities/isec-0018-igmp.txt