ID

VAR-201402-0027


CVE

CVE-2011-3604


TITLE

router advertisement daemon of process_ra Service disruption in functions (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2011-005288

DESCRIPTION

The process_ra function in the router advertisement daemon (radvd) before 1.8.2 allows remote attackers to cause a denial of service (stack-based buffer over-read and crash) via unspecified vectors. radvd is prone to the follow security vulnerabilities: 1. Multiple local privilege-escalation vulnerability. 2. A local arbitrary file-overwrite vulnerability. 3. Multiple remote denial-of-service vulnerabilities. An attacker can exploit these issues to execute arbitrary code with administrative privileges, overwrite arbitrary files, and cause denial-of-service conditions. The software can replace IPv6 routing for stateless address auto-configuration. A security vulnerability exists in the 'process_ra' function in radvd 1.8.1 and earlier. ========================================================================== Ubuntu Security Notice USN-1257-1 November 10, 2011 radvd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: radvd could be made to crash or overwrite certain files if it received specially crafted network traffic. Software Description: - radvd: Router Advertisement Daemon Details: Vasiliy Kulikov discovered that radvd incorrectly parsed the ND_OPT_DNSSL_INFORMATION option. The default compiler options for affected releases should reduce the vulnerability to a denial of service. This issue only affected Ubuntu 11.04 and 11.10. (CVE-2011-3601) Vasiliy Kulikov discovered that radvd incorrectly filtered interface names when creating certain files. (CVE-2011-3602) Vasiliy Kulikov discovered that radvd incorrectly handled certain lengths. (CVE-2011-3604) Vasiliy Kulikov discovered that radvd incorrectly handled delays when used in unicast mode, which is not the default in Ubuntu. If used in unicast mode, a remote attacker could cause radvd outages, resulting in a denial of service. (CVE-2011-3605) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: radvd 1:1.8-1ubuntu0.1 Ubuntu 11.04: radvd 1:1.7-1ubuntu0.1 Ubuntu 10.10: radvd 1:1.6-1ubuntu0.1 Ubuntu 10.04 LTS: radvd 1:1.3-1.1ubuntu0.1 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1257-1 CVE-2011-3601, CVE-2011-3602, CVE-2011-3604, CVE-2011-3605 Package Information: https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1 https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1 . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: radvd: Multiple vulnerabilities Date: November 20, 2011 Bugs: #385967 ID: 201111-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in radvd which could potentially lead to privilege escalation, data loss, or a Denial of Service. Background ========== radvd is an IPv6 router advertisement daemon for Linux and BSD. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/radvd < 1.8.2 >= 1.8.2 Description =========== Multiple vulnerabilities have been discovered in radvd. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All radvd users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/radvd-1.8.2" References ========== [ 1 ] CVE-2011-3601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3601 [ 2 ] CVE-2011-3602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3602 [ 3 ] CVE-2011-3603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3603 [ 4 ] CVE-2011-3604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3604 [ 5 ] CVE-2011-3605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3605 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201111-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Ovum says ad hoc tools are out-dated. The best practice approach? Fast vulnerability intelligence, threat handling, and setup in one tool. Read the new report on the Secunia VIM: http://secunia.com/products/corporate/vim/ovum_2011_request/ ---------------------------------------------------------------------- TITLE: Debian update for radvd SECUNIA ADVISORY ID: SA46639 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/46639/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 RELEASE DATE: 2011-10-31 DISCUSS ADVISORY: http://secunia.com/advisories/46639/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/46639/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=46639 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Debian has issued an update for radvd. This fixes a security issue and multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA46200 SOLUTION: Apply updated packages via the apt-get package manager. ORIGINAL ADVISORY: DSA-2323-1: http://www.debian.org/security/2011/dsa-2323 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2323-1 security@debian.org http://www.debian.org/security/ Yves-Alexis Perez October 26, 2011 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : radvd Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-3602 CVE-2011-3604 CVE-2011-3605 Debian Bug : 644614 Multiple security issues were discovered by Vasiliy Kulikov in radvd, an IPv6 Router Advertisement daemon: CVE-2011-3602 set_interface_var() function doesn't check the interface name, which is chosen by an unprivileged user. CVE-2011-3604 process_ra() function lacks multiple buffer length checks which could lead to memory reads outside the stack, causing a crash of the daemon. CVE-2011-3605 process_rs() function calls mdelay() (a function to wait for a defined time) unconditionnally when running in unicast-only mode. As this call is in the main thread, that means all request processing is delayed (for a time up to MAX_RA_DELAY_TIME, 500 ms by default). Note: upstream and Debian default is to use anycast mode. For the oldstable distribution (lenny), this problem has been fixed in version 1:1.1-3.1. For the stable distribution (squeeze), this problem has been fixed in version 1:1.6-1.1. For the testing distribution (wheezy), this problem has been fixed in version 1:1.8-1.2. For the unstable distribution (sid), this problem has been fixed in version 1:1.8-1.2. We recommend that you upgrade your radvd packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk6q2QcACgkQXm3vHE4uylqlEQCgpdFwHzpKLF6KHlJs4y/ykeo/ oEYAniJXFaff25pMtXzM6Ovu8zslZm7H =VfHu -----END PGP SIGNATURE-----

Trust: 2.34

sources: NVD: CVE-2011-3604 // JVNDB: JVNDB-2011-005288 // BID: 50395 // VULHUB: VHN-51549 // PACKETSTORM: 106846 // PACKETSTORM: 107166 // PACKETSTORM: 106446 // PACKETSTORM: 106356

AFFECTED PRODUCTS

vendor:litechmodel:router advertisement daemonscope:lteversion:1.8.1

Trust: 1.0

vendor:litech designmodel:router advertisement daemonscope:ltversion:1.8.2

Trust: 0.8

vendor:litechmodel:router advertisement daemonscope:eqversion:1.8.1

Trust: 0.6

vendor:ubuntumodel:linux i386scope:eqversion:11.10

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:11.10

Trust: 0.3

vendor:ubuntumodel:linux powerpcscope:eqversion:11.04

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:11.04

Trust: 0.3

vendor:ubuntumodel:linux armscope:eqversion:11.04

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:11.04

Trust: 0.3

vendor:ubuntumodel:linux powerpcscope:eqversion:10.10

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:10.10

Trust: 0.3

vendor:ubuntumodel:linux armscope:eqversion:10.10

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:10.10

Trust: 0.3

vendor:ubuntumodel:linux sparcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux powerpcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux armscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:10.04

Trust: 0.3

vendor:litechmodel:radvdscope:eqversion:1.8.1

Trust: 0.3

vendor:gentoomodel:linuxscope: - version: -

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:litechmodel:radvdscope:neversion:1.8.2

Trust: 0.3

sources: BID: 50395 // JVNDB: JVNDB-2011-005288 // CNNVD: CNNVD-201402-221 // NVD: CVE-2011-3604

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3604
value: HIGH

Trust: 1.0

NVD: CVE-2011-3604
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201402-221
value: HIGH

Trust: 0.6

VULHUB: VHN-51549
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-3604
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-51549
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-51549 // JVNDB: JVNDB-2011-005288 // CNNVD: CNNVD-201402-221 // NVD: CVE-2011-3604

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-51549 // JVNDB: JVNDB-2011-005288 // NVD: CVE-2011-3604

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-221

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-201402-221

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-005288

PATCH

title:CHANGESurl:http://www.litech.org/radvd/CHANGES

Trust: 0.8

title:radvd-1.8.2url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=48103

Trust: 0.6

sources: JVNDB: JVNDB-2011-005288 // CNNVD: CNNVD-201402-221

EXTERNAL IDS

db:NVDid:CVE-2011-3604

Trust: 3.1

db:OPENWALLid:OSS-SECURITY/2011/10/06/3

Trust: 1.7

db:JVNDBid:JVNDB-2011-005288

Trust: 0.8

db:CNNVDid:CNNVD-201402-221

Trust: 0.7

db:SECUNIAid:46639

Trust: 0.7

db:SECUNIAid:46884

Trust: 0.6

db:SECUNIAid:46825

Trust: 0.6

db:SECUNIAid:46270

Trust: 0.6

db:SECUNIAid:46883

Trust: 0.6

db:SECUNIAid:46626

Trust: 0.6

db:SECUNIAid:46930

Trust: 0.6

db:UBUNTUid:USN-1257-1

Trust: 0.6

db:MLISTid:[OSS-SECURITY] 20111007 RADVD 1.8.2 RELEASED WITH SECURITY FIXES

Trust: 0.6

db:DEBIANid:DSA-2323

Trust: 0.6

db:BIDid:50395

Trust: 0.3

db:VULHUBid:VHN-51549

Trust: 0.1

db:PACKETSTORMid:106846

Trust: 0.1

db:PACKETSTORMid:107166

Trust: 0.1

db:PACKETSTORMid:106446

Trust: 0.1

db:PACKETSTORMid:106356

Trust: 0.1

sources: VULHUB: VHN-51549 // BID: 50395 // JVNDB: JVNDB-2011-005288 // PACKETSTORM: 106846 // PACKETSTORM: 107166 // PACKETSTORM: 106446 // PACKETSTORM: 106356 // CNNVD: CNNVD-201402-221 // NVD: CVE-2011-3604

REFERENCES

url:http://www.debian.org/security/2011/dsa-2323

Trust: 1.8

url:http://www.ubuntu.com/usn/usn-1257-1

Trust: 1.8

url:http://www.openwall.com/lists/oss-security/2011/10/06/3

Trust: 1.7

url:http://www.litech.org/radvd/changes

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3604

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3604

Trust: 0.8

url:http://www.litech.org/radvd/

Trust: 0.6

url:http://secunia.com/advisories/46270

Trust: 0.6

url:http://secunia.com/advisories/46626

Trust: 0.6

url:http://secunia.com/advisories/46639

Trust: 0.6

url:http://secunia.com/advisories/46825

Trust: 0.6

url:http://secunia.com/advisories/46883

Trust: 0.6

url:http://secunia.com/advisories/46884

Trust: 0.6

url:http://secunia.com/advisories/46930

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2011-3604

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-3602

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-3605

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2011-3601

Trust: 0.2

url:https://launchpad.net/ubuntu/+source/radvd/1:1.3-1.1ubuntu0.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/radvd/1:1.6-1ubuntu0.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/radvd/1:1.8-1ubuntu0.1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/radvd/1:1.7-1ubuntu0.1

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3605

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3602

Trust: 0.1

url:http://security.gentoo.org/glsa/glsa-201111-08.xml

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3603

Trust: 0.1

url:http://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3601

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-3603

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-3604

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=46639

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/advisories/46639/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/products/corporate/vim/ovum_2011_request/

Trust: 0.1

url:http://secunia.com/advisories/46639/#comments

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

url:http://www.debian.org/security/faq

Trust: 0.1

url:http://www.debian.org/security/

Trust: 0.1

sources: VULHUB: VHN-51549 // BID: 50395 // JVNDB: JVNDB-2011-005288 // PACKETSTORM: 106846 // PACKETSTORM: 107166 // PACKETSTORM: 106446 // PACKETSTORM: 106356 // CNNVD: CNNVD-201402-221 // NVD: CVE-2011-3604

CREDITS

Vasiliy Kulikov

Trust: 0.3

sources: BID: 50395

SOURCES

db:VULHUBid:VHN-51549
db:BIDid:50395
db:JVNDBid:JVNDB-2011-005288
db:PACKETSTORMid:106846
db:PACKETSTORMid:107166
db:PACKETSTORMid:106446
db:PACKETSTORMid:106356
db:CNNVDid:CNNVD-201402-221
db:NVDid:CVE-2011-3604

LAST UPDATE DATE

2024-11-07T22:19:43.144000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-51549date:2014-02-18T00:00:00
db:BIDid:50395date:2015-05-07T17:12:00
db:JVNDBid:JVNDB-2011-005288date:2014-02-19T00:00:00
db:CNNVDid:CNNVD-201402-221date:2014-02-20T00:00:00
db:NVDid:CVE-2011-3604date:2014-02-18T18:54:52.727

SOURCES RELEASE DATE

db:VULHUBid:VHN-51549date:2014-02-17T00:00:00
db:BIDid:50395date:2011-10-27T00:00:00
db:JVNDBid:JVNDB-2011-005288date:2014-02-19T00:00:00
db:PACKETSTORMid:106846date:2011-11-11T03:09:09
db:PACKETSTORMid:107166date:2011-11-21T01:10:29
db:PACKETSTORMid:106446date:2011-10-31T03:45:06
db:PACKETSTORMid:106356date:2011-10-28T21:47:49
db:CNNVDid:CNNVD-201402-221date:2014-02-20T00:00:00
db:NVDid:CVE-2011-3604date:2014-02-17T16:55:07.070