CVE-2007-1357
Published 2007-04-11
Priority: P339, high, 7.8 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 13.53% (96.0th percentile)
The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.
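The length mismatch described above, as an added user-space illustration in C (not kernel code and not taken from any advisory on this page): a receiver compares the length claimed in the DDP header with the bytes that actually arrived and rejects the frame before any checksum is computed. The 13-byte long-form header layout, the function and enum names, and the sample frame are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define DDP_HDR_LEN  13u      /* assumed long-form DDP header size */
#define DDP_LEN_MASK 0x03FFu  /* length = low 10 bits of the first word */

enum ddp_verdict { DDP_OK, DDP_TRUNCATED, DDP_BAD_LENGTH, DDP_BAD_SUM };

/* DDP checksum: add each byte, then rotate the 16-bit sum left by one. */
static uint16_t ddp_sum(const uint8_t *p, size_t n)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        sum = (uint16_t)(sum + p[i]);
        sum = (uint16_t)((sum << 1) | (sum >> 15));
    }
    return sum ? sum : 0xFFFF;  /* 0 on the wire means "no checksum" */
}

/* buf/avail: the bytes that actually arrived after the LLC/SNAP header. */
enum ddp_verdict ddp_validate(const uint8_t *buf, size_t avail)
{
    if (avail < DDP_HDR_LEN)
        return DDP_TRUNCATED;
    size_t claimed = (((size_t)buf[0] << 8) | buf[1]) & DDP_LEN_MASK;
    if (claimed < DDP_HDR_LEN)
        return DDP_BAD_LENGTH;
    if (claimed > avail)        /* header promises more than was received */
        return DDP_TRUNCATED;   /* reject before touching the checksum */
    uint16_t wire = (uint16_t)(((unsigned)buf[2] << 8) | buf[3]);
    if (wire != 0 && ddp_sum(buf + 4, claimed - 4) != wire)
        return DDP_BAD_SUM;
    return DDP_OK;
}

/* Constructed sample: header claims 0x1B (27) bytes, only 21 are present. */
enum ddp_verdict ddp_demo_short_frame(void)
{
    uint8_t frame[21] = { 0x00, 0x1B, 0x00, 0x01 };
    return ddp_validate(frame, sizeof frame);
}
```

The ordering is the point: the claimed length is checked against the received length first, so the checksum loop never runs over a span the buffer does not contain.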
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.20.4 | — |
CVSS provenance
nvd · v2.0 · 7.8 HIGH · AV:N/AC:L/Au:N/C:N/I:N/A:C
vendor_ubuntu · 7.8 HIGH
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2007-05-24·CVSS 7.8
CVE-2007-1357 [HIGH] Linux kernel vulnerabilities
Philipp Richter discovered that the AppleTalk protocol handler did
not sufficiently verify the length of packets. By sending a crafted
AppleTalk packet, a remote attacker could exploit this to crash the
kernel. (CVE-2007-1357)
Gabriel Campana discovered that the do_ipv6_setsockopt() function did
not sufficiently verify option values for IPV6_RTHDR. A local
attacker could exploit this to trigger a kernel crash. (CVE-2007-1388)
A Denial of Service vulnerability was discovered in the
nfnetlink_log() netfilter function. A remote attacker could exploit
this to trigger a kernel crash. (CVE-2007-1496)
The connection tracking module for IPv6 did not properly handle the
status field when reassembling fragmented packets,
GHSA
GHSA-7wpj-xm3v-6m5h: The atalk_sum_skb function in AppleTalk for Linux kernel 2
ghsa_unreviewed·2022-05-01
No detection rules found.
Bugzilla
CVE-2007-1357 Remotely triggerable crash in AppleTalk support
bugzilla·2007-05-22·CVSS 7.8
When we receive an AppleTalk frame shorter than what its header says, we still
attempt to verify its checksum, and trip on the BUG_ON() at the end of function
atalk_sum_skb() because of the length mismatch.
This has security implications because this can be triggered by simply sending a
specially crafted ethernet frame to a target victim, effectively crashing that
host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to
trigger the crash, in npg format:
{
# Ethernet header -----
XX XX XX XX XX XX # Destination MAC
00 00 00 00 00 00 # Source MAC
00 1D # Length
# LLC header -----
AA AA 03
08 00 07 80 9B # Appletalk
# Appletalk header -----
00 1B # Packet length (invalid)
00 01 # Fake checksum
00 00
Bugzilla
CVE-2007-1357 Remotely triggerable crash in AppleTalk
bugzilla·2007-04-10·CVSS 7.8
When we receive an AppleTalk frame shorter than what its header says, we still
attempt to verify its checksum, and trip on the BUG_ON() at the end of function
atalk_sum_skb() because of the length mismatch.
This has security implications because this can be triggered by simply sending a
specially crafted ethernet frame to a target victim, effectively crashing that
host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to
trigger the crash, in npg format:
{
# Ethernet header -----
XX XX XX XX XX XX # Destination MAC
00 00 00 00 00 00 # Source MAC
00 1D # Length
# LLC header -----
AA AA 03
08 00 07 80 9B # Appletalk
# Appletalk header -----
00 1B # Packet length (invalid)
00 01 # Fake checksum
00 00 00 00 #
References
http://lists.suse.com/archive/suse-security-announce/2007-May/0001.html
http://secunia.com/advisories/24793
http://secunia.com/advisories/24901
http://secunia.com/advisories/25078
http://secunia.com/advisories/25099
http://secunia.com/advisories/25226
http://secunia.com/advisories/25392
http://secunia.com/advisories/25683
http://secunia.com/advisories/25691
http://secunia.com/advisories/25714
http://secunia.com/advisories/25961
http://www.debian.org/security/2007/dsa-1286
http://www.debian.org/security/2007/dsa-1304
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.5
http://www.novell.com/linux/security/advisories/2007_30_kernel.html
http://www.novell.com/linux/security/advisories/2007_35_kernel.html
http://www.novell.com/linux/security/advisories/2007_43_kernel.html
http://www.securityfocus.com/archive/1/471457
http://www.securityfocus.com/bid/23376
http://www.ubuntu.com/usn/usn-464-1
http://www.vupen.com/english/advisories/2007/1340
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235857
https://issues.rpath.com/browse/RPL-1244