CVE-2008-0177
Published 2008-02-07
Priority: P343 (high) · CVSS 2.0: 7.8 · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploit: PoC available
EPSS: 15.54% (96.4th percentile)
The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header.
Detection & IOCs
bytes: \x60\x00\x00\x00\x00\x00\x6c\x66 (IPv6 packet with plen=0 and next header=0x6c/IPComp)
- Detect crafted IPv6 packets with next-header field set to 0x6c (IPComp, decimal 108) and a payload length of 0, which is the exact packet shape used by the PoC to trigger the NULL pointer dereference panic.
- A single specifically crafted IPv6 packet with an IPComp header is sufficient to panic a vulnerable kernel; monitor for unexpected kernel panics on systems with IPSEC compiled in and IPv6 enabled.
- The vulnerability is only reachable when IPSEC is compiled into the kernel; triage affected hosts by checking kernel configuration for IPSEC support before prioritising response.
- FreeBSD GENERIC and SMP kernel configurations shipped with releases do NOT include IPsec support and are therefore not vulnerable; only custom kernels with IPSEC compiled in are at risk.
- Multiple BSD-derived operating systems are affected beyond FreeBSD 5.5, including NetBSD 3.1 and FreeBSD 4.9.0; scope detection and patching accordingly.
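A minimal detector for the packet shape described in the list above, as an added example (not code from the advisory or the KAME project). It works on raw bytes starting at the IPv6 header; the function names, the constructed sample packets and the extra `truncated-ipcomp` class (a payload shorter than the 4-byte IPComp header of RFC 3173) are assumptions that go slightly beyond the page's plen=0 case.

```python
import struct
from ipaddress import IPv6Address

IPPROTO_IPCOMP = 108   # 0x6c, the next-header value named on the page
IPV6_HDR_LEN = 40      # fixed IPv6 header size
IPCOMP_HDR_LEN = 4     # IPComp header size per RFC 3173 (assumption beyond the page)


def classify(pkt: bytes) -> str:
    """Classify raw bytes that start at the IPv6 header."""
    if len(pkt) < IPV6_HDR_LEN:
        return "too-short"
    vtf, plen, nxt, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        return "not-ipv6"
    if nxt != IPPROTO_IPCOMP:
        return "ok"
    if plen == 0:
        return "match"  # exact shape from the page: next header 0x6c, plen 0
    # Generalization: declared or captured payload cannot hold an IPComp header.
    if plen < IPCOMP_HDR_LEN or len(pkt) - IPV6_HDR_LEN < IPCOMP_HDR_LEN:
        return "truncated-ipcomp"
    return "ok"


def build(plen: int, nxt: int, payload: bytes = b"", hlim: int = 0x66) -> bytes:
    """Build a constructed sample header; addresses use the 2001:db8::/32 doc prefix."""
    src = IPv6Address("2001:db8::1").packed
    dst = IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, plen, nxt, hlim) + src + dst + payload


# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "poc-shape": build(0, IPPROTO_IPCOMP),
    "short-ipcomp": build(2, IPPROTO_IPCOMP, b"\x00\x00"),
    "valid-ipcomp": build(8, IPPROTO_IPCOMP, b"\x06\x00\x00\x02" + b"\x00" * 4),
    "plain-tcp": build(20, 6, b"\x00" * 20),
}


def scan(packets: dict) -> list:
    """Return (name, verdict) for every packet that is not 'ok'."""
    verdicts = ((name, classify(p)) for name, p in packets.items())
    return [(name, v) for name, v in verdicts if v != "ok"]


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES):
        print(f"{name}: {verdict}")
```
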
BSD
FreeBSD-SA-08:04.ipsec: IPsec null pointer dereference panic
bsd_advisories·2008-02-14·CVSS 7.8
FreeBSD-SA-08:04.ipsec Security Advisory
The FreeBSD Project
Topic: IPsec null pointer dereference panic
Category: core
Module: ipsec
Announced: 2008-02-14
Credits: Takashi Sogabe, Tatuya Jinmei
Affects: FreeBSD 5.5
Corrected: 2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name: CVE-2008-0177
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
The IPsec suite of protocols provides network level security for IPv4
and IPv6 packets. FreeBSD includes software originally developed by
the KAME project which implements the various protocols that make up
IPsec.
II. Problem Description
There is an improper
GHSA
GHSA-vrv9-xcjr-98wp: The ipcomp6_input function in sys/netinet6/ipcomp_input
ghsa_unreviewed·2022-05-01
- http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
- http://lists.apple.com/archives/security-announce/2008//Jul/msg00001.html
- http://lists.apple.com/archives/security-announce/2008//May/msg00001.html
- http://secunia.com/advisories/28788
- http://secunia.com/advisories/28816
- http://secunia.com/advisories/28979
- http://secunia.com/advisories/29130
- http://secunia.com/advisories/30430
- http://secunia.com/advisories/31074
- http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc
- http://securitytracker.com/id?1019314
- http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36%3Br2=1.37
- http://www.kb.cert.org/vuls/id/110947
- http://www.securityfocus.com/bid/27642
- http://www.us-cert.gov/cas/techalerts/TA08-150A.html
- http://www.vupen.com/english/advisories/2008/0441
- http://www.vupen.com/english/advisories/2008/0688
- http://www.vupen.com/english/advisories/2008/1697
- http://www.vupen.com/english/advisories/2008/2094/references
- https://www.exploit-db.com/exploits/5191