{"vuid":"VU#668220","idnumber":"668220","name":"IPComp encapsulation nested payload vulnerability","keywords":["NetBSD","kernel","network","xnu","ipcomp","ipsec","encapsulation"],"overview":"Some IPComp implementations may contain a kernel memory corruption vulnerability in their handling of nested encapsulation of IPComp payloads.","clean_desc":"RFC 3173 defines the IP Payload Compression Protocol (IPComp) as: IP payload compression is a protocol to reduce the size of IP datagrams. This protocol will increase the overall communication performance between a pair of communicating hosts/gateways (\"nodes\") by compressing the datagrams, provided the nodes have sufficient computation power, through either CPU capacity or a compression coprocessor, and the communication is over slow or congested links. IPComp is commonly used in conjunction with IPsec implementations. Some network stack implementations, particularly those incorporating the KAME project or NetBSD project IPComp and IPsec implementations, may fail to bound the nesting depth in their recursive handling of nested IPComp-encapsulated payloads: each IPComp header whose inner payload is itself IPComp re-enters the input path, so a remote sender who chains enough headers can exhaust the kernel stack.\nExploitation of this vulnerability could allow a remote attacker to cause kernel memory corruption.","impact":"A remote attacker can cause a kernel stack overflow leading to a denial of service or possibly execute arbitrary code.","resolution":"Apply a Patch from Your Vendor\nPlease see the Vendor Information below for specific vendor information and patches.","workarounds":"Filter IPComp (IP protocol number 108) at network borders if it is not required\nUtilize packet filtering on workstations or servers to prevent the vulnerable code from being executed\nRecompile affected software to disallow nested encapsulation of IPComp payloads if possible","sysaffected":"Note that any systems derived from the KAME or NetBSD IPCom","thanks":"Thanks to Tavis Ormandy of Google for reporting this vulnerability.","author":"This document was written by Michael Orlando.","public":["http://tools.ietf.org/html/rfc3173","http://lists.grok.org.uk/pipermail/full-disclosure/2011-April/080031.html"],"cveids":["CVE-2011-1547"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2011-03-28T18:20:44Z","publicdate":"2011-04-01T00:00:00Z","datefirstpublished":"2011-04-01T14:25:42Z","dateupdated":"2011-08-16T15:10:27Z","revision":38,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"19","cam_population":"19","cam_impact":"19","cam_easeofexploitation":"14","cam_attackeraccessrequired":"17","cam_scorecurrent":"54.772725","cam_scorecurrentwidelyknown":"62.8275375","cam_scorecurrentwidelyknownexploited":"95.0467875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":54.772725,"vulnote":null}
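The following is an added example, not KAME, NetBSD or any vendor's code, and not the patch referenced in the note. It models the bug class the record describes: an IPComp (protocol 108) input routine that re-enters itself whenever the decapsulated payload's Next Header is again IPComp, shown in its unbounded form beside a version that enforces a nesting limit. The RFC 3173 header layout (Next Header, Flags, 16-bit CPI) and the protocol number are from the RFC; the `IPCOMP_MAX_NESTING` value, the function names, the 256-byte per-frame scratch buffer standing in for real handler state, the identity "decompressor", and the constructed test datagram are assumptions of this example.

```c
/* Added example (not NetBSD/KAME code): recursive IPComp decapsulation,
 * unbounded (vulnerable shape) beside depth-bounded (hardened shape). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPPROTO_IPCOMP 108   /* IPComp protocol number, RFC 3173 */
#define IPPROTO_UDP    17
#define IPCOMP_HDRLEN  4     /* Next Header (1), Flags (1), CPI (2) */

/* Assumed nesting bound for this example; a real stack picks its own. */
#define IPCOMP_MAX_NESTING 4

/* Strip one RFC 3173 IPComp header. This model treats the payload as
 * already expanded (no decompressor), so only the nesting logic is
 * exercised. Returns the inner payload, or NULL if the header is
 * truncated or its reserved Flags byte is non-zero. */
static const uint8_t *ipcomp_strip(const uint8_t *pkt, size_t len,
                                   size_t *inner_len, uint8_t *next_hdr)
{
    if (len < IPCOMP_HDRLEN)
        return NULL;
    if (pkt[1] != 0)                      /* Flags: reserved, MUST be zero */
        return NULL;
    *next_hdr = pkt[0];
    *inner_len = len - IPCOMP_HDRLEN;
    return pkt + IPCOMP_HDRLEN;
}

/* Vulnerable shape: if the inner payload is itself IPComp, the handler
 * re-enters itself with no bound. Every level costs a kernel stack frame
 * (modelled by 'scratch'), and the remote sender chooses how many.
 * Returns the nesting depth reached, or -1 for a malformed header. */
int ipcomp_input_unbounded(const uint8_t *pkt, size_t len, int depth)
{
    uint8_t scratch[256];                 /* assumed per-level frame state */
    size_t inner_len;
    uint8_t next_hdr;
    const uint8_t *inner = ipcomp_strip(pkt, len, &inner_len, &next_hdr);

    if (inner == NULL)
        return -1;
    memset(scratch, 0, sizeof scratch);
    if (next_hdr == IPPROTO_IPCOMP)
        return ipcomp_input_unbounded(inner, inner_len, depth + 1);
    return depth + 1;                     /* hand off to next_hdr's handler */
}

/* Hardened shape: same walk, but the datagram is dropped once nesting
 * reaches IPCOMP_MAX_NESTING. Returns depth, or -1 on drop/malformed. */
int ipcomp_input_bounded(const uint8_t *pkt, size_t len, int depth)
{
    size_t inner_len;
    uint8_t next_hdr;
    const uint8_t *inner;

    if (depth >= IPCOMP_MAX_NESTING)      /* the check the bug class lacks */
        return -1;
    inner = ipcomp_strip(pkt, len, &inner_len, &next_hdr);
    if (inner == NULL)
        return -1;
    if (next_hdr == IPPROTO_IPCOMP)
        return ipcomp_input_bounded(inner, inner_len, depth + 1);
    return depth + 1;
}

/* Constructed test datagram: n IPComp headers (CPI 2, DEFLATE in the
 * RFC 3173 well-known range) wrapping a 4-byte stand-in UDP payload.
 * Returns the total length, or 0 if buf is too small or n < 1. */
size_t build_nested_ipcomp(uint8_t *buf, size_t cap, int n)
{
    static const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef };
    size_t need = (size_t)n * IPCOMP_HDRLEN + sizeof payload;
    size_t off = 0;

    if (n < 1 || cap < need)
        return 0;
    for (int i = 0; i < n; i++) {
        buf[off++] = (i == n - 1) ? IPPROTO_UDP : IPPROTO_IPCOMP;
        buf[off++] = 0;                   /* Flags */
        buf[off++] = 0x00;                /* CPI 2, network byte order */
        buf[off++] = 0x02;
    }
    memcpy(buf + off, payload, sizeof payload);
    return need;
}

/* Build an n-deep datagram and run it through the chosen input path.
 * Returns the handler's result, or -2 if the datagram could not be built. */
int run_nested(int n, int bounded)
{
    uint8_t pkt[1024];
    size_t len = build_nested_ipcomp(pkt, sizeof pkt, n);

    if (len == 0)
        return -2;
    return bounded ? ipcomp_input_bounded(pkt, len, 0)
                   : ipcomp_input_unbounded(pkt, len, 0);
}
```

`run_nested(12, 0)` walks all twelve headers and returns 12, consuming a 256-byte frame per level; on a wire path the attacker, not the host, picks that number, which is the whole problem. `run_nested(12, 1)` returns -1 and drops the datagram at the fourth level. The bound belongs at the entry of the recursive routine, before any per-frame allocation, so that the rejection itself costs no additional stack; a check placed after the scratch buffer is live would still let the attacker reach one frame past the limit. Note that the `Flags != 0` rejection and the length check are ordinary header validation and do nothing against deep nesting on their own.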