CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |

EPSS: 0.47 Medium (Percentile: 97.5%)
The KAME project's IPv6 implementation does not properly process IPv6 packets that contain the IPComp header. If exploited, this vulnerability may allow an attacker to cause a vulnerable system to crash.
Per RFC 3173:
IP payload compression is a protocol to reduce the size of IP datagrams. This protocol will increase the overall communication performance between a pair of communicating hosts/gateways ("nodes") by compressing the datagrams, provided the nodes have sufficient computation power, through either CPU capacity or a compression coprocessor, and the communication is over slow or congested links.
Systems that have IPv6 networking derived from the KAME project IPv6 implementation may not properly process IPv6 packets that contain an IPComp header. An attacker can exploit this vulnerability by sending an IPv6 packet with an IPComp header to a vulnerable system.
A remote, unauthenticated attacker can cause a vulnerable system to crash.
See the systems affected section of this document for a partial list of affected vendors. Administrators who compile their kernel from source should see <http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37> for more information.
Restrict access
Until updates can be applied, using a packet-filtering firewall to block IPv6 packets that contain the IPComp header may prevent this vulnerability from being exploited by remote attackers.
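A filter that implements this workaround has to follow the IPv6 extension-header chain, because the IPComp protocol number (108, per the IANA registry) can appear in the base header's Next Header field or after other extension headers. The sketch below is an added example, not code from CERT/CC or the KAME project; the function names and the sample packets are constructed for illustration, and it fails closed on chains it cannot parse.

```python
import ipaddress
import struct

IPCOMP = 108                  # IANA protocol number for IPComp (RFC 3173)
EXT_8OCTET = {0, 43, 60}      # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44                 # fixed 8-byte header
AH = 51                       # length counted in 4-octet units, minus 2
MAX_EXT_HEADERS = 16          # arbitrary bound on chain length (assumption)


def has_ipcomp(packet: bytes) -> bool:
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns True if an IPComp header is announced anywhere in the chain.
    Raises ValueError if the packet is not IPv6 or the chain is truncated.
    ESP (50) ends the walk: what follows it is encrypted.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    for _ in range(MAX_EXT_HEADERS):
        if next_header == IPCOMP:
            return True
        if next_header not in EXT_8OCTET | {FRAGMENT, AH}:
            return False      # upper-layer protocol or unparseable header
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == FRAGMENT:
            hdr_len = 8
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset != 0:
                # Non-first fragment: no further headers are present, but the
                # Next Header field still names the fragmented payload's type.
                return packet[offset] == IPCOMP
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            raise ValueError("truncated extension header")
        next_header = packet[offset]
        offset += hdr_len
    raise ValueError("extension-header chain too long")


def verdict(packet: bytes) -> str:
    """Filter decision: drop IPComp, and drop anything that cannot be parsed."""
    try:
        return "drop" if has_ipcomp(packet) else "pass"
    except ValueError:
        return "drop"


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet between documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


# Constructed samples (not captured traffic).
IPCOMP_HDR = bytes([6, 0, 0, 2]) + bytes(8)       # next header, flags, CPI, filler
DSTOPTS = bytes([IPCOMP, 0, 1, 4, 0, 0, 0, 0])    # 8-byte Destination Options, PadN
SAMPLES = {
    "ipcomp_direct": ipv6(IPCOMP, IPCOMP_HDR),
    "ipcomp_after_dstopts": ipv6(60, DSTOPTS + IPCOMP_HDR),
    "plain_tcp": ipv6(6, bytes(20)),
    "truncated_dstopts": ipv6(60, bytes([IPCOMP, 3, 0, 0])),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {verdict(pkt)}")
```

A rule that matches only the base header's Next Header field would pass the `ipcomp_after_dstopts` sample, so check how the firewall in use handles extension headers before relying on it.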
Notified: November 30, 2007 Updated: May 29, 2008
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
See <http://support.apple.com/kb/HT1897> for more information.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23110947 Feedback>).
Notified: November 30, 2007 Updated: February 06, 2008
Statement Date: February 05, 2008
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Force10 Networks' switch/router product lines can be affected by this vulnerability in older FTOS versions. The problem was corrected in FTOS version 7.6.1.0.
Notified: November 30, 2007 Updated: February 27, 2008
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
From <http://security.freebsd.org/advisories/FreeBSD-SA-08:04.ipsec.asc>
No workaround is available, but kernels which do not include IPsec support are not vulnerable. The GENERIC and SMP kernel configurations distributed with FreeBSD releases do not include IPsec support.
Notified: November 30, 2007 Updated: February 07, 2008
Affected
All JUNOS software built on or after December 8, 2007 has been corrected to properly manage IPv6 packet buffers and is not susceptible to this vulnerability. JUNOS releases 8.5R1 and beyond are NOT susceptible to this vulnerability because a revised IPv6 protocol stack was implemented.
No other Juniper products are affected by this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 05, 2008 Updated: February 07, 2008
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 01, 2008
Statement Date: February 01, 2008
Affected
QNX Software Systems has verified that vulnerability VU#110947 is present in products which contain the IPv6 version of the TCP/IP network stack. This issue has been corrected in patch 933-CERT-VU110947 for QNX Momentics 6.3.2 and 6.3.0 SP3 Extended Networking TDK 1.0.1.
Please contact your QNX representative to obtain this patch, or for more information regarding older QNX releases and how to determine if you are using the affected binary.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: January 30, 2008
Statement Date: January 29, 2008
Not Affected
No Borderware products are affected by this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 08, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 01, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 01, 2008
Not Affected
We have investigated and determined that no CA products are vulnerable to this issue.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: March 16, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Debian GNU/Linux is not affected by this issue.
Notified: November 30, 2007 Updated: April 29, 2009
Statement Date: April 29, 2009
Not Affected
Extreme Networks products are not vulnerable to this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: November 30, 2007 Updated: April 03, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 01, 2008
Statement Date: January 28, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 06, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 06, 2008
Statement Date: December 04, 2007
Not Affected
IBM Internet Security Systems does NOT use this code at all in our products. Thus we are not vulnerable to this issue and are unaffected.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 08, 2008
Not Affected
Intoto's iGateway VPN is not vulnerable to the exploit documented in this vulnerability note, because it is not a derivative of KAME project.
We are not aware of further vendor information regarding this vulnerability.
Updated: February 13, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 01, 2008
Statement Date: February 01, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 05, 2008
Statement Date: February 05, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Statement Date: December 06, 2007
Not Affected
We have investigated all of our IPv6-capable products, including our Sidewinder, SnapGear, and TSP product lines. None of them contain the relevant code or are otherwise affected by the issue.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Statement Date: December 03, 2007
Not Affected
SmoothWall products do not use KAME for their IPSec implementation; they use Linux-based FreeS/WAN code. We are therefore not vulnerable to this exploit.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: February 06, 2008
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Sun can confirm that it is not impacted by this issue described in CERT advisory VU#110947.
Notified: November 30, 2007 Updated: December 12, 2007
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: December 12, 2007
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: January 21, 2008 Updated: January 21, 2008
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: January 21, 2008 Updated: February 01, 2008
Statement Date: January 21, 2008
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 05, 2008 Updated: February 05, 2008
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 05, 2008 Updated: February 05, 2008
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: February 05, 2008 Updated: February 05, 2008
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 30, 2007 Updated: November 30, 2007
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Thanks to Shoichi Sakane of the KAME project for reporting this vulnerability.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2008-0177 |
---|---|
Severity Metric: | 4.39 |
Date Public: | |
cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1
jvn.jp/cert/JVNVU%23110947/
secunia.com/advisories/28788/
secunia.com/advisories/28816/
www.ietf.org/rfc/rfc3173.txt
www.kame.net/
www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37
www.milw0rm.com/exploits/5191