Candidate: CVE-2005-4440
References:
http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
Description:
The 802.1q VLAN protocol allows remote attackers to bypass network segmentation and spoof VLAN traffic
via a message with two 802.1q tags, which causes the second tag to be redirected from a downstream
switch after the first tag has been stripped, as demonstrated by Yersinia, aka "double-tagging VLAN
jumping attack."
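The double-tagging mechanism in the description above, seen from the receiving side: the following Python parser is an added example (it is not part of this tracker entry, of the Linux kernel, or of Yersinia) that decodes stacked 802.1Q tags from a raw Ethernet frame and flags frames carrying two tags, which is what a monitoring point on a trunk link would look for. The sample frames and all function names are constructed for this example.

```python
"""Decode stacked 802.1Q tags from raw Ethernet frames and flag double-tagged
frames of the kind described for CVE-2005-4440.

Added example; not part of the Debian tracker entry or of the Linux kernel.
The sample frames below are constructed for illustration.
"""
import struct

ETHERTYPE_8021Q = 0x8100    # customer VLAN tag (C-TAG)
ETHERTYPE_8021AD = 0x88A8   # service VLAN tag (S-TAG, QinQ)
VLAN_TPIDS = {ETHERTYPE_8021Q, ETHERTYPE_8021AD}


def parse_vlan_tags(frame: bytes):
    """Return (dst, src, vids, payload_ethertype, payload) for one frame.

    Walks every stacked VLAN tag after the source MAC until a non-VLAN
    EtherType is reached; vids lists the 12-bit VLAN IDs outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)   # VID is the low 12 bits of the TCI
        offset += 4                 # skip TPID + TCI and look at the next type
    return dst, src, vids, ethertype, frame[offset + 2:]


def summarize(frame: bytes) -> dict:
    """Compact per-frame verdict suitable for a log line or an alert."""
    dst, src, vids, ethertype, payload = parse_vlan_tags(frame)
    return {
        "src": src.hex(":"),
        "dst": dst.hex(":"),
        "vids": vids,
        "ethertype": ethertype,
        "payload_len": len(payload),
        # Two or more tags on a link that should carry at most one is the
        # pattern the CVE description calls double tagging.
        "double_tagged": len(vids) >= 2,
    }


def audit(frames) -> list:
    """Return [(index, vids)] for every frame that carries two or more tags."""
    hits = []
    for i, frame in enumerate(frames):
        vids = parse_vlan_tags(frame)[2]
        if len(vids) >= 2:
            hits.append((i, vids))
    return hits


# Constructed sample frames: broadcast dst, src 00:11:22:33:44:55, IPv4 payload.
UNTAGGED = bytes.fromhex("ffffffffffff 001122334455 0800 deadbeef")
SINGLE_TAG = bytes.fromhex("ffffffffffff 001122334455 8100 0001 0800 deadbeef")
DOUBLE_TAG = bytes.fromhex("ffffffffffff 001122334455 8100 0001 8100 0014 0800 deadbeef")
SAMPLE_FRAMES = [UNTAGGED, SINGLE_TAG, DOUBLE_TAG]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_FRAMES):
        print(i, summarize(frame))
    print("double-tagged frames:", audit(SAMPLE_FRAMES))
```

Run stand-alone, the script reports the third constructed frame as double tagged with VIDs [1, 20]; the same `audit` function can be fed frames captured from a trunk or a raw socket. A frame with more than one tag is legitimate on a QinQ service link, so the verdict belongs on access-side and trunk links where only one tag is expected.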
Notes:
Quoting Horms:
I've taken a quick look at this. I don't think that 1. (VLAN jumping) affects
Linux because of the following line near the bottom of vlan_skb_recv().
.
skb->protocol = __constant_htons(ETH_P_802_2);
.
I'm looking at Linus' Git tree as of this morning,
but I don't think there have been any relevant changes
since Git began at 2.6.12-rc2.
.
This seems to imply that further processing will treat the packet
as an ethernet frame. Though I need to double check that it
can't be passed back into the vlan code. I'm doing that now,
but in about 15 minutes I have to leave, and I'll be on
leave for 6 days. At home, and possibly looking into this problem,
but not at my desk working sensible hours.
.
As for 2 (PVLAN jumping). I haven't looked into that yet but
it seems quite plausible.
.
dannf> Horms believes these to be protocol bugs - they are legal
dannf> things to do. Therefore, we're gonna ignore them for the sarge2
dannf> series of kernels & follow what upstream does.
Bugs:
upstream:
linux-2.6:
2.6.8-sarge-security: ignored (2.6.8-16sarge5)
2.4.27-sarge-security: ignored (2.4.27-10sarge4)
2.6.18-etch-security: