blob: 642e3a140e015b6ebeb531e190699a2a52dac910
Candidate: CVE-2005-4441
References:
BUGTRAQ:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
URL:http://www.securityfocus.com/archive/1/archive/1/419831/100/0/threaded
BUGTRAQ:20051219 Re: Making unidirectional VLAN and PVLAN jumping bidirectional
URL:http://www.securityfocus.com/archive/1/archive/1/419834/100/0/threaded
FULLDISC:20051219 Making unidirectional VLAN and PVLAN jumping bidirectional
URL:http://lists.grok.org.uk/pipermail/full-disclosure/2005-December/040333.html
Description:
The PVLAN protocol allows remote attackers to bypass network segmentation and
spoof PVLAN traffic via a PVLAN message with a target MAC address that is set
to a gateway router, which causes the packet to be sent to the router, where
the source MAC is modified, aka "Modification of the MAC spoofing PVLAN
jumping attack," as demonstrated by pvlan.c.
Notes:
Quoting Horms:
I've taken a quick look at this. I don't think that 1. (VLAN jumping) affects
Linux because of the following line near the bottom of vlan_skb_recv().
.
skb->protocol = __constant_htons(ETH_P_802_2);
.
I'm looking at Linus' Git tree as of this morning,
but I don't think there have been any relevant changes
since Git began at 2.6.12-rc2.
.
This seems to imply that further processing will treat the packet
as an ethernet frame. Though I need to double check that it
can't be passed back into the vlan code. I'm doing that now,
but in about 15 minutes I have to leave, and I'll be on
leave for 6 days. At home, and possibly looking into this problem,
but not at my desk working sensible hours.
.
As for 2 (PVLAN jumping). I haven't looked into that yet but
it seems quite plausible.
.
dannf> Horms believes these to be protocol bugs - they are legal
dannf> things to do. Therefore, we're gonna ignore them for the sarge2
dannf> series of kernels & follow what upstream does.
Bugs:
upstream:
linux-2.6:
2.6.8-sarge-security: ignored (2.6.8-16sarge5)
2.4.27-sarge-security: ignored (2.4.27-10sarge4)
2.6.18-etch-security: