lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F7B4DB06AE107245994FAF8527EAB9331DF2B79B@HQMailDAG1.avp.ru>
Date: Tue, 5 Mar 2013 13:04:33 +0000
From: Vulnerability Mailbox <Vulnerability@...persky.com>
To: "Marc Heuse \(mh@...sec.de\)" <mh@...sec.de>,
  "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
  "vuln@...unia.com" <vuln@...unia.com>
CC: "noloader@...il.com" <noloader@...il.com>,
  Full Disclosure <full-disclosure@...ts.grok.org.uk>,
  IPv6 Hackers Mailing List <ipv6hackers@...ts.si6networks.com>,
  Vulnerability Mailbox <Vulnerability@...persky.com>
Subject: RE: [Full-disclosure] Remote system freeze thanks to Kaspersky
 Internet Security 2013 (SA52053)

Hello, Marc, colleagues,
We confirm bug that could result in system freeze existed in kneps system  driver. Private fix is available right now, patch via automatic product update pending release.

Best regards, 

Vulnerability response | Kaspersky Lab
tel: +7 495 7978700 | Vulnerability@...persky.com
Olimpia Park, bld.3, 39A, Lengradskoe sh., Moscow, Russia, 125212 | www.kaspersky.com,  www.securelist.com


-----Original Message-----
From: Jeffrey Walton [mailto:noloader@...il.com] 
Sent: Monday, March 04, 2013 10:04 AM
To: Vulnerability Mailbox; Vulnerability Mailbox
Subject: Fwd: [Full-disclosure] Remote system freeze thanks to Kaspersky Internet Security 2013

---------- Forwarded message ----------
From: Marc Heuse < >
Date: Mon, Mar 4, 2013 at 1:01 AM
Subject: [Full-disclosure] Remote system freeze thanks to Kaspersky Internet Security 2013
To: "bugtraq@...urityfocus.com" < >, Full Disclosure <full-disclosure@...ts.grok.org.uk>, IPv6 Hackers Mailing List <ipv6hackers@...ts.si6networks.com>

I usually do not write security advisories unless absolutely necessary.

This time I should, however I have neither the time, nor the desire to do so.
But Kaspersky did not react, so ... quick and dirty:

Kaspersky Internet Security 2013 (and any other Kaspersky product which includes the firewall funcionality) is susceptible to a remote system freeze.
As of the 3rd March 2013, the bug is still unfixed.

If IPv6 connectivity to a victim is possible (which is always the case on local networks), a fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system.
No log message or warning window is generated, nor is the system able to perform any task.

To test:
  1. download the thc-ipv6 IPv6 protocol attack suite for Linux from
www.thc.org/thc-ipv6
  2. compile the tools with "make"
  3. run the following tool on the target:
        firewall6 <interface> <target> <port> 19
     where interface is the network interface (e.g. eth0)
           target is the IPv6 address of the victim (e.g. ff02::1)
           port is any tcp port, doesnt matter which (e.g. 80)
       and 19 is the test case number.
     The test case numbers 18, 19, 20 and 21 lead to a remote system freeze.

Solution: Remove the Kaspersky Anti-Virus NDIS 6 Filter from all network interfaces or uninstall the Kaspersky software until a fix is provided.

The bug was reported to Kaspersky first on the 21st January 2013, then reminded on the 14th Feburary 2013.
No feedback was given by Kaspersky, and the reminder contained a warning that without feedback the bug would be disclosed on this day. So here we are.

Greets,
Marc Heuse

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ