JVNDB-2014-000134

BSD Operating Systems vulnerable to denial-of-service (DoS)

Overview

BSD operating systems contain an issue in the handling of the TCP session timer, which may lead to a denial-of-service (DoS) vulnerability.

Hiroki Takakura reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial

Affected Products

Operating systems that implement the BSD IP stack based on Net/2 are affected by this vulnerability.

FreeBSD version 5.4 has been confirmed to be vulnerable.

FreeBSD Project.
  • FreeBSD

Impact

When a specially crafted packet from a malicious server is received, a condition where client resources are not released may occur. As a result, clients using an OS listed under "Affected Products" may be vulnerable to a denial-of-service (DoS) attack.

Solution

[Apply an Update]
Update to the latest version according to the information provided by the OS developer or distributor.

Vendor Information

  • FreeBSD Project.
  • NetBSD Foundation, Inc.
  • OpenBSD

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-7250

References

  1. JVN : JVN#07930208
  2. National Vulnerability Database (NVD) : CVE-2014-7250

Revision History

[2014/11/21]
  Web page was published
[2014/11/27]
  Overview was modified
[2014/12/16]
  References : Content was added