#VU40881 Input validation error
Vulnerability identifier: #VU40881
Vulnerability risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
pfsense
Server applications /
IDS/IPS systems, Firewalls and proxy servers
Debian Linux
Operating systems & Components /
Operating system
FreeBSD
Operating systems & Components /
Operating system
Vendor:
Rubicon Communications
Debian
FreeBSD Foundation
Description
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
pfsense: 2.2.1
Debian Linux: 2.2.1 - 7.0
FreeBSD: 2.2.1 - 10.1
External links
http://www.debian.org/security/2015/dsa-3175
http://www.securityfocus.com/bid/72777
http://www.securitytracker.com/id/1031798
http://kc.mcafee.com/corporate/index?page=content&id=SB10107
http://www.freebsd.org/security/advisories/FreeBSD-SA-15:04.igmp.asc
http://www.pfsense.org/security/advisories/pfSense-SA-15_02.igmp.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
