In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the ipsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2019/Jun/6 | |
http://www.securityfocus.com/bid/103666 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1040628 | Third Party Advisory VDB Entry |
https://seclists.org/bugtraq/2019/May/77 | |
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc | Vendor Advisory |
https://support.apple.com/kb/HT210090 | |
https://support.apple.com/kb/HT210091 |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: freebsd
Published: 2018-04-04T00:00:00
Updated: 2019-06-20T20:06:04
Reserved: 2018-02-12T00:00:00
Link: CVE-2018-6918
JSON object: View
NVD Information
Status : Modified
Published: 2018-04-04T14:29:00.293
Modified: 2019-10-03T00:03:26.223
Link: CVE-2018-6918
JSON object: View
Redhat Information
No data.
CWE