CVE-2018-6918 Information

Description

In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the IPsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://seclists.org/fulldisclosure/2019/Jun/6
http://www.securityfocus.com/bid/103666
http://www.securitytracker.com/id/1040628
https://seclists.org/bugtraq/2019/May/77
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc
https://support.apple.com/kb/HT210090
https://support.apple.com/kb/HT210091

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

7.5

Base Severity

HIGH
