CVE-2018-6918

In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, the length field of the ipsec option header does not count the size of the option header itself, causing an infinite loop when the length is zero. This issue can allow a remote attacker who is able to send an arbitrary packet to cause the machine to crash.
Infinite Loop
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
freebsdCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 88%
VendorProductVersion
freebsdfreebsd
10.0 ≤
𝑥
< 10.4
freebsdfreebsd
11.0 ≤
𝑥
< 11.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://seclists.org/fulldisclosure/2019/Jun/6
http://www.securityfocus.com/bid/103666
http://www.securitytracker.com/id/1040628
https://seclists.org/bugtraq/2019/May/77
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc
https://support.apple.com/kb/HT210090
https://support.apple.com/kb/HT210091
http://seclists.org/fulldisclosure/2019/Jun/6
http://www.securityfocus.com/bid/103666
http://www.securitytracker.com/id/1040628
https://seclists.org/bugtraq/2019/May/77
https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc
https://support.apple.com/kb/HT210090
https://support.apple.com/kb/HT210091