An attacker can create specially crafted and fragmented IGMPv3 query report, which may result in the victim transmitting undefined buffer content. The IGMPv3 reception handler does not expect packets to be spread across multiple IP fragments. A prerequisite for exploiting this vulnerability is that the victim system has at least one IPv4 multicast address assigned. That prerequisite is almost always fulfilled, as all multicast-capable hosts are required to listen to the all-multicast-hosts address, 224.0.0.1. Attacks against link local multicast addresses, such as 224.0.0.1, allow an attacker on the LAN to make the victim system transmit data to the network that has not been properly set. Specifically, the data transmitted from the network might be information from packets previously received or sent by the network stack.
Tag: IGMP
ASA-2019-00499 – Wind River VxWorks: Denial of Service (DoS) via NULL dereference in IGMP parsing
This vulnerability require that the TCP/IP-stack is assigned a multicast address the API intended for assigning unicast addresses or something with the same logical flaw is a prerequisite. This vulnerability requires that at least one IPv4 multicast address has been assigned to the target in an incorrect way, i.e., using the API intended for assigning unicast addresses. It is not possible to exploit for multicast addresses added with the proper API, i.e., setsockopt(). An attacker may use CVE-2019-12264 to incorrectly assign a multicast IP address. An attacker on the same LAN as the victim system may use this vulnerability to cause a NULL pointer dereference, which most likely will crash the tNet0 task.