The extension parser in slp_v2message.c in OpenSLP 1.2.1, and other versions before SVN revision 1647, as used in Service Location Protocol daemon (SLPD) in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, allows remote attackers to cause a denial of service (infinite loop) via a packet with a "next extension offset" that references this extension or a previous extension. NOTE: some of these details are obtained from third party information.

The remote host is affected by the vulnerability described in GLSA-201707-05 (OpenSLP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in OpenSLP. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition or       have other unspecified impacts.
  Workaround :

    There is no known workaround at this time.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries :

  - bind
  - pam
  - popt
  - rpm
  - rpm-libs
  - rpm-python
  - Service Location Protocol daemon (SLPD)

Several issues have been found and solved in OpenSLP, that implements the Internet Engineering Task Force (IETF) Service Location Protocol standards protocol.

CVE-2010-3609

Remote attackers could cause a Denial of Service in the Service Location Protocol daemon (SLPD) via a crafted packet with a 'next extension offset'.

CVE-2012-4428

Georgi Geshev discovered that an out-of-bounds read error in the SLPIntersectStringList() function could be used to cause a DoS.

CVE-2015-5177

A double free in the SLPDProcessMessage() function could be used to cause openslp to crash.

For Debian 6 'Squeeze', these problems have been fixed in openslp-dfsg version 1.2.1-7.8+deb6u1.

We recommend that you upgrade your openslp-dfsg packages.

Learn more about the Debian Long Term Support (LTS) Project and how to apply these updates at: https://wiki.debian.org/LTS/

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

openslp: denial of service vulnerability (CVE-2010-3609)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

the openslp daemon could run into an endless loop when receiving specially crafted packets (CVE-2010-3609).

Updated openslp packages fix security vulnerability :

The extension parser in slp_v2message.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (infinite loop) via a packet with a next extension offset that references this extension or a previous extension (CVE-2010-3609).

A vulnerability has been discovered and corrected in openslp :

The extension parser in slp_v2message.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (infinite loop) via a packet with a next extension offset that references this extension or a previous extension (CVE-2010-3609).

The updated packages have been patched to correct this issue.

It was discovered that OpenSLP incorrectly handled certain corrupted messages. A remote attacker could send a specially crafted packet to the OpenSLP server and cause it to hang, leading to a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

a. Service Location Protocol daemon DoS

   This patch fixes a denial-of-service vulnerability in    the Service Location Protocol daemon (SLPD). Exploitation of this    vulnerability could cause SLPD to consume significant CPU    resources.

   VMware would like to thank Nicolas Gregoire and US CERT for    reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-3609 to this issue.

b. Service Console update for bind

   This patch updates the bind-libs and bind-utils RPMs to version    9.3.6-4.P1.el5_5.3, which resolves multiple security issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3613, CVE-2010-3614, and    CVE-2010-3762 to these issues.

c. Service Console update for pam

   This patch updates the pam RPM to pam_0.99.6.2-3.27.5437.vmw,    which resolves multiple security issues with PAM modules.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3316, CVE-2010-3435, and    CVE-2010-3853 to these issues.

d. Service Console update for rpm, rpm-libs, rpm-python, and popt

   This patch updates rpm, rpm-libs, and rpm-python RPMs to    4.4.2.3-20.el5_5.1, and popt to version 1.10.2.3-20.el5_5.1,    which resolves a security issue.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-2059 to this issue.

The openslp daemon could run into an endless loop when receiving specially crafted packets (CVE-2010-3609). This has been fixed.

Additionally the following non-security bugs were fixed :

  - 564504: Fix handling of DA answers if both active and     passive DA detection is off

  - 597215: Add configuration options to openSLP:
    net.slp.DASyncReg makes slpd query statically configured     DAs for registrations, net.slp.isDABackup enables     periodic writing of remote registrations to a backup     file which is also read on startup. Both options can be     used to decrease the time between the start of the slpd     daemon and slpd knowing all registrations.

  - 601002: reduce CPU usage spikes on machines with many     connections by using the kernel netlink interface     instead of reading the /proc filesystem.

  - 626444: Standard compliance was fixed by stripping     leading and trailing white spaces when doing string     comparisons of scopes.

The openslp daemon could run into an endless loop when receiving specially crafted packets. (CVE-2010-3609)

Additionally the following non-security bugs were fixed :

  - 564504: Fix handling of DA answers if both active and     passive DA detection is off

  - 597215: Add configuration options to openSLP:
    net.slp.DASyncReg makes slpd query statically configured     DAs for registrations, net.slp.isDABackup enables     periodic writing of remote registrations to a backup     file which is also read on startup. Both options can be     used to decrease the time between the start of the slpd     daemon and slpd knowing all registrations.

  - 601002: reduce CPU usage spikes on machines with many     connections by using the kernel netlink interface     instead of reading the /proc filesystem.

  - 626444: Standard compliance was fixed by stripping     leading and trailing white spaces when doing string     comparisons of scopes.

The openslp daemon could run into an endless loop when receiving specially crafted packets (CVE-2010-3609). This has been fixed.

Additionally the following non-security bugs were fixed :

  - This openSLP update extends the net.slp.isDABackup     mechanism introduced with the previous update by a new     configuration option 'DABackupLocalReg'.

  - This option tells the openslp server to also backup     local registrations. (bnc#597215)

  - In addition, standard compliance was fixed by stripping     leading and trailing white spaces when doing string     comparisons of scopes.

ID	Name	Product	Family	Severity
101336	GLSA-201707-05 : OpenSLP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
89675	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0004) (remote check)	Nessus	Misc.	high
85769	Debian DLA-304-1 : openslp-dfsg security update	Nessus	Debian Local Security Checks	high
83890	Fedora 20 : openslp-1.2.1-22.fc20 (2015-7561)	Nessus	Fedora Local Security Checks	medium
75689	openSUSE Security Update : openslp (openSUSE-SU-2010:0992-1)	Nessus	SuSE Local Security Checks	medium
66123	Mandriva Linux Security Advisory : openslp (MDVSA-2013:111)	Nessus	Mandriva Local Security Checks	medium
61986	Mandriva Linux Security Advisory : openslp (MDVSA-2012:141)	Nessus	Mandriva Local Security Checks	medium
55076	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openslp, openslp-dfsg vulnerability (USN-1118-1)	Nessus	Ubuntu Local Security Checks	medium
53785	openSUSE Security Update : openslp (openSUSE-SU-2010:0992-1)	Nessus	SuSE Local Security Checks	medium
53685	openSUSE Security Update : openslp (openSUSE-SU-2010:0992-1)	Nessus	SuSE Local Security Checks	medium
52582	VMSA-2011-0004 : VMware ESX/ESXi SLPD denial of service vulnerability and ESX third-party updates for Service Console packages bind, pam, and rpm.	Nessus	VMware ESX Local Security Checks	high
51628	SuSE 11.1 Security Update : openSLP (SAT Patch Number 3312)	Nessus	SuSE Local Security Checks	medium
50954	SuSE 11 Security Update : openslp (SAT Patch Number 3317)	Nessus	SuSE Local Security Checks	medium
50842	SuSE 10 Security Update : openslp (ZYPP Patch Number 7187)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2010-3609

high

Tenable Plugins

critical

high

high

medium

medium

medium

medium

medium

medium

medium

high

medium

medium

medium