Signature Detail

TCP: Zero Option Length

This protocol anomaly triggers when it detects an option with a specified length of zero (which is invalid). Because this can be an attempt to force a vulnerable TCP stack into an infinite loop, it is recommended to drop these packets.

Extended Description

Roaring Penguin Software's PPPoE is a freeware PPP over Ethernet client often used by ADSL subscribers running Linux or NetBSD. PPPoE contains a possibly remotely exploitable denial of service vulnerability in its handling of TCP packets when the Clamp_MSS option is used. If PPPoE recieves a malformed TCP packet with a "zero-length option", PPPoE will go into an infinite loop. As a result, the ppp connection being supported by PPPoE will time out and be terminated. A manual re-start is needed to regain functionality. This bug has been fixed by Roaring Penguin Software in a new version, see the solutions section.

Affected Products

• Red_hat linux 7.0.0
• Roaring_penguin_software pppoe 2.0.0
• Roaring_penguin_software pppoe 2.1.0
• Roaring_penguin_software pppoe 2.2.0
• Roaring_penguin_software pppoe 2.3.0
• Roaring_penguin_software pppoe 2.4.0

References

• BugTraq: 2098
• CVE: CVE-2001-0026