Vulnerability Note VU#222750

TCP/IP implementations do not adequately validate ICMP error messages

Original Release date: 13 Apr 2005 | Last revised: 22 Apr 2008

Overview

Multiple TCP/IP implementations do not adequately validate ICMP error messages. A remote attacker could cause TCP connections to drop or be degraded using spoofed ICMP error messages.

Description

A number of widely accepted Internet standards describe different aspects of the relationships between the Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP). In particular, RFC 1122 explains how TCP should respond to ICMP messages: 


4.2.3.9  ICMP Messages

            TCP MUST act on an ICMP error message passed up from the IP
            layer, directing it to the connection that created the
            error.  The necessary demultiplexing information can be
            found in the IP header contained within the ICMP message.

            o    Source Quench

                 TCP MUST react to a Source Quench by slowing
                 transmission on the connection.  The RECOMMENDED
                 procedure is for a Source Quench to trigger a "slow
                 start," as if a retransmission timeout had occurred.

            o    Destination Unreachable -- codes 0, 1, 5

                 Since these Unreachable messages indicate soft error
                 conditions, TCP MUST NOT abort the connection, and it
                 SHOULD make the information available to the
                 application.

                 DISCUSSION:
                      TCP could report the soft error condition directly
                      to the application layer with an upcall to the
                      ERROR_REPORT routine, or it could merely note the
                      message and report it to the application only when
                      and if the TCP connection times out.

            o    Destination Unreachable -- codes 2-4

                 These are hard error conditions, so TCP SHOULD abort
                 the connection.

            o    Time Exceeded -- codes 0, 1

                 This should be handled the same way as Destination
                 Unreachable codes 0, 1, 5 (see above).

            o    Parameter Problem

                 This should be handled the same way as Destination
                 Unreachable codes 0, 1, 5 (see above).

An ICMP message contains the IP header and the first 8 bytes of the transport layer (TCP) segment that caused the error condition (this covers IP and TCP header information). In order to match an ICMP message to a TCP connection, TCP stack implementations generally match the source and destination TCP port and IP address four-tuple from the data returned in the ICMP message. An attacker who knows or can guess this four-tuple can create spoofed ICMP messages. By setting ICMP types and codes to indicate hard or soft error conditions, the attacker may be able to cause valid TCP connections to be reset or degraded. An attacker may also be able to take advantage of path MTU discovery functionality by spoofing ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed but Don't Fragment Bit Set) messages and lowering the MTU for a connection (this is described in section 8 of RFC 1191).

Note that any protocols that use path MTU discovery and state-based transport layer protocols other than TCP could also be affected.

Further details about this vulnerability are available in an IETF Internet Draft titled "ICMP attacks against TCP" authored by Fernando Gont.

Impact

A remote attacker could cause TCP connections to drop or be degraded using spoofed ICMP error messages. Applications that depend on on long-lived, low latency, or high throughput TCP connections may not function correctly on a degraded TCP connection. In order to spoof an ICMP message, an attacker would need to know or guess the source and destination TCP port and IP address four-tuple. The Border Gateway Protocol (BGP) is of paticular concern since it relies on long-lived TCP connections (VU#415294), uses well-known source and destination ports, provides critical network and Internet routing information, and may require a non-trivial period of time to recover from a sustained attack.

Solution

Upgrade or apply a patch
Upgrade or apply a patch according to vendor instructions. Note that changes made by upgrades or patches may not completely defend against spoofed ICMP attacks. Consult vendor documentation for information on changes to ICMP message handling. Consider the general and attack-specific countermeasures discussed in the Gont I-D. Some of the countermesures include validating TCP sequence and acknowledgement numbers contained in ICMP messages, improving TCP ephemeral port number randomization, changing the response to or ignoring certain ICMP messages, and delaying connection resets. Note that different countermeasures have different constraints and may negatively impact TCP operations.

Filter ICMP messages

Filter ICMP messages based on type and code at network borders. Allow only ICMP messages that are necessary for proper operation.

IPsec and TCP MD5

Note that TCP MD5 does not provide authentication for ICMP messages. Current IPsec specifications do not define how IPsec implementations should handle ICMP messages destined for authenticated TCP connections.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
AlcatelAffected12 Aug 200408 Sep 2005
Allied Telesyn InternationalAffected-29 Apr 2005
Cisco Systems, Inc.Affected12 Aug 200412 Apr 2005
Extreme NetworksAffected12 Aug 200421 Apr 2005
F5 Networks, Inc.Affected12 Aug 200403 May 2005
Hewlett-Packard CompanyAffected12 Aug 200408 Sep 2005
HitachiAffected12 Aug 200408 Sep 2005
IBM CorporationAffected12 Aug 200412 Apr 2005
Juniper Networks, Inc.Affected12 Aug 200405 May 2005
Microsoft CorporationAffected12 Aug 200429 Apr 2005
NetfilterAffected12 Aug 200429 Apr 2005
Network ApplianceAffected12 Aug 200411 Apr 2005
Nortel Networks, Inc.Affected12 Aug 200408 Sep 2005
OpenBSDAffected12 Aug 200421 Apr 2005
Red Hat, Inc.Affected12 Aug 200412 Apr 2005
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Information about the security risks of ICMP messages has been known for some time (RFC 1191 was published in 1990). More recent work by Fernando Gont (Universidad Tecnológica Nacional - Facultad Regional Haedo) describes different types of ICMP attacks against TCP and proposes a number of defense techniques. Gont's research is documented in an IETF Internet Draft titled "ICMP attacks against TCP" (revision 3 as of this writing). Jonathan Looney researched and reported a specific ICMP attack that affects TCP connections on Microsoft Windows systems.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 12 Apr 2005
  • Date First Published: 13 Apr 2005
  • Date Last Updated: 22 Apr 2008
  • Severity Metric: 12.48
  • Document Revision: 90

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.