SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#471084

Linux kernel IP stack incorrectly calculates size of an ICMP citation for ICMP errors

Overview

The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.

I. Description

The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the calculation of the size for an ICMP citation. A citation is created for ICMP error responses. This miscalculation may lead to random data stored in memory being returned in the response.

This vulnerability could be used by an attacker to gain sensitive information about the system, which may aid in an attack.

II. Impact

Sensitive information may be leaked to an attacker.

III. Solution

Upgrade or apply a patch as necessary. Please see the vendor Section to determine if your product is vulnerable.

Systems Affected

VendorStatusDate Updated
Check PointNot Vulnerable3-Jun-2003
ClavisterNot Vulnerable3-Jun-2003
FujitsuNot Vulnerable26-Jun-2003
HitachiNot Vulnerable11-Jun-2003
Ingrian NetworksNot Vulnerable3-Jun-2003
NetscreenNot Vulnerable3-Jun-2003
NovellNot Vulnerable3-Jun-2003
Secure Computing CorporationNot Vulnerable26-Jun-2003
StonesoftNot Vulnerable3-Jun-2003
Sun Microsystems Inc.Not Vulnerable3-Jun-2003
Symantec CorporationNot Vulnerable3-Jun-2003
WatchGuardVulnerable14-Oct-2003

References


http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
http://www.secunia.com/advisories/8991/
http://www.iss.net/security_center/static/12223.php

Credit

Thanks to Philippe Biondi of Cartel Security for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

Date Public06/09/2003
Date First Published06/09/2003 11:34:14 AM
Date Last Updated10/14/2003
CERT Advisory 
CVE-ID(s) 
NVD-ID(s) 
US-CERT Technical Alerts 
Metric1.37
Document Revision5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader