Red Hat, Inc. Information for VU#222750

TCP/IP implementations do not adequately validate ICMP error messages

Status

Affected

Vendor Statement

CAN-2004-0790: A blind TCP connection reset

Red Hat Enterprise Linux 2.1 and 3 kernels have always verified the TCP sequence number on ICMP errors. In addition Linux kernels will never abort a connection due to a received ICMP packet. All Red Hat Enterprise Linux versions are therefore unaffected by this issue.

CAN-2004-0791: A spoofing attack with ICMP type 4 header

Red Hat Enterprise Linux 2.1 and 3 kernels prior to January 2005 honour ICMP Source Quench messages, although the TCP sequence number is checked which substantially increases the amount of effort an attacker would need to be able to cause a sucessful attack. ICMP Source Quench messages were disabled completely by the following updates:


CAN-2004-1060: ICMP path MTU spoofing

Red Hat Enterprise Linux 2.1 and 3 kernels verify the sequence number on ICMP errors, thus significantly mitigating this issue. This issue can also be mitigated by disabling pmtu discovery if not required (/proc/sys/net/ipv4/ip_no_pmtu_disc)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

Please see http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.

If you have feedback, comments, or additional information about this vulnerability, please send us email.