search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Linux kernel IP stack incorrectly calculates size of an ICMP citation for ICMP errors

Vulnerability Note VU#471084

Original Release Date: 2003-06-09 | Last Revised: 2003-10-14

Overview

The Linux 2.0 kernel contains a vulnerability in the way it processes ICMP errors. This could lead to portions of memory being leaked to a malicious user.

Description

The Linux 2.0 kernel (versions 2.0 through 2.0.39 inclusive) contains an error in the calculation of the size for an ICMP citation. A citation is created for ICMP error responses. This miscalculation may lead to random data stored in memory being returned in the response.

This vulnerability could be used by an attacker to gain sensitive information about the system, which may aid in an attack.

Impact

Sensitive information may be leaked to an attacker.

Solution

Upgrade or apply a patch as necessary. Please see the vendor Section to determine if your product is vulnerable.

Vendor Information

471084
Expand all

WatchGuard

Updated:  October 14, 2003

Status

  Vulnerable

Vendor Statement

We have done further analysis in conjunction w/ the reporter and have found the following.

Our earlier tests conducted with a tool supplied by the reporter indicated that the information leak was limited to 18 bytes every 30 seconds. We have done further analysis in conjunction w/ the reporter using a different tool and have found the following:

Each instance of an attack would generate a copy of whatever was in the effected buffer. Unless the size of the ICMP payload changes from request to request it'll copy the same address in memory over and over again sending out whatever happens to be in that buffer at that instant. In our testing we observed that much of the data being leaked is the same. As the size of the payload changes, so does the address range within this buffer that the vulnerability effects.

We expect to have the fix available to customers by August 6th through WatchGuard's regular software distribution channels.

Please direct any questions regarding this or any other security issue with WatchGuard products to


Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.
++++++++++++++++++++++++++

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Check Point Software does not and has never supported the Linux 2.0 kernel, thus no versions of Check Point products are affected by this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Clavister Firewall: Not vulnerable

Clavister Firewall uses its own self-contained operating system and is, as such, not affected by Linux bugs.

It can, however, protect vulnerable linux machines by blocking ICMP errors and stripping the "Don't Fragment" bit of all packets that pass through it to avoid the Path MTU Discovery "black holes" that otherwise result from blocking ICMP errors.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Updated:  June 26, 2003

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#471084.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Updated:  June 11, 2003

Status

  Not Vulnerable

Vendor Statement

NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Ingrian Networks products are not vulnerable to VU#471084.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netscreen

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

NetScreen is not vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Novell has no products supported on the affected Linux kernel versions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation

Updated:  June 26, 2003

Status

  Not Vulnerable

Vendor Statement

The Sidewinder, Sidewinder G2, and Gauntlet firewalls are not based on Linux, and are thus not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Stonesoft

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Stonesoft's StoneGate high availability firewall and VPN product does not use the vulnerable version of Linux kernel and is thus not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

Sun is not vulnerable to this issue. None of our currently supported products use the 2.0.x series of Linux kernels. All of our current products use the 2.2.x or 2.4.x series of kernels.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec Corporation

Updated:  June 03, 2003

Status

  Not Vulnerable

Vendor Statement

We have evaluated our products and determined that none embed or has dependances on the vulnerable Linux kernel versions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Philippe Biondi of Cartel S e curity for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: None
Severity Metric: 1.37
Date Public: 2003-06-09
Date First Published: 2003-06-09
Date Last Updated: 2003-10-14 17:40 UTC
Document Revision: 5

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.