WatchGuard Information for VU#471084

Linux kernel IP stack incorrectly calculates size of an ICMP citation for ICMP errors



Vendor Statement

We have done further analysis in conjunction w/ the reporter and have found the following.

Our earlier tests conducted with a tool supplied by the reporter indicated that the information leak was limited to 18 bytes every 30 seconds. We have done further analysis in conjunction w/ the reporter using a different tool and have found the following:

Each instance of an attack would generate a copy of whatever was in the effected buffer. Unless the size of the ICMP payload changes from request to request it'll copy the same address in memory over and over again sending out whatever happens to be in that buffer at that instant. In our testing we observed that much of the data being leaked is the same. As the size of the payload changes, so does the address range within this buffer that the vulnerability effects.

We expect to have the fix available to customers by August 6th through WatchGuard's regular software distribution channels.

Please direct any questions regarding this or any other security issue with WatchGuard products to

Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.