Netfilter Information for VU#222750
TCP/IP implementations do not adequately validate ICMP error messages
The Linux kernel TCP/IP implementation has always verified the TCP sequence number embedded in the ICMP packet, and Linux end hosts are thus not affected by this vulnerability.
As for non-Linux machines protected by a netfilter/iptables firewall: netfilter/iptables did not implement TCP sequence number (aka window) tracking at all until linux-2.6.9.
However, even in linux >= 2.6.9, the check for RELATED ICMP packets does not verify the TCP sequence number of the encapsulated packet.
Implementation of such a check is scheduled for inclusion in the Linux 2.6.11 kernel.
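The missing check the statement describes, as an added example written for this page (not netfilter's or the kernel's own code): a simplified conntrack-style flow record and an ICMPv4 error parser, with the tuple-only RELATED test beside the tuple-plus-sequence test. The flow fields, `seq_between` (modelled on the kernel's wrap-safe between()) and the constructed packets are this example's assumptions.

```python
import struct

# Constructed sample of a tracked TCP flow (field names are this example's own,
# not netfilter's): snd_una = oldest unacknowledged seq, snd_nxt = next seq to send.
FLOW = {"src": "10.0.0.2", "dst": "192.0.2.10", "sport": 40000, "dport": 80,
        "snd_una": 1000, "snd_nxt": 1100}

# Dest. unreachable, source quench, redirect, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def seq_between(seq, lo, hi):
    """True if lo <= seq <= hi in 32-bit modular arithmetic (wrap-safe)."""
    return ((hi - lo) & 0xFFFFFFFF) >= ((seq - lo) & 0xFFFFFFFF)

def parse_icmp_error(icmp):
    """Return (src, dst, sport, dport, seq) of the datagram embedded in an ICMPv4
    error message, or None if it is not an error carrying a TCP header."""
    if len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]                      # embedded original IPv4 datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:   # proto TCP, 8 transport bytes (RFC 792)
        return None
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return src, dst, sport, dport, seq

def icmp_error_is_related(icmp, flow, check_seq=True):
    """check_seq=False is the tuple-only match; True additionally requires the
    embedded seq to lie within the flow's in-flight window [snd_una, snd_nxt]."""
    parsed = parse_icmp_error(icmp)
    if parsed is None:
        return False
    src, dst, sport, dport, seq = parsed
    if (src, dst, sport, dport) != (flow["src"], flow["dst"], flow["sport"], flow["dport"]):
        return False
    return not check_seq or seq_between(seq, flow["snd_una"], flow["snd_nxt"])

def build_icmp_error(src, dst, sport, dport, seq, icmp_type=3, code=3):
    """Constructed test datagram: ICMP header + embedded IPv4 header + 8 TCP bytes
    (checksums left zero; they are irrelevant to the sequence check)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)

if __name__ == "__main__":
    for seq in (1050, 999999):   # in-window vs. guessed-wrong sequence number
        pkt = build_icmp_error("10.0.0.2", "192.0.2.10", 40000, 80, seq)
        print(seq, "tuple-only:", icmp_error_is_related(pkt, FLOW, check_seq=False),
              "with seq check:", icmp_error_is_related(pkt, FLOW))
```

With the tuple-only rule both packets are accepted as RELATED; with the sequence check only the in-window one is.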
The vendor has not provided us with any further information regarding this vulnerability.
US-CERT has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us an email.