Netfilter Information for VU#222750

TCP/IP implementations do not adequately validate ICMP error messages



Vendor Statement

The Linux kernel TCP/IP implementation has always been verifying the TCP sequence number embedded into the ICMP packet, and Linux end hosts are thus not affected by this vulnerability.

As for non-Linux machines protected by a netfilter/iptables firewall: netfilter/iptables did not implement TCP sequence number (aka window) tracking at all until linux-2.6.9.

However, even in Linux >= 2.6.9, the check for RELATED ICMP packets does not verify the TCP sequence number of the encapsulated packet.

Implementation of such a check is scheduled for inclusion into the 2.6.11 Linux kernel.
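The check the statement above refers to is a window test on the sequence number quoted inside the ICMP error: an ICMP error that quotes a TCP segment is only honoured if that segment's sequence number lies within the range the local endpoint currently has in flight, SND.UNA <= SEG.SEQ < SND.NXT (the form later written up in RFC 5927). The following is an added, stand-alone illustration of that check and is not netfilter, iptables or Linux kernel code. The struct layout, the verdict enum, the sample connection state and the ICMP packet it builds are all constructed for the example; checksums are not verified, and the builder only emits a type 3 / code 4 (fragmentation needed) error with the minimum 8 bytes of quoted TCP header that RFC 792 requires.

```c
/* Sequence-number validation of ICMP errors that quote a TCP segment.
 * Added example; not netfilter, iptables or Linux kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Connection state the check needs, in host byte order (RFC 793 names). */
struct tcp_conn {
    uint32_t local_ip, remote_ip;
    uint16_t local_port, remote_port;
    uint32_t snd_una;   /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;   /* next sequence number to be sent */
};

enum verdict { V_ACCEPT, V_IGNORE, V_MALFORMED, V_NO_CONN, V_BAD_SEQ };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* Modular comparisons so the window test survives 32-bit wraparound. */
static int seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* ICMP types that quote the offending datagram: destination unreachable (3),
 * source quench (4), time exceeded (11), parameter problem (12). */
static int is_icmp_error(uint8_t type) { return type == 3 || type == 4 || type == 11 || type == 12; }

enum verdict validate_icmp_error(const uint8_t *pkt, size_t len, const struct tcp_conn *c)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return V_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return V_MALFORMED;
    if (pkt[9] != 1) return V_IGNORE;                 /* outer datagram is not ICMP */
    const uint8_t *icmp = pkt + ihl;
    if (!is_icmp_error(icmp[0])) return V_IGNORE;     /* echo etc. quote nothing */

    /* RFC 792: the quoted datagram follows the 8-byte ICMP header and carries the
     * original IP header plus at least 8 bytes of its payload, which for TCP is
     * exactly source port, destination port and sequence number. */
    const uint8_t *in = icmp + 8;
    size_t inlen = len - ihl - 8;
    if (inlen < 20 || (in[0] >> 4) != 4) return V_MALFORMED;
    size_t iihl = (size_t)(in[0] & 0x0f) * 4;
    if (iihl < 20 || inlen < iihl + 8) return V_MALFORMED;
    if (in[9] != 6) return V_IGNORE;                  /* quoted datagram is not TCP */

    /* The quoted datagram was sent by this host, so its source is our endpoint. */
    const uint8_t *tcp = in + iihl;
    if (rd32(in + 12) != c->local_ip || rd32(in + 16) != c->remote_ip ||
        rd16(tcp) != c->local_port || rd16(tcp + 2) != c->remote_port)
        return V_NO_CONN;

    /* SND.UNA <= SEG.SEQ < SND.NXT: only a segment still in flight can have caused
     * the error, so knowing the 4-tuple alone is not enough to forge one. */
    uint32_t seq = rd32(tcp + 4);
    if (!(seq_leq(c->snd_una, seq) && seq_lt(seq, c->snd_nxt))) return V_BAD_SEQ;
    return V_ACCEPT;
}

/* Build a constructed type 3 / code 4 error from router_ip quoting a segment of
 * connection c with sequence number seq. Checksums are left zero (not verified
 * here). Returns the packet length: 20 + 8 + 20 + 8 = 56 bytes. */
size_t build_icmp_error(uint8_t *buf, uint32_t router_ip, const struct tcp_conn *c, uint32_t seq)
{
    memset(buf, 0, 56);
    buf[0] = 0x45; wr16(buf + 2, 56); buf[8] = 64; buf[9] = 1;
    wr32(buf + 12, router_ip); wr32(buf + 16, c->local_ip);
    uint8_t *icmp = buf + 20;
    icmp[0] = 3; icmp[1] = 4; wr16(icmp + 6, 576);   /* next-hop MTU */
    uint8_t *in = icmp + 8;
    in[0] = 0x45; wr16(in + 2, 1500); in[8] = 63; in[9] = 6;
    wr32(in + 12, c->local_ip); wr32(in + 16, c->remote_ip);
    uint8_t *tcp = in + 20;
    wr16(tcp, c->local_port); wr16(tcp + 2, c->remote_port); wr32(tcp + 4, seq);
    return 56;
}

/* Constructed connections: 192.0.2.10:40000 -> 198.51.100.7:80 with bytes
 * 1000..4999 in flight, and one whose in-flight window straddles wraparound. */
static const struct tcp_conn demo_conn = { 0xC000020AU, 0xC6336407U, 40000, 80, 1000, 5000 };
static const struct tcp_conn wrap_conn = { 0xC000020AU, 0xC6336407U, 40000, 80, 0xFFFFFF00U, 0x00000100U };

/* Build an error quoting seq against c and validate it, optionally truncated. */
enum verdict check_quoted_seq(const struct tcp_conn *c, uint32_t seq, size_t truncate_to)
{
    uint8_t pkt[64];
    size_t n = build_icmp_error(pkt, 0xC0000201U, c, seq);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return validate_icmp_error(pkt, n, c);
}

int main(void)
{
    static const char *name[] = { "accept", "ignore", "malformed", "no-conn", "bad-seq" };
    printf("in-flight seq 2500: %s\n", name[check_quoted_seq(&demo_conn, 2500, 0)]);
    printf("forged seq 9000:    %s\n", name[check_quoted_seq(&demo_conn, 9000, 0)]);
    printf("truncated quote:    %s\n", name[check_quoted_seq(&demo_conn, 2500, 40)]);
    printf("wrapped seq 0x10:   %s\n", name[check_quoted_seq(&wrap_conn, 0x10, 0)]);
    return 0;
}
```

A firewall doing connection tracking on behalf of other hosts can apply the same test, but only if it tracks SND.UNA/SND.NXT for the connection; the statement above notes that netfilter had no sequence tracking at all before 2.6.9, so for such a middlebox the 4-tuple match in the RELATED check was the only filter. Note also the strict range: when nothing is in flight (SND.UNA == SND.NXT) every quoted sequence number is rejected, which is the intended fail-safe behaviour for an endpoint that has nothing the error could apply to.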

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.