Red Hat, Inc. Information for VU#222750
TCP/IP implementations do not adequately validate ICMP error messages
CAN-2004-0790: A blind TCP connection reset
Red Hat Enterprise Linux 2.1 and 3 kernels have always verified the TCP sequence number on ICMP errors. In addition Linux kernels will never abort a connection due to a received ICMP packet. All Red Hat Enterprise Linux versions are therefore unaffected by this issue.
CAN-2004-0791: A spoofing attack with ICMP type 4 header
Red Hat Enterprise Linux 2.1 and 3 kernels prior to January 2005 honour ICMP Source Quench messages, although the TCP sequence number is checked which substantially increases the amount of effort an attacker would need to be able to cause a sucessful attack. ICMP Source Quench messages were disabled completely by the following updates:
CAN-2004-1060: ICMP path MTU spoofing
Red Hat Enterprise Linux 2.1 and 3 kernels verify the sequence number on ICMP errors, thus significantly mitigating this issue. This issue can also be mitigated by disabling pmtu discovery if not required (/proc/sys/net/ipv4/ip_no_pmtu_disc)
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.
If you have feedback, comments, or additional information about this vulnerability, please send us email.