Wind River Systems, Inc. Information for VU#222750
TCP/IP implementations do not adequately validate ICMP error messages
- Vendor Information Help Date Notified: 12 Aug 2004
- Statement Date:
- Date Updated: 12 Apr 2005
In all releases after VxWorks 5.3 a hard error does not result in TCP aborting the connection. The hard error code is saved by TCP. If the connection is dropped due to a timeout this error code is available to the application. Wind River Network Stack 2.0 already checks the ICMP sequence numbers. The release of VxWorks 6.0 and the MSP updates shipping in the fall of 2004 are based on this stack.
Wind River is planning updates to the VxWorks 5.5 and 5.4 versions of the stack that will include the fix for ICMP. These updates are planned for 2005.
The vendor has not provided us with any further information regarding this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send us email.