Fedora Project Information for VU#222750
TCP/IP implementations do not adequately validate ICMP error messages
CAN-2004-0790: A blind TCP connection reset by sending
The Linux 2.4 and 2.6 kernels have always verified the TCP sequence number on ICMP errors. In addition, Linux kernels will never abort a connection due to a received ICMP packet. All Fedora Core versions are therefore unaffected by this issue.
CAN-2004-0791: A spoofing attack with ICMP type 4 header
The Linux kernel since 2.6.9 and 2.4.28 has included a patch by Dave Miller to ignore ICMP Source Quench messages as recommended by Fernando Gont. Fedora Core 3 shipped with a 2.6.9 kernel which ignores ICMP Source Quench messages. Fedora Core 2 was updated to a 2.6.9 kernel in a November 2004 update and is therefore also unaffected by this issue.
CAN-2004-1060: ICMP path MTU spoofing
Linux 2.4 and 2.6 kernels verify the sequence number on ICMP errors, thus significantly mitigating this issue. This issue can also be mitigated by disabling PMTU discovery if not required (/proc/sys/net/ipv4/ip_no_pmtu_disc).
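The sequence number verification mentioned in the statement above can be sketched as follows. This is an added example, not Fedora's or the Linux kernel's own code: the struct conn layout, the verdict names, the demo() helper and the addresses are assumptions constructed for illustration. It accepts an ICMP error only if the quoted TCP header belongs to the connection and its sequence number lies between snd_una and snd_nxt.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical connection state; field names are assumptions, not kernel structs. */
struct conn { uint32_t saddr, daddr; uint16_t sport, dport; uint32_t snd_una, snd_nxt; };
enum verdict { ICMP_ACCEPT, ICMP_MALFORMED, ICMP_WRONG_CONN, ICMP_BAD_SEQ };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Validate an ICMP error (icmp = start of ICMP header) against one connection. */
enum verdict check_icmp_error(const struct conn *c, const uint8_t *icmp, size_t len) {
    if (len < 8 + 20) return ICMP_MALFORMED;
    const uint8_t *ip = icmp + 8;              /* quoted IP header of our own packet */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ip[0] >> 4 != 4 || ihl < 20 || len < 8 + ihl + 8) return ICMP_MALFORMED;
    const uint8_t *tcp = ip + ihl;             /* first 8 bytes: ports + sequence */
    if (ip[9] != 6 || rd32(ip + 12) != c->saddr || rd32(ip + 16) != c->daddr ||
        rd16(tcp) != c->sport || rd16(tcp + 2) != c->dport) return ICMP_WRONG_CONN;
    /* Wraparound-safe test for snd_una <= seq <= snd_nxt (mod 2^32). */
    uint32_t seq = rd32(tcp + 4);
    if (c->snd_nxt - c->snd_una < seq - c->snd_una) return ICMP_BAD_SEQ;
    return ICMP_ACCEPT;
}

/* Constructed sample: type 3 code 4 ("fragmentation needed") quoting sequence seq,
   checked against a connection with the given send window; len allows truncation. */
enum verdict demo(uint32_t snd_una, uint32_t snd_nxt, uint32_t seq, size_t len) {
    struct conn c = { 0xC0000201u, 0xC6336402u, 40000, 80, snd_una, snd_nxt };
    uint8_t b[36] = { 3, 4, 0, 0, 0, 0, 0x02, 0x40 };   /* next-hop MTU 576 */
    uint8_t *ip = b + 8, *tcp = ip + 20;
    ip[0] = 0x45; ip[9] = 6;
    wr32(ip + 12, c.saddr); wr32(ip + 16, c.daddr);
    wr32(tcp, (uint32_t)c.sport << 16 | c.dport); wr32(tcp + 4, seq);
    return check_icmp_error(&c, b, len);
}

int main(void) {
    printf("in window: %d, outside window: %d\n",
           demo(1000, 5000, 3000, 36), demo(1000, 5000, 9000, 36));
    return 0;
}
```

An ICMP error whose quoted sequence number falls outside the data currently in flight is discarded, so a sender who cannot observe the connection has to match the addresses, the ports and that narrow window at the same time.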
The vendor has not provided us with any further information regarding this vulnerability.
Please see http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en.