Multiple Vendor TCP/IP Implementation ICMP Remote Denial Of Service Vulnerabilities
BID:13124
Info
| Bugtraq ID: | 13124 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2004-1060 CVE-2004-0791 CVE-2004-0790 CVE-2005-0068 CVE-2005-0067 CVE-2005-0066 CVE-2005-0065 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 12 2005 12:00AM |
| Updated: | Dec 08 2006 07:54PM |
| Credit: | Discovery of these issues is credited to Fernando Gont. |
| Vulnerable: |
Windriver BSD/OS 5.0 Windriver BSD/OS 4.3.1 Windriver BSD/OS 4.2 WatchGuard SOHO Firewall 5.0.35 WatchGuard SOHO Firewall 5.0.31 WatchGuard SOHO Firewall 5.0.29 WatchGuard SOHO Firewall 5.0.28 WatchGuard SOHO Firewall 2.2.1 WatchGuard SOHO Firewall 2.1.3 WatchGuard SOHO Firewall 1.6 WatchGuard SOHO 2.2 WatchGuard ServerLock 2.0.4 WatchGuard ServerLock 2.0.3 WatchGuard ServerLock 2.0.2 WatchGuard ServerLock 2.0.1 WatchGuard ServerLock 2.0 WatchGuard FireboxII Firmware 4.6 WatchGuard FireboxII Firmware 4.5 WatchGuard FireboxII Firmware 4.4 WatchGuard FireboxII Firmware 4.3 WatchGuard FireboxII Firmware 4.2 WatchGuard FireboxII Firmware 4.1 WatchGuard FireboxII Firmware 4.0 WatchGuard Firebox V80 WatchGuard Firebox V60 WatchGuard Firebox V100 WatchGuard Firebox V10 WatchGuard Firebox II 4.5 WatchGuard Firebox II 4.1 WatchGuard Firebox Firmware 6.0 .b1140 WatchGuard Firebox Firmware 5.0 WatchGuard Firebox 4500 4.6 WatchGuard Firebox 4500 4.5 WatchGuard Firebox 2500 4.6 WatchGuard Firebox 2500 4.5 Symantec VelociRaptor 1300 1.5 Symantec VelociRaptor 1200 1.5 Symantec VelociRaptor 1100 1.5 Symantec Nexland Pro800turbo Firewall Appliance Symantec Nexland Pro800 Firewall Appliance Symantec Nexland Pro400 Firewall Appliance Symantec Nexland Pro100 Firewall Appliance Symantec Nexland ISB SOHO Firewall Appliance Symantec Gateway Security 5400 2.0.1 Symantec Gateway Security 5400 2.0 Symantec Gateway Security 5310 1.0 Symantec Gateway Security 5300 1.0 Symantec Gateway Security 460R Symantec Gateway Security 460 Symantec Gateway Security 440 Symantec Gateway Security 420 0 Symantec Gateway Security 360R 2.1 Build 415 Symantec Gateway Security 360R 2.1 Build 300 Symantec Gateway Security 360R Symantec Gateway Security 360 Symantec Gateway Security 320 Symantec Firewall/VPN Appliance 200R Symantec Firewall/VPN Appliance 200 Symantec Firewall/VPN Appliance 100 Symantec Enterprise Firewall 8.0 Solaris Symantec Enterprise Firewall 8.0 NT/2000 Symantec Enterprise Firewall 7.0.4 
Solaris Symantec Enterprise Firewall 7.0.4 NT/2000 Symantec Enterprise Firewall 7.0 Solaris Symantec Enterprise Firewall 7.0 NT/2000 Sun Solaris 9_x86 Sun Solaris 9 Sun Solaris 8_x86 Sun Solaris 8_sparc Sun Solaris 7.0_x86 Sun Solaris 7.0 Sun Solaris 10_x86 Sun Solaris 10 SCO Unixware 7.1.4 SCO Unixware 7.1.3 SCO Open Server 6.0 SCO Open Server 5.0.7 SCO Open Server 5.0.6 Redhat Enterprise Linux WS 3 Redhat Enterprise Linux WS 2.1 IA64 Redhat Enterprise Linux WS 2.1 Redhat Enterprise Linux ES 3 Redhat Enterprise Linux ES 2.1 IA64 Redhat Enterprise Linux ES 2.1 Redhat Enterprise Linux AS 3 Redhat Enterprise Linux AS 2.1 IA64 Redhat Enterprise Linux AS 2.1 Redhat Desktop 3.0 Redhat Advanced Workstation for the Itanium Processor 2.1 IA64 Redhat Advanced Workstation for the Itanium Processor 2.1 RedBack Networks AOS OpenBSD OpenBSD 2.9 OpenBSD OpenBSD 2.8 OpenBSD OpenBSD 2.7 OpenBSD OpenBSD 2.6 OpenBSD OpenBSD 2.5 OpenBSD OpenBSD 2.4 OpenBSD OpenBSD 2.3 OpenBSD OpenBSD 2.2 OpenBSD OpenBSD 2.1 OpenBSD OpenBSD 2.0 OpenBSD OpenBSD 3.7 OpenBSD OpenBSD 3.6 OpenBSD OpenBSD 3.5 OpenBSD OpenBSD 3.4 OpenBSD OpenBSD 3.3 OpenBSD OpenBSD 3.2 OpenBSD OpenBSD 3.1 OpenBSD OpenBSD 3.0 Nortel Networks WLAN Access Point 7250.0 Nortel Networks WLAN Access Point 7220.0 Nortel Networks VPN Router Nortel Networks Univity - BSSM Nortel Networks UMTS Nortel Networks Shasta Router Nortel Networks Preside - MDM Nortel Networks Passport 7000 Nortel Networks Passport 6000 Nortel Networks Passport 20000 Nortel Networks Passport 15000 Nortel Networks Passport 1100/1150/1200/1250 Nortel Networks Optivity Network Management System Nortel Networks Optera Nortel Networks Multiservice Access Switch 4400 Nortel Networks Multiprotocol Router Family PP5430 Nortel Networks Multiprotocol Router Family PP2430 Nortel Networks Multiprotocol Router Family BLN Nortel Networks Multiprotocol Router Family BCN Nortel Networks Multiprotocol Router Family ASN Nortel Networks Multiprotocol Router Family ARN Nortel 
Networks Multiprotocol Router Family ANH Nortel Networks Multiprotocol Router Family AN Nortel Networks GSM Nortel Networks Ethernet Routing Switch Passport 8300 Nortel Networks Ethernet Routing Switch 8600 Nortel Networks Baystack BPS2000/460/470 Switch Nortel Networks Baystack 5510/5520 Switch Nortel Networks Baystack 420/425/325 Switch Nortel Networks Baystack 380-24T Switch Nortel Networks BayRS Nortel Networks Application Switch Nortel Networks Alteon Switched Firewall 5100 NetAppliance NetCache C630 3.3.1 Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Media Center Edition SP1 Microsoft Windows XP Media Center Edition Microsoft Windows XP Home SP2 Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP Gold 0 Microsoft Windows XP 64-bit Edition Version 2003 SP1 Microsoft Windows XP 64-bit Edition Version 2003 Microsoft Windows XP 0 Microsoft Windows Server 2003 Web Edition SP1 Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard x64 Edition Microsoft Windows Server 2003 Standard Edition SP1 Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Enterprise x64 Edition Microsoft Windows Server 2003 Enterprise Edition Itanium SP1 Microsoft Windows Server 2003 Enterprise Edition Itanium 0 Microsoft Windows Server 2003 Enterprise Edition SP1 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter x64 Edition Microsoft Windows Server 2003 Datacenter Edition Itanium SP1 Microsoft Windows Server 2003 Datacenter Edition Itanium 0 Microsoft Windows Server 2003 Datacenter Edition SP1 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows 2000 Server SP4 
Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server Microsoft Windows 2000 Professional SP4 Microsoft Windows 2000 Professional SP3 Microsoft Windows 2000 Professional SP2 Microsoft Windows 2000 Professional SP1 Microsoft Windows 2000 Professional Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Datacenter Server SP3 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server Juniper T-series Router T640 Juniper T-series Router T320 Juniper M-series Router M5 Juniper M-series Router M40e Juniper M-series Router M40 Juniper M-series Router M20 Juniper M-series Router M160 Juniper M-series Router M10 IBM AIX 5.3 L IBM AIX 5.2 L IBM AIX 5.1 L IBM AIX 5.3 IBM AIX 5.2 IBM AIX 5.1 HP Tru64 5.1 B-3 HP Tru64 5.1 B-2 PK4 HP Tru64 5.1 A PK HP Tru64 4.0 G PK4 HP Tru64 4.0 F PK8 HP TOUR 2.0 HP HP-UX B.11.23 HP HP-UX B.11.22 HP HP-UX B.11.11 HP HP-UX B.11.04 HP HP-UX B.11.00 F5 BIG-IP 9.0.5 F5 BIG-IP 9.0.4 F5 BIG-IP 9.0.3 F5 BIG-IP 9.0.2 F5 BIG-IP 9.0.1 F5 BIG-IP 9.0 F5 BIG-IP 4.6.5 F5 BIG-IP 4.6.3 F5 BIG-IP 4.6.2 F5 BIG-IP 4.6 F5 BIG-IP 4.5.12 F5 BIG-IP 4.5.11 F5 BIG-IP 4.5.10 F5 BIG-IP 4.5.9 F5 BIG-IP 4.5.6 F5 BIG-IP 4.5 F5 3-DNS 4.6.3 F5 3-DNS 4.6.2 F5 3-DNS 4.6 F5 3-DNS 4.5.12 F5 3-DNS 4.5.11 F5 3-DNS 4.5 Cisco VPN 5000 Concentrator Cisco PIX Firewall 6.3.3 (133) Cisco PIX Firewall 6.3.2 Cisco PIX Firewall 6.3.1 Cisco PIX Firewall 6.3 (3.109) Cisco PIX Firewall 6.3 (3.102) Cisco PIX Firewall 6.3 (1) Cisco PIX Firewall 6.3 Cisco PIX Firewall 6.2.3 (110) Cisco PIX Firewall 6.2.3 Cisco PIX Firewall 6.2.2 .111 Cisco PIX Firewall 6.2.2 Cisco PIX Firewall 6.2.1 Cisco PIX Firewall 6.2 (3.100) Cisco PIX 
Firewall 6.2 (3) Cisco PIX Firewall 6.2 (2) Cisco PIX Firewall 6.2 (1) Cisco PIX Firewall 6.2 Cisco ONS 15454 IOS-Based Blades Cisco ONS 15305 Cisco ONS 15302 Cisco MGX 8850 - PXM1 1.2.11 Cisco MGX 8850 - PXM1 1.2.10 Cisco MGX 8850 - PXM1 1.2.10 Cisco MGX 8850 Cisco MGX 8250 1.2.11 Cisco MGX 8250 1.2.10 Cisco MGX 8250 1.2.10 Cisco MDS 9000 2.0 (0.86) Cisco MDS 9000 1.3 (4a) Cisco MDS 9000 1.3 (3.33) Cisco MDS 9000 Cisco IP Phone 7970 Cisco IP Phone 7960 Cisco IP Phone 7940 Cisco IOS XR Cisco IOS 12.3YQ Cisco IOS 12.3YN Cisco IOS 12.3YK Cisco IOS 12.3YJ Cisco IOS 12.3YI Cisco IOS 12.3YH Cisco IOS 12.3YG Cisco IOS 12.3YF Cisco IOS 12.3YD Cisco IOS 12.3YA Cisco IOS 12.3XY Cisco IOS 12.3XX Cisco IOS 12.3XW Cisco IOS 12.3XU Cisco IOS 12.3XT Cisco IOS 12.3XS Cisco IOS 12.3XR Cisco IOS 12.3XQ Cisco IOS 12.3XM Cisco IOS 12.3XL Cisco IOS 12.3XK Cisco IOS 12.3XJ Cisco IOS 12.3XI Cisco IOS 12.3XH Cisco IOS 12.3XG Cisco IOS 12.3XF Cisco IOS 12.3XE Cisco IOS 12.3XD Cisco IOS 12.3XC Cisco IOS 12.3XB Cisco IOS 12.3XA Cisco IOS 12.3T Cisco IOS 12.3JA Cisco IOS 12.3BW Cisco IOS 12.3BC Cisco IOS 12.3B Cisco IOS 12.3 Cisco IOS 12.2ZP Cisco IOS 12.2ZN Cisco IOS 12.2ZL Cisco IOS 12.2ZK Cisco IOS 12.2ZJ Cisco IOS 12.2ZH Cisco IOS 12.2ZG Cisco IOS 12.2ZF Cisco IOS 12.2ZE Cisco IOS 12.2ZD Cisco IOS 12.2ZC Cisco IOS 12.2ZB Cisco IOS 12.2ZA Cisco IOS 12.2YZ Cisco IOS 12.2YY Cisco IOS 12.2YX Cisco IOS 12.2YW Cisco IOS 12.2YV Cisco IOS 12.2YU Cisco IOS 12.2YT Cisco IOS 12.2YR Cisco IOS 12.2YQ Cisco IOS 12.2YO Cisco IOS 12.2YN Cisco IOS 12.2YM Cisco IOS 12.2YL Cisco IOS 12.2YK Cisco IOS 12.2YJ Cisco IOS 12.2YH Cisco IOS 12.2YG Cisco IOS 12.2YF Cisco IOS 12.2YE Cisco IOS 12.2YD Cisco IOS 12.2YC Cisco IOS 12.2YB Cisco IOS 12.2YA Cisco IOS 12.2XW Cisco IOS 12.2XU Cisco IOS 12.2XT Cisco IOS 12.2XR Cisco IOS 12.2XQ Cisco IOS 12.2XN Cisco IOS 12.2XM Cisco IOS 12.2XL Cisco IOS 12.2XK Cisco IOS 12.2XJ Cisco IOS 12.2XI Cisco IOS 12.2XH Cisco IOS 12.2XG Cisco IOS 12.2XF Cisco IOS 12.2XE Cisco IOS 12.2XD 
Cisco IOS 12.2XC Cisco IOS 12.2XB Cisco IOS 12.2XA Cisco IOS 12.2T Cisco IOS 12.2SZ Cisco IOS 12.2SY Cisco IOS 12.2SXD Cisco IOS 12.2SXB Cisco IOS 12.2SXA Cisco IOS 12.2SX Cisco IOS 12.2SW Cisco IOS 12.2SV Cisco IOS 12.2SU Cisco IOS 12.2SO Cisco IOS 12.2SE Cisco IOS 12.2S Cisco IOS 12.2MC Cisco IOS 12.2MB Cisco IOS 12.2JK Cisco IOS 12.2JA Cisco IOS 12.2EY Cisco IOS 12.2EX Cisco IOS 12.2EWA Cisco IOS 12.2EW Cisco IOS 12.2EU Cisco IOS 12.2DX Cisco IOS 12.2DD Cisco IOS 12.2DA Cisco IOS 12.2CZ Cisco IOS 12.2CY Cisco IOS 12.2CX Cisco IOS 12.2BZ Cisco IOS 12.2BY Cisco IOS 12.2BW Cisco IOS 12.2BC Cisco IOS 12.2B Cisco IOS 12.2 Cisco IOS 12.1YJ Cisco IOS 12.1YI Cisco IOS 12.1YH Cisco IOS 12.1YF Cisco IOS 12.1YE Cisco IOS 12.1YD Cisco IOS 12.1YC Cisco IOS 12.1YB Cisco IOS 12.1YA Cisco IOS 12.1XV Cisco IOS 12.1XU Cisco IOS 12.1XT Cisco IOS 12.1XR Cisco IOS 12.1XQ Cisco IOS 12.1XP Cisco IOS 12.1XM Cisco IOS 12.1XL Cisco IOS 12.1XJ Cisco IOS 12.1XI Cisco IOS 12.1XH Cisco IOS 12.1XG Cisco IOS 12.1XF Cisco IOS 12.1XE Cisco IOS 12.1XD Cisco IOS 12.1XC Cisco IOS 12.1XB Cisco IOS 12.1XA Cisco IOS 12.1T Cisco IOS 12.1EY Cisco IOS 12.1EX Cisco IOS 12.1EW Cisco IOS 12.1EV Cisco IOS 12.1EU Cisco IOS 12.1EO Cisco IOS 12.1EC Cisco IOS 12.1EB Cisco IOS 12.1EA Cisco IOS 12.1E Cisco IOS 12.1DC Cisco IOS 12.1DB Cisco IOS 12.1DA Cisco IOS 12.1AZ Cisco IOS 12.1AX Cisco IOS 12.1AA Cisco IOS 12.1 Cisco IOS 12.0XV Cisco IOS 12.0XS Cisco IOS 12.0XR Cisco IOS 12.0XQ Cisco IOS 12.0XN Cisco IOS 12.0XM Cisco IOS 12.0XL Cisco IOS 12.0XK Cisco IOS 12.0XJ Cisco IOS 12.0XI Cisco IOS 12.0XH Cisco IOS 12.0XG Cisco IOS 12.0XF Cisco IOS 12.0XE Cisco IOS 12.0XD Cisco IOS 12.0XC Cisco IOS 12.0XB Cisco IOS 12.0XA Cisco IOS 12.0WC Cisco IOS 12.0W5 Cisco IOS 12.0T Cisco IOS 12.0SZ Cisco IOS 12.0SX Cisco IOS 12.0ST Cisco IOS 12.0SP Cisco IOS 12.0SL Cisco IOS 12.0SC Cisco IOS 12.0S Cisco IOS 12.0DC Cisco IOS 12.0DB Cisco IOS 12.0DA Cisco IOS 12.0 Cisco GSS 4490 Global Site Selector 0 Cisco GSS 4480 Global Site 
Selector Cisco CSS11500 Content Services Switch Cisco CSS11000 Content Services Switch Cisco CSM Cisco Catalyst 6624 Cisco Catalyst 6608 Cisco 6608 Blue Coat Systems Spyware Interceptor Blue Coat Systems SGOS 4.1.1 Blue Coat Systems SGOS 3.2.4 Blue Coat Systems SGOS 2.1.11 Blue Coat Systems SGME Blue Coat Systems CacheOS Avaya Modular Messaging (MAS) 3.0 ALAXALA Networks AX7800S ALAXALA Networks AX7800R ALAXALA Networks AX5400S |
| Not Vulnerable: |
HP TOUR 3.0 F5 BIG-IP 9.0.5 F5 BIG-IP 9.0.4 F5 BIG-IP 9.0.3 F5 BIG-IP 9.0.2 F5 BIG-IP 9.0.1 F5 BIG-IP 9.0 Cisco Local Director 4.2 (6) Cisco Local Director 4.2 (5) Cisco Local Director 4.2 (4) Cisco Local Director 4.2 (3) Cisco Local Director 4.2 (2) Cisco Local Director 4.2 (1) Cisco Local Director Cisco IP Phone 7920 Cisco IP Phone 7905 Cisco IP Phone 7902 Cisco IOS 12.3(9a)BC2 Cisco IOS 12.3(8)YI Cisco IOS 12.3(8)YG1 Cisco IOS 12.3(8)XY4 Cisco IOS 12.3(8)T7 Cisco IOS 12.3(7)XI3 Cisco IOS 12.3(7)T8 Cisco IOS 12.3(6e) Cisco IOS 12.3(4)JA Cisco IOS 12.3(14)YQ Cisco IOS 12.3(14)T Cisco IOS 12.3(13) Cisco IOS 12.3(12) Cisco IOS 12.3(11)YN Cisco IOS 12.3(11)YK1 Cisco IOS 12.3(11)YF2 Cisco IOS 12.3(11)T4 Cisco IOS 12.3(10c) Cisco IOS 12.2(4)YA9 Cisco IOS 12.2(28) Cisco IOS 12.2(25)SEB Cisco IOS 12.2(25)S3 Cisco IOS 12.2(25)EY Cisco IOS 12.2(25)EWA Cisco IOS 12.2(20)S7 Cisco IOS 12.2(20)EU Cisco IOS 12.2(18)SXD4 Cisco IOS 12.2(18)S8 Cisco IOS 12.2(18)EW3 Cisco IOS 12.2(17d)SXB7 Cisco IOS 12.2(15)T15 Cisco IOS 12.2(15)BC2f Cisco IOS 12.2(14)S13 Cisco IOS 12.2(12)DA8 Cisco IOS 12.1(27) Cisco IOS 12.1(26)E1 Cisco IOS 12.1(22)EA4 Cisco IOS 12.0(30)S1 Cisco IOS 12.0(28c) Cisco IOS 12.0(28)W5(31a) Cisco IOS 12.0(25)W5(27c) Blue Coat Systems SGOS 4.1.2 Blue Coat Systems SGOS 3.2.5 |
Discussion
Multiple vendor implementations of the TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.
Network nodes use ICMP to decide which automatic actions to take in response to network failures reported by an ICMP message.
Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.
The following individual attacks are reported:
- A blind connection-reset attack. This attack takes advantage of the specification's statement that, on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.
  A remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.
- An ICMP Source Quench attack. This attack takes advantage of the specification's requirement that a host must react to received ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.
  A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.
- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.
  A remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.
Update: Microsoft platforms are also reported prone to these issues.
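The acceptance rule described above checks only the address and port pair. The following added example (not part of the advisory or of any vendor's code) shows a receive-side validator that adds the checks proposed in Fernando Gont's "ICMP attacks against TCP", listed in the references and later published as RFC 5927: the TCP sequence number embedded in the ICMP error must be in flight, Source Quench is ignored, a next-hop MTU may only lower the current estimate, and hard errors on established connections are treated as soft. The `Conn` class, the function names, the verdict strings and the sample addresses are hypothetical.

```python
import socket
import struct
from dataclasses import dataclass

DEST_UNREACH, SOURCE_QUENCH = 3, 4   # ICMP types
FRAG_NEEDED = 4                      # type 3 code 4, the PMTUD signal
HARD_CODES = {2, 3}                  # protocol / port unreachable
MIN_PMTU = 68                        # IPv4 floor from RFC 1191

@dataclass
class Conn:                          # hypothetical per-connection state
    snd_una: int                     # oldest unacknowledged sequence number
    snd_nxt: int                     # next sequence number to send
    pmtu: int                        # current path-MTU estimate
    established: bool = True

def parse_icmp_error(msg):
    """Return (type, code, next_hop_mtu, four_tuple, tcp_seq) or raise ValueError."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    inner = msg[8:]                  # IP header + first 8 bytes of the packet we sent
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:
        raise ValueError("embedded packet is not IPv4/TCP")
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return itype, code, mtu, (src, sport, dst, dport), seq

def in_flight(seq, una, nxt):
    """SND.UNA <= seq < SND.NXT in 32-bit wrap-around arithmetic."""
    return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)

def handle_icmp_error(conns, msg):
    try:
        itype, code, mtu, key, seq = parse_icmp_error(msg)
    except ValueError as exc:
        return f"drop: {exc}"
    conn = conns.get(key)
    if conn is None:
        return "drop: no matching connection"
    # The four-tuple match above is the only check the advisory describes.
    if not in_flight(seq, conn.snd_una, conn.snd_nxt):
        return "drop: embedded sequence number not in flight"
    if itype == SOURCE_QUENCH:
        return "ignore: source quench"
    if itype == DEST_UNREACH and code == FRAG_NEEDED:
        if mtu >= conn.pmtu:
            return "ignore: next-hop MTU does not lower path MTU"
        conn.pmtu = max(mtu, MIN_PMTU)
        return "accept: path MTU lowered"
    if itype == DEST_UNREACH and code in HARD_CODES and conn.established:
        return "soft: hard error on established connection"
    return "accept: soft error"

def build_icmp_error(itype, code, mtu, key, seq):
    """Constructed test input; checksums are left at zero."""
    src, sport, dst, dport = key
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHHH", itype, code, 0, 0, mtu) + ip + struct.pack("!HHI", sport, dport, seq)

def demo():
    key = ("192.0.2.10", 49152, "198.51.100.7", 179)   # constructed addresses
    conns = {key: Conn(snd_una=1000, snd_nxt=3000, pmtu=1500)}
    cases = [(3, 3, 0, 999_999), (3, 3, 0, 2000), (4, 0, 0, 2000), (3, 4, 9000, 2000), (3, 4, 1400, 2000)]
    return [handle_icmp_error(conns, build_icmp_error(t, c, m, key, s)) for t, c, m, s in cases]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The first case passes the four-tuple check but is dropped because its sequence number lies outside the window of data the sender has outstanding, which is the value a blind sender does not know.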
Exploit / POC
HOD-icmp-attacks-pos.c was provided by houseofdabus.
icmp-mtu.tar.gz, icmp-reset.tar.gz, and icmp-quench.tar.gz were provided by Fernando Gont.
Solution / Fix
Solution:
Please see the referenced advisories for information on obtaining and applying appropriate fixes.
Microsoft Windows Server 2003 Datacenter Edition SP1
- Microsoft Security Update for Windows Server 2003 (KB922819)
  http://www.microsoft.com/downloads/details.aspx?familyid=102591a0-2b58-497b-bc20-593571b96e9c
IBM AIX 5.1
- IBM IY70028
  http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html
- IBM icmp_efix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/icmp_efix.tar.Z
- IBM IY70028
  http://www-1.ibm.com/support/docview.wss?uid=isg1IY70028
Microsoft Windows Server 2003 Standard Edition SP1
- Microsoft Security Update for Windows Server 2003 (KB922819)
  http://www.microsoft.com/downloads/details.aspx?familyid=102591a0-2b58-497b-bc20-593571b96e9c
Microsoft Windows Server 2003 Standard Edition
- Microsoft Security Update for Windows Server 2003 (KB922819)
  http://www.microsoft.com/downloads/details.aspx?familyid=102591a0-2b58-497b-bc20-593571b96e9c
- Microsoft Security Update for Windows Server 2003 (KB893066)
  http://www.microsoft.com/downloads/details.aspx?familyid=F1F9A44F-D4F1-4EF8-83F7-737DF6CC292E&displaylang=en
Microsoft Windows Server 2003 Enterprise x64 Edition
- Microsoft Security Update for Windows Server 2003 x64 Edition (KB922819)
  http://www.microsoft.com/downloads/details.aspx?familyid=c5faba34-48f5-4875-a0fa-6b8207f9b276
Microsoft Windows XP Professional
- Microsoft Security Update for Windows XP (KB893066)
  http://www.microsoft.com/downloads/details.aspx?familyid=81049A86-6F39-4A27-A643-391262785CF3&displaylang=en
Microsoft Windows Server 2003 Datacenter Edition Itanium 0
- Microsoft Security Update for Windows Server 2003 for Itanium-based Systems (KB922819)
  http://www.microsoft.com/downloads/details.aspx?familyid=12515d47-134d-4d1f-9ae7-f0a7167ec424
- Microsoft Security Update for Windows Server 2003 64-bit Edition and Windows XP 64-bit Edition, Version 20
  http://www.microsoft.com/downloads/details.aspx?familyid=AC019224-82BE-4263-B977-02D4DC6C9FF6&displaylang=en
F5 3-DNS 4.5
- F5 bigip_VU-222750.txt
  ftp://ftp.f5.com/Domestic/bigip/vu222750/bigip_VU-222750.txt
F5 BIG-IP 4.5.11
- F5 bigip_VU-222750.txt
  ftp://ftp.f5.com/Domestic/bigip/vu222750/bigip_VU-222750.txt
F5 3-DNS 4.6
- F5 bigip_VU-222750.txt
  ftp://ftp.f5.com/Domestic/bigip/vu222750/bigip_VU-222750.txt
IBM AIX 5.2 L
- IBM IY70027
  http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html
- IBM icmp_efix.tar.Z
  ftp://aix.software.ibm.com/aix/efixes/security/icmp_efix.tar.Z
F5 BIG-IP 9.0.1
- F5 BIG-IP_9_Instructions.txt
  ftp://ftp.f5.com/Domestic/bigip/vu222750/BIG-IP_9_Instructions.txt
F5 BIG-IP 9.0.2
- F5 BIG-IP_9_Instructions.txt
  ftp://ftp.f5.com/Domestic/bigip/vu222750/BIG-IP_9_Instructions.txt
References
- [ BULLETIN ] Vulnerability Issues in ICMP packets with TCP payloads (Nortel Networks)
- Avaya security advisory ASA-2006-217 (Avaya)
- AX-VU2005-01 : TCP/IP implementations do not adequately validate ICMP error mess (ALAXALA Networks)
- BigIP Product Information (F5 Software)
- Cisco Security Advisory: Crafted ICMP Messages Can Cause Denial of Service (Cisco)
- CVS commit for PMTUD (OpenBSD)
- CVS commit to disable ICMP Source Quench for TCP connections (OpenBSD)
- ICMP attacks against TCP (F. Gont)
- ICMP Packet Filtering v1.2 (Rob Thomas)
- IY70026: ATTACKS AGAINST TCP VIA ICMP (IBM)
- Microsoft Security Bulletin MS05-019 (Microsoft)
- Microsoft Security Bulletin MS06-064 (Microsoft)
- NISCC Vulnerability Advisory 531967/NISCC/ICMP (NISCC)
- OpenBSD 3.8 Release (OpenBSD)
- RHSA-2005:043-13 - Updated kernel packages fix security vulnerabilities (RedHat)
- Security Advisory: ICMP Error Message Vulnerabilities (Blue Coat Systems)
- Solution ID: SOL4583 (F5 Software)
- Solution ID: SOL4584 (F5 Software)
- SSRT4743, SSRT4884 rev.0 - HP Tru64 (HP)
- Sun Alert ID: 101658 (formerly 57746) : Sun TCP Connections May Experience Perfo (Sun)
- Sun Alert ID: 57746 - Sun TCP Connections May Experience Performance Degradation (Sun)
- SYM05-008 - Symantec security gateway ICMP potential Denial of Service (Symantec)
- Technical Cyber Security Alert TA04-111A (US-CERT)
- UnixWare 7.1.4 Maintenance Pack 2 (SCO)
- Vulnerability Note VU#222750 - Multiple TCP/IP implementations do not adequately (US-CERT)
- Vulnerability Note VU#415294 (CERT/CC)
- ICMP vulnerabilities (Theo de Raadt)
- ICMP-based blind connection-reset attack (Fernando Gont)
- ICMP-based blind performance-degrading attack (Fernando Gont)
- Trivial BGP attacks (ICMP-based blind throughput-reduction attack) (Fernando Gont)