Cisco Plugs ICMP Error Message Hole

Cisco has provided patches to thwart an ICMP-based attack (define) recently described in an IETF draft.

Published last December and entitled "ICMP attacks against TCP," the draft describes several ways in which a malicious user could use ICMP packets as part of a blind connection-reset attack, in which an attacker sends an ICMP error message to a TCP endpoint and forces it to reset its connection. Such an attack could be used to effect a denial of service.

According to an advisory posted by Cisco, all versions of its IOS operating system are vulnerable to the attack, but only when certain configuration options are enabled. Specifically, the company has warned that protocols using PMTUD, a protocol for dynamically discovering optimal MTU settings (define), are vulnerable to the attack.

The company has specifically mentioned routers that initiate TCP sessions over IPv4 (thought PMTUD is disabled by default for TCP), devices configured for IPv6 (though not if they're only forwarding IPv6 traffic), and IOS devices configured to use IPSec (which Cisco warned applies to any device with crypto map or tunnel protection enabled). Devices configured to use the Generic Routing Encapsulation (GRE) and IPinIP protocols, as well as those with Layer 2 Tunneling Protocol Versions 2 and 3 (L2TP and L2TPv3) enabled.

The company included a list of IOS-based non-router devices that are vulnerable to the attack, including members of the Catalyst and Aironet families. It also included several non-IOS devices: several VoIP products, some switches, and its VPN 5000 concentrator.

The company has provided links to updates and a matrix of effected products in the advisory.