CERT Warns of Widespread ICMP Vulnerability

A note from CERT warns that network admins concerned about preventing a TCP-based DoS attack should tend their patches and consider tighter filters on ICMP packets.

By Michael Hall | Posted Apr 15, 2005
Page of   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

A note sent out by US CERT says a flaw in TCP affects a wide array of implementations and warns network admins to mind their patches and consider filtering specific packet types to head off denial of service attacks.

On Wednesday, EnterpriseNetworkingPlanet reported that Cisco had patched IOS to correct a flaw in the way its TCP implementation deals with ICMP packets.

According to the company, IOS was vulnerable to what's referred to as a "blind connection-reset attack," in which an attacker sends an ICMP error message to a TCP endpoint and forces it to reset its connection. The company warned that such an attack, outlined in an IETF draft in late 2004, could be used to effect a denial of service.

Since Cisco's announcement, several other companies have announced patches to correct the same vulnerability, including Juniper, IBM, and Microsoft.

CERT's vulnerability note indicates that the vulnerability might be lurking in quite a few other implementations of TCP. In a list of 80 hardware and software vendors, CERT identifies lists 11 as definitely vulnerable, including Microsoft, Red Hat, Sun Microsystems, and SCO. It reports 12 on its list as "not vulnerable," leaving the balance of the list, a total of 61 companies and organizations, as "unknown."

The organization said it's especially concerned about the Border Gateway Protocol (BGP) (define), "since it relies on long-lived TCP connections, uses well-known source and destination ports, provides critical network and Internet routing information, and may require a non-trivial period of time to recover from a sustained attack."

CERT recommended that network administrators both insure that their systems are up-to-date on security patches, and that the concerned admin should "filter ICMP messages based on type and code at network borders. Allow only ICMP messages that are necessary for proper operation."

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter