History: May 16, 2007 - 12:00 a.m.

SOL4583 - Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790

2007-05-16 00:00:00
support.f5.com

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.965 High
Percentile: 99.5%

This vulnerability describes the use of spoofed ICMP packets to affect existing TCP connections. An attacker could cause a TCP connection to be closed or slowed by interfering with the Path MTU Discovery process or by generating one of the following spoofed ICMP messages:

  • Destination unreachable
  • Protocol unreachable
  • Port unreachable
  • Fragmentation needed and DF bit set

BIG-IP

F5 Product Development has determined the BIG-IP management interface was affected by this vulnerability. F5 Product Development tracked this issue as CR47296, CR48262, and CR48313 and it was fixed in BIG-IP 9.1. To resolve this issue, upgrade to BIG-IP 9.1 or later. For information about upgrading, refer to the BIG-IP LTM release notes.

Additionally, security updates for versions 9.0.3, 9.0.4, and 9.0.5 that address the management interface vulnerability are available. Download the update, vu222750_cr47296, from the F5 Downloads site. For information about how to download software, refer to SOL167: Downloading software and firmware from F5.

F5 had initially determined that, due to security enhancements made to the way BIG-IP handles ICMP, the BIG-IP Local Traffic Manager was not vulnerable to exploitation of the issues described in VU#222750 / CVE-2004-0790.

However, it was later determined that fastl4 virtual servers are vulnerable. This issue was tracked as ID 356287 and it was fixed in BIG-IP 10.2.3 and in cumulative hotfix BIG-IP 10.2.2 HF2. For information about upgrading, refer to the BIG-IP LTM release notes.

FirePass

FirePass 5.0.0 and later are not vulnerable to the attacks described in VU#222750 / CVE-2004-0790.

In addition to validating source and destination ports and IP addresses, FirePass also validates TCP sequence numbers for TCP headers in an ICMP error packet’s payload.

FirePass will discard an ICMP packet if the packet does not contain a sequence number or if the packet contains sequence numbers that are not in the proper range for an existing TCP connection.

An attack like the one described in VU#222750, which uses ICMP types such as ICMP Unreachables (type 3) or Source Quench (type 4) with payloads of TCP/IP headers that have only the correct IP address and TCP port pairs, will not prompt FirePass to terminate or slow existing connections.
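The sequence-number check described above, as an added illustration in Python (not F5's code): an ICMP error is accepted only if the quoted TCP segment's 4-tuple matches an existing connection and its sequence number lies within that connection's unacknowledged send window; a quoted header that stops after the ports (no sequence number) is discarded. The connection table, the packet builder and the sample addresses are hypothetical; IP and ICMP checksums are assumed to have been verified by a lower layer.

```python
import struct

# Hypothetical connection table: key = (local_ip, local_port, remote_ip, remote_port),
# value = (snd_una, snd_nxt): oldest unacknowledged and next-to-send sequence numbers.
CONNS = {
    ("10.0.0.5", 443, "198.51.100.7", 51234): (1000, 1400),
}
ICMP_ERROR_TYPES = {3, 4, 11, 12}  # dest unreachable, source quench, time exceeded, param problem

def parse_icmp_error(pkt: bytes):
    """Return (type, code, quoted src, dst, sport, dport, seq) from an ICMP error,
    or None if it is not an error message or the quoted TCP header lacks a seq field."""
    if len(pkt) < 8 + 20 + 8 or pkt[0] not in ICMP_ERROR_TYPES:
        return None
    inner = pkt[8:]                      # quoted original IP datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or inner[9] != 6 or len(inner) < ihl + 8:
        return None                      # not IPv4/TCP, or only the ports were quoted
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return pkt[0], pkt[1], src, dst, sport, dport, seq

def seq_in_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """True if snd_una <= seq < snd_nxt, allowing for 32-bit wraparound."""
    return (seq - snd_una) % 2**32 < (snd_nxt - snd_una) % 2**32

def accept_icmp_error(pkt: bytes, conns=CONNS) -> bool:
    """FirePass-style check: the quoted segment must belong to a known connection
    (it was sent by this host, so quoted src is local) and carry an in-flight seq."""
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return False
    _, _, src, dst, sport, dport, seq = parsed
    window = conns.get((src, sport, dst, dport))
    if window is None:
        return False
    return seq_in_window(seq, *window)

def build_icmp_error(icmp_type, code, src, dst, sport, dport, seq=None) -> bytes:
    """Constructed sample: ICMP header + quoted IPv4 header + quoted TCP ports (+ seq)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HH", sport, dport)
    if seq is not None:
        tcp += struct.pack("!I", seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + tcp
```

A spoofed error that guesses the correct address and port pairs but not an in-window sequence number is rejected, while a genuine "fragmentation needed" error quoting a segment actually in flight is still honoured, so Path MTU Discovery keeps working.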
