Lucene search

K
redhatcveRedhat.comRH:CVE-2020-25705
HistoryDec 09, 2020 - 4:45 p.m.

CVE-2020-25705

2020-12-0916:45:11
redhat.com
access.redhat.com
57

0.003 Low

EPSS

Percentile

69.6%

A flaw in the way reply ICMP packets are limited in the Linux kernel functionality was found that allows to quickly scan open UDP ports. This flaw allows an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization are indirectly affected as well.

Mitigation

The mitigation is to disable ICMP destination unreachable messages.

The commands to disable UDP port unreachable ICMP reply messages:

iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
service iptables save

For additional information about "service iptables save" please read <https://access.redhat.com/solutions/1597703&gt;
It is not recommended to apply this rule if host being used as forwarder (router) of IP packets.

Or it is possible to use this firewall-cmd instead of iptables and the result is similar:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP