Check Point Reference: | CPAI-2005-356 |
Date Published: | 28 Feb 2010 |
Severity: | Critical |
Last Updated: | Tuesday 30 April, 2013 |
Source: | |
Industry Reference: | CVE-2004-0790 |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description | The Internet Control Message Protocol (ICMP) is part of the Internet Protocol suite. ICMP facilitates error, control, and informational message exchange between network devices. For instance, ICMP may be used to test network connectivity between two hosts. A vulnerability exists in multiple vendors' TCP/IP and ICMP implementations. A spoofed ICMP message containing crafted fields can force the vulnerable system to reset a TCP connection. A remote attacker can exploit this vulnerability to interrupt services or degrade the network performance of the target system. For an attack to be executed, there must be an open TCP connection between a pair of hosts. The attacker then has the option of attacking either one of the two connected hosts. The resulting behavior needs to be explored from both sides of the connection. Upon receiving the malicious packet from the attacker, the vulnerable host will terminate the TCP connection, thereby destroying the socket used to maintain the connection. No announcement will be sent to the other host (the connected host). Therefore, the connected host will remain unaware that the connection has been terminated. If the connected host was in listening mode at the time of the attack, it may remain in this mode indefinitely. Alternatively, if it tries to communicate with the vulnerable host, it will receive a TCP RST, since the vulnerable host has already closed the connection and destroyed the socket. Note: Systems using Sun Solaris will not abort an established connection upon receiving the spoofed ICMP error messages. The vendor reports that only a connection in a pre-established state can be interrupted and reset. |
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: ICMP Protocol Violation.
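The following is an added example, not Check Point's detection logic: it shows how a receiver or monitor can validate an ICMP Destination Unreachable message against the TCP connection it quotes before acting on it, the kind of sequence-number check RFC 5927 describes for these spoofed errors. The connection table layout, function names and sample addresses are assumptions made for illustration.

```python
import socket
import struct

def build_icmp_error(src, dst, sport, dport, seq, code=3):
    """Constructed sample: ICMP type 3 quoting an IPv4 header + first 8 TCP bytes.
    Checksums are left at zero; this example does not verify them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                           socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", 3, code, 0, 0) + inner_ip + inner_tcp

def in_window(seq, snd_una, snd_nxt):
    """True if seq lies in [snd_una, snd_nxt), using 32-bit wraparound arithmetic."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

def classify_icmp_error(icmp, conns):
    """conns (hypothetical table) maps (src, sport, dst, dport) of segments we
    sent to (snd_una, snd_nxt): oldest unacknowledged and next sequence number."""
    if len(icmp) < 8 + 20 + 8 or icmp[0] != 3:
        return "ignored"                       # not a Destination Unreachable
    inner = icmp[8:]                           # quoted original datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or inner[9] != 6 or len(inner) < ihl + 8:
        return "ignored"                       # not IPv4/TCP or truncated quote
    src = socket.inet_ntoa(inner[12:16])
    dst = socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    state = conns.get((src, sport, dst, dport))
    if state is None:
        return "no-matching-connection"        # quotes a segment we never sent
    if not in_window(seq, *state):
        return "suspect-seq-outside-window"    # a blind sender has to guess seq
    return "plausible"

# Constructed connection state: one open connection with bytes 1000..2459 in flight.
CONNS = {("192.0.2.10", 40000, "198.51.100.5", 80): (1000, 2460)}

if __name__ == "__main__":
    for seq in (1500, 999999):
        pkt = build_icmp_error("192.0.2.10", "198.51.100.5", 40000, 80, seq)
        print(seq, classify_icmp_error(pkt, CONNS))
```

A message classified as anything other than "plausible" should not cause the connection to be aborted, and a burst of such messages aimed at one connection is worth logging.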