Bugzilla – Bug 351997
VUL-0: CVE-1999-0524: kernel: "unsecure" ICMP replies
Last modified: 2019-05-08 15:01:10 UTC
(this is just a tracker bug for this issue, so it can be found again)

CVE-1999-0524

ICMP information such as (1) netmask and (2) timestamp is allowed from arbitrary hosts.

The CVE discussion has:

Frech> XF:icmp-timestamp
       XF:icmp-netmask

Meunier> If this is not merged with 1999-0523 as I commented for that CVE, then the description should be changed to "ICMP messages of types 13 and 14 (timestamp request and reply) and 17 and 18 (netmask request and reply) are acted upon without any access control". It's a more precise and correct language. I believe that this is a valid CVE entry (it's a common source of vulnerabilities or exposures) even though I see that the inferred action was "reject". Knowing the time of a host also allows attacks against random number generators that are seeded with the current time. I want to push to have it accepted.

Baker> I agree with the description changes suggested by Pascal
The only issue I see here is disclosure of potentially sensitive data.

- Those ICMP types are filtered in products with SUSEfirewall enabled.
- The risk of cryptographic timing information disclosure is very small, since it is usually not using timestamps but other entropy sources.

The netmask ... is really of no use to an attacker I guess.
mainline git:

13 and 14:

    [ICMP_TIMESTAMP] = {
        .handler = icmp_timestamp,
    },
    [ICMP_TIMESTAMPREPLY] = {
        .handler = icmp_discard,
    },

17 and 18:

    [ICMP_ADDRESS] = {
        .handler = icmp_discard,
    },
    [ICMP_ADDRESSREPLY] = {
        .handler = icmp_discard,
    },

So all but timestamp are blocked in mainline now.

icmp_address is blocked since begin of GIT (2.6.12)
icmp_address_reply is acted upon by just a local warning, until 3.6 where it is just discarded.
icmp_timestamp_reply is also discarded since begin of git.

Only icmp_timestamp is replied, it can be filtered by firewall.
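Added example, not part of the bug thread or the kernel source: what the one message type still answered (type 13, reply type 14) discloses, shown by validating and decoding an RFC 792 timestamp reply. The function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ICMP_TS_REQUEST = 13, ICMP_TS_REPLY = 14 };
/* Constructed sample (not captured traffic): a 20-byte timestamp reply,
 * id 0x1234, seq 1, originate 13:21:07.000 UTC, receive/transmit +1500 ms. */
static const uint8_t sample_reply[20] = {
    0x0E, 0x00, 0x76, 0x52, 0x12, 0x34, 0x00, 0x01,
    0x02, 0xDD, 0x71, 0xB8,   /* originate: set by the requester */
    0x02, 0xDD, 0x77, 0x94,   /* receive:   remote host's clock  */
    0x02, 0xDD, 0x77, 0x94 }; /* transmit:  remote host's clock  */

/* Internet checksum (RFC 1071) over the whole message; 0 means valid. */
static uint16_t icmp_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* 1 if the handler table quoted above answers this type (only type 13). */
int mainline_replies(uint8_t type) { return type == ICMP_TS_REQUEST; }

/* Validate a timestamp reply and extract the remote receive time
 * (ms since midnight UTC). Returns 0 on success, negative on rejection. */
int parse_ts_reply(const uint8_t *msg, size_t len, uint32_t *remote_ms) {
    if (len < 20 || msg[0] != ICMP_TS_REPLY || msg[1] != 0) return -1;
    if (icmp_checksum(msg, len) != 0) return -2;
    uint32_t rx = be32(msg + 12);
    if (rx & 0x80000000u) return -3; /* RFC 792: high bit = non-standard time */
    *remote_ms = rx;
    return 0;
}

int main(void) {
    uint32_t ms;
    if (parse_ts_reply(sample_reply, sizeof sample_reply, &ms) == 0)
        printf("remote clock: %02u:%02u:%02u.%03u UTC\n", ms / 3600000,
               ms / 60000 % 60, ms / 1000 % 60, ms % 1000);
    return 0;
}
```

The decoded value is the replying host's clock to millisecond resolution, which is the disclosure the CVE discussion refers to; dropping type 13 at the firewall removes it.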