1. history



In the Linux kernel's handling of received ICMP errors (ICMP fragment needed and ICMP redirect) there is a flaw that allows open UDP ports to be scanned quickly.


"fixed for Fedora with the 5.13.17 stable kernel updates."


The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well.

Alex 2021-10-14 16:40:33 UTC

A flaw in the processing of the received ICMP errors (ICMP fragment needed and ICMP redirect) in the Linux kernel functionality was found that allows quickly scanning open UDP ports. This flaw allows an off-path remote user to effectively bypass source port UDP randomization.

This flaw is similar to the previous CVE-2020-25705 (both are DNS poisoning attacks based on ICMP replies for open-port scanning, but with a different type of ICMP packet).

As a result of research work, Keyu Man reported that the IP fragments (fragmented PING echo reply) could be used by attackers to get a useful signal (that for example could be used for the DNS poisoning attack).

After considering what could be improved in the kernel to prevent this, there are two suggested ways:

I. The most direct way is to use the socket option IP_PMTUDISC_OMIT, which instructs the OS not to accept the ICMP frag needed messages and therefore eliminates the side channel related processing in the kernel;

II. Randomize the caching structure:
(1) the max length of the linked list used for solving hash collisions (currently 5),
(2) the eviction policy (currently the oldest will always be evicted),
(3) the secret of hash function, i.e., we can re-key periodically (every few seconds or tens of seconds).
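The first mitigation above, opting a UDP socket out of ICMP "fragmentation needed" processing with IP_PMTUDISC_OMIT, is something an application (a DNS resolver, for instance) can do itself without waiting for a kernel fix. The following is an added example and not code from the bug report, the kernel, or this page: it sets the option on a UDP socket and reads it back with getsockopt so the caller can confirm the mode actually took effect. IP_MTU_DISCOVER and IP_PMTUDISC_OMIT are the real Linux socket option names; the function names and the fallback constant value are this example's own (the fallback is only for older C headers that predate the option).

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Older C library headers may lack the constant; the Linux kernel value is 5
   (assumption: only used when <netinet/in.h> does not already define it). */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif

/* Set the socket's path-MTU discovery mode to IP_PMTUDISC_OMIT, then read the
   mode back. Returns the mode the kernel reports after the change, or -1 on
   error. A caller should treat anything other than IP_PMTUDISC_OMIT as a
   failure: the socket would still accept ICMP frag-needed updates. */
int udp_socket_omit_pmtu(int fd)
{
    int mode = IP_PMTUDISC_OMIT;
    if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &mode, sizeof mode) < 0)
        return -1;

    int actual = -1;
    socklen_t len = sizeof actual;
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &actual, &len) < 0)
        return -1;
    return actual;
}

/* Convenience wrapper: create an IPv4 UDP socket that ignores ICMP
   fragmentation-needed messages. Returns the descriptor or -1. */
int open_hardened_udp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (udp_socket_omit_pmtu(fd) != IP_PMTUDISC_OMIT) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        fprintf(stderr, "socket: %s\n", strerror(errno));
        return 1;
    }

    /* Show the mode the kernel applied by default before hardening. */
    int before = -1;
    socklen_t len = sizeof before;
    getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &before, &len);
    printf("IP_MTU_DISCOVER before: %d\n", before);

    int after = udp_socket_omit_pmtu(fd);
    printf("IP_MTU_DISCOVER after:  %d (IP_PMTUDISC_OMIT = %d)\n",
           after, IP_PMTUDISC_OMIT);
    close(fd);
    return after == IP_PMTUDISC_OMIT ? 0 : 1;
}
```

With IP_PMTUDISC_OMIT the kernel sends the socket's datagrams without the DF bit and does not let incoming ICMP frag-needed messages update its cached path MTU, which is what removes the side channel; the trade-off is that on-path fragmentation is allowed again, so responses larger than the interface MTU are fragmented by the network rather than by PMTU adjustment. The IPv6 analogue is IPV6_MTU_DISCOVER with IPV6_PMTUDISC_OMIT.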

Do closed ports also reply to ping? In other words: "if the MTU could be changed, judge the port as open."

CategoryDns CategoryWatch CategoryTemplate

Moin2Qmail: security/CVE-2021-20322 (last edited 2021-11-25 05:16:52 by ToshinoriMaeno)