F5 Networks BIG-IP : Insufficient validation of ICMP error messages (K23440942)

Critical Nessus Plugin ID 100000

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

The vulnerability described in this article was initially fixed in earlier versions, but the fix regressed in BIG-IP 12.x through 13.x. For information about earlier versions, refer to K4583: Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790 (9.x - 10.x).

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the 'blind connection-reset attack.' NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. (CVE-2004-0790)

Impact

A remote attacker can interfere with the Path MTU Discovery process and cause performance degradation or a reset of FastL4-accelerated TCP connections by spoofing a specially crafted Internet Control Message Protocol (ICMP) error message. The attacker does not need to be on the path of the connection; the attack works only because the receiver acts on the ICMP error without checking that the quoted TCP header plausibly belongs to a segment it actually sent.
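The check whose absence the advisory title names (validating an ICMP error message against the connection it claims to concern) is easiest to see in code. The following is an added example, not code from F5, BIG-IP or the Nessus plugin: it implements, for a host's own TCP stack, the receiver-side validation from RFC 5927 section 4.1 (the quoted sequence number must fall inside the connection's current send window) plus the soft-error handling of section 5.2, and it applies the same check to "Fragmentation Needed" messages before accepting a Path MTU update. The connection table, addresses, ports and packets are constructed for the example, and the 576-byte floor on accepted next-hop MTU values is a policy choice assumed here, not something stated in the advisory.

```python
import socket
import struct

# Added example (not from the F5 advisory or the Nessus plugin): a receiver-side
# validator for ICMPv4 Destination Unreachable messages that applies the
# TCP-sequence-number check of RFC 5927 section 4.1 before reacting to the
# error. The connection table, addresses, ports and MTU floor are constructed.

ICMP_DEST_UNREACH = 3
CODE_PROTO_UNREACH = 2
CODE_PORT_UNREACH = 3
CODE_FRAG_NEEDED = 4
IPPROTO_TCP = 6
MIN_ACCEPTED_MTU = 576  # policy floor for PMTU updates (assumption, not from the advisory)

# Constructed send-side state for one established connection:
# key = (local_ip, local_port, remote_ip, remote_port) -> SND.UNA / SND.NXT
CONNS = {
    ("10.0.0.5", 443, "198.51.100.7", 50000): {"snd_una": 1000, "snd_nxt": 2000},
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when verifying a good packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_error(code, mtu, src, sport, dst, dport, seq) -> bytes:
    """Build a Destination Unreachable message quoting an IPv4 header plus the first
    8 bytes of a TCP segment (ports and sequence number). This is what a router, or a
    spoofing attacker, sends back to the host that originally sent src -> dst."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                           IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    inner_tcp8 = struct.pack("!HHI", sport, dport, seq)
    rest = struct.pack("!HH", 0, mtu if code == CODE_FRAG_NEEDED else 0)
    body = rest + inner_ip + inner_tcp8
    csum = inet_checksum(struct.pack("!BBH", ICMP_DEST_UNREACH, code, 0) + body)
    return struct.pack("!BBH", ICMP_DEST_UNREACH, code, csum) + body


def parse_icmp_error(pkt: bytes) -> dict:
    """Parse the ICMP header and the embedded IPv4/TCP fields; raise ValueError on junk."""
    if len(pkt) < 8 + 20 + 8:
        raise ValueError("too short to carry an IP header plus 8 bytes of payload")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    if pkt[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    mtu = struct.unpack("!H", pkt[6:8])[0]  # next-hop MTU, meaningful only for code 4
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("embedded IPv4 header is malformed or truncated")
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"code": pkt[1], "mtu": mtu, "proto": inner[9],
            "src": socket.inet_ntoa(inner[12:16]), "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport, "seq": seq}


def seq_in_window(seq, snd_una, snd_nxt) -> bool:
    """SND.UNA <= seq < SND.NXT, evaluated modulo 2**32 (RFC 5927 section 4.1)."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def validate_icmp_error(pkt: bytes, conns=CONNS) -> tuple:
    """Decide what to do with an ICMP error: ('drop'|'ignore'|'soft_error'|'update_pmtu', detail)."""
    try:
        e = parse_icmp_error(pkt)
    except ValueError as exc:
        return ("drop", str(exc))
    if e["proto"] != IPPROTO_TCP:
        return ("drop", "embedded datagram is not TCP")
    # The quoted datagram was sent by us, so its src/sport are our local side.
    conn = conns.get((e["src"], e["sport"], e["dst"], e["dport"]))
    if conn is None:
        return ("drop", "no connection matches the embedded 4-tuple")
    if not seq_in_window(e["seq"], conn["snd_una"], conn["snd_nxt"]):
        # This is the check that defeats the blind attack: an off-path attacker who
        # guesses the 4-tuple still has to hit the current send window.
        return ("drop", "embedded sequence number outside the send window")
    if e["code"] == CODE_FRAG_NEEDED:
        if e["mtu"] < MIN_ACCEPTED_MTU:
            return ("ignore", "next-hop MTU %d below policy floor" % e["mtu"])
        return ("update_pmtu", e["mtu"])
    # RFC 5927 section 5.2: on an established connection, do not abort on "hard"
    # errors (protocol/port unreachable); record them as soft errors instead.
    return ("soft_error", "code %d" % e["code"])


if __name__ == "__main__":
    local, remote = ("10.0.0.5", 443), ("198.51.100.7", 50000)
    # Blind reset attempt: correct 4-tuple, guessed sequence number.
    print(validate_icmp_error(build_icmp_error(CODE_PORT_UNREACH, 0, *local, *remote, 5000)))
    # Spoofed "Fragmentation Needed" with a tiny MTU that does land in the window.
    print(validate_icmp_error(build_icmp_error(CODE_FRAG_NEEDED, 68, *local, *remote, 1500)))
```

The two attacks in the advisory map onto the two branches after the window check: a spoofed port- or protocol-unreachable message that passes validation is downgraded to a soft error rather than tearing the connection down, and a spoofed Fragmentation Needed message is accepted as a PMTU update only if it passes the same window check and advertises an MTU above the floor. Without the sequence-number check, an attacker needs only the 4-tuple, which for a well-known service port and a predictable client port range is a small search space. Because the affected path on BIG-IP is the ePVA hardware offload, there is no configuration-side equivalent of this check on the listed platforms; the remediation is the version upgrade in K23440942.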

This vulnerability only applies to FastL4 virtual servers on BIG-IP platforms with the embedded Packet Velocity Acceleration (ePVA) chip. The ePVA chip is a hardware acceleration Field Programmable Gate Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4 throughput. ePVA chips are included on the following BIG-IP platforms:

B2100 Blade in the VIPRION C2400 or C2200 Chassis

B2150 Blade in the VIPRION C2400 or C2200 Chassis

B2250 Blade in the VIPRION C2400 or C2200 Chassis

B4300 Blade in the VIPRION C4480 or C4800 Chassis

B4340 Blade in the VIPRION C4480 or C4800 Chassis

BIG-IP 12000 series

BIG-IP 10000 series

BIG-IP 7000 series

BIG-IP 5000 series

BIG-IP i5000 series

BIG-IP i7000 series

BIG-IP i10000 series

Solution

Upgrade to one of the non-vulnerable versions listed in the F5 Solution K23440942.

See Also

https://support.f5.com/csp/article/K23440942

https://support.f5.com/csp/article/K4583

Plugin Details

Severity: Critical

ID: 100000

File Name: f5_bigip_SOL23440942.nasl

Version: 3.6

Type: local

Published: 2017/05/08

Updated: 2019/05/09

Dependencies: 76940

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:f5:big-ip_access_policy_manager, cpe:/a:f5:big-ip_advanced_firewall_manager, cpe:/a:f5:big-ip_application_acceleration_manager, cpe:/a:f5:big-ip_application_security_manager, cpe:/a:f5:big-ip_application_visibility_and_reporting, cpe:/a:f5:big-ip_link_controller, cpe:/a:f5:big-ip_local_traffic_manager, cpe:/a:f5:big-ip_policy_enforcement_manager, cpe:/h:f5:big-ip

Required KB Items: Host/local_checks_enabled, Host/BIG-IP/hotfix, Host/BIG-IP/modules, Host/BIG-IP/version, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2017/05/05

Vulnerability Publication Date: 2004/04/12

Reference Information

CVE: CVE-2004-0790, CVE-2004-0791, CVE-2004-1060, CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, CVE-2005-0068

BID: 13124