Synopsis
The remote device is missing a vendor-supplied security patch.
Description
The vulnerability described in this article was initially fixed in earlier versions, but a regression reintroduced it in BIG-IP 12.x through 13.x. For information about earlier versions, refer to K4583: Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790 (9.x - 10.x).
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the 'blind connection-reset attack.' NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. (CVE-2004-0790)
A remote attacker can interfere with the Path MTU Discovery process and cause a performance degradation or reset of FastL4 accelerated TCP connections by spoofing a specifically crafted Internet Control Message Protocol (ICMP) message.
This vulnerability only applies to FastL4 virtual servers on BIG-IP platforms with the embedded Packet Velocity Acceleration (ePVA) chip. The ePVA chip is a hardware acceleration Field Programmable Gate Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4 throughput. ePVA chips are included on the following BIG-IP platforms:
B2100 Blade in the VIPRION C2400 or C2200 Chassis
B2150 Blade in the VIPRION C2400 or C2200 Chassis
B2250 Blade in the VIPRION C2400 or C2200 Chassis
B4300 Blade in the VIPRION C4480 or C4800 Chassis
B4340 Blade in the VIPRION C4480 or C4800 Chassis
BIG-IP 12000 series
BIG-IP 10000 series
BIG-IP 7000 series
BIG-IP 5000 series
BIG-IP i5000 series
BIG-IP i7000 series
BIG-IP i10000 series
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K23440942.