CVE-2004-0790
Published 2005-04-12
Priority P3 · medium · CVSS 2.0 score 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit available · EPSS 80.67% (99.6th percentile)
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
Detection & IOCs (extracted from sources)
bytes: `\x00\x50\x00\x50\x23\x48\x4f\x44`
- Detect blind TCP connection-reset attack: look for spoofed ICMP Type 3 Code 2 (protocol unreachable) packets where the embedded IP/TCP header matches an existing TCP connection's 4-tuple (src IP, dst IP, src port, dst port).
- Detect ICMP Path MTU Discovery attack: look for spoofed ICMP Type 3 Code 4 (fragmentation needed, DF set) packets with a suspiciously low next-hop MTU value (e.g., 68 bytes) embedded in the unused field.
- Detect ICMP Source Quench attack (CAN-2004-0790): look for spoofed ICMP Type 4 Code 0 (Source Quench) packets referencing valid TCP connection 4-tuples to degrade throughput.
- The PoC uses a raw UDP socket (SOCK_RAW, IPPROTO_UDP) with IP_HDRINCL to craft and send malicious ICMP packets; monitor for raw socket creation combined with ICMP traffic targeting established TCP connections.
- The Windows IP options DoS PoC (MS05-019) sends a TCP SYN with an IP options field where the option size byte is set to 39 (maximum 40, with 2 already used); detect IP packets with a 60-byte IP header and malformed option size of 39.
- The attack is effective because RFC specifications do not mandate security checks on ICMP error messages; any ICMP message with a valid source/destination IP and port pair matching an existing connection will be accepted, making spoofed ICMP inherently difficult to filter without stateful inspection.
- CVE-2004-0790 (blind connection-reset), CVE-2004-0791 (Source Quench), and CVE-2004-1060 (PMTUD) are distinct attack vectors sharing the same underlying ICMP validation weakness; detections and mitigations must address all three attack types separately.
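The detection notes above describe the check in words: match the IP/TCP header embedded in an ICMP error against the live connection table, and (the mitigation the CVE-2005-0065 entry below calls "TCP sequence number checking", later written up in RFC 5927) only honour the error if the embedded sequence number falls inside the data sent but not yet acknowledged. The following Python is an added example written for this page, not code from any of the listed sources or PoCs. It assumes a hypothetical connection table keyed by the local 4-tuple with `(SND.UNA, SND.NXT)` values, treats a next-hop MTU below 576 as suspicious (an assumption; the notes cite 68 as an example), constructs its own sample packets with zero checksums, and does not verify checksums.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Hypothetical connection table (constructed for this example): key is the local
# view of the 4-tuple (local IP, remote IP, local port, remote port); value is
# (SND.UNA, SND.NXT), the bounds of data sent but not yet acknowledged.
ConnKey = Tuple[str, str, int, int]
ConnTable = Dict[ConnKey, Tuple[int, int]]

HARD_UNREACH_CODES = {2, 3}  # protocol/port unreachable: "hard" errors per RFC 1122
MIN_PLAUSIBLE_MTU = 576      # assumption: a next-hop MTU below this is treated as suspicious


def parse_icmp_error(pkt: bytes) -> Optional[dict]:
    """Parse outer IPv4 + ICMP header + embedded IPv4/TCP (first 8 TCP bytes).
    Returns None for anything that is not an ICMP message carrying a TCP segment."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1 or len(pkt) < ihl + 8:      # protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    itype, icode, _csum, rest = struct.unpack("!BBHI", icmp[:8])
    inner = icmp[8:]
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or inner[9] != 6 or len(inner) < inner_ihl + 8:  # protocol 6 = TCP
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
    return {"type": itype, "code": icode, "rest": rest,
            "src": str(ipaddress.IPv4Address(inner[12:16])),
            "dst": str(ipaddress.IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport, "seq": seq}


def classify_attack(h: dict) -> Optional[str]:
    """Map ICMP type/code to the three attack classes the advisories split out."""
    if h["type"] == 3 and h["code"] in HARD_UNREACH_CODES:
        return "blind-connection-reset"                       # CVE-2004-0790
    if h["type"] == 3 and h["code"] == 4:
        next_hop_mtu = h["rest"] & 0xFFFF                     # low 16 bits of the "unused" word
        return "pmtud-reduction" if next_hop_mtu < MIN_PLAUSIBLE_MTU else None  # CVE-2004-1060
    if h["type"] == 4 and h["code"] == 0:
        return "source-quench"                                # CVE-2004-0791
    return None


def evaluate(pkt: bytes, conns: ConnTable) -> str:
    """Drop when no connection matches; flag a spoof when the embedded sequence
    number is outside [SND.UNA, SND.NXT); otherwise alert on the matching flow."""
    h = parse_icmp_error(pkt)
    if h is None:
        return "malformed"
    attack = classify_attack(h)
    if attack is None:
        return "benign"
    key = (h["src"], h["dst"], h["sport"], h["dport"])
    if key not in conns:
        return f"{attack}: no matching connection (drop)"
    snd_una, snd_nxt = conns[key]
    in_flight = (snd_nxt - snd_una) % 2**32
    if (h["seq"] - snd_una) % 2**32 >= in_flight:   # also rejects when nothing is in flight
        return f"{attack}: sequence check failed (likely spoofed)"
    return f"{attack}: matches live connection (alert)"


def _ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_icmp_error(itype: int, icode: int, rest: int, src: str, dst: str,
                     sport: int, dport: int, seq: int) -> bytes:
    """Constructed test packet: router 192.0.2.1 reports an error about src->dst.
    Checksums are left zero because evaluate() does not verify them."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0, _ip4(src), _ip4(dst))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    icmp = struct.pack("!BBHI", itype, icode, 0, rest) + inner_ip + inner_tcp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                           _ip4("192.0.2.1"), _ip4(src))
    return outer_ip + icmp


# Constructed sample: one live connection with 500 bytes in flight.
CONNS: ConnTable = {("198.51.100.10", "203.0.113.5", 40000, 80): (1000, 1500)}


def demo() -> Dict[str, str]:
    c = ("198.51.100.10", "203.0.113.5", 40000, 80)
    cases = {
        "reset_in_window":    build_icmp_error(3, 2, 0, *c, 1200),
        "reset_bad_seq":      build_icmp_error(3, 2, 0, *c, 5000),
        "reset_unknown_conn": build_icmp_error(3, 2, 0, c[0], c[1], 40001, 80, 1200),
        "pmtud_68":           build_icmp_error(3, 4, 68, *c, 1200),
        "pmtud_1400":         build_icmp_error(3, 4, 1400, *c, 1200),
        "source_quench":      build_icmp_error(4, 0, 0, *c, 1200),
        "not_icmp":           bytes([0x45]) + bytes(19),
    }
    return {name: evaluate(pkt, CONNS) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The 4-tuple match alone is what the notes call out, and on its own it only tells you the sender knew (or guessed) the ports; the sequence-number window is what turns a plausible-looking error into a dropped one, since an off-path sender must also land inside the unacknowledged data, and an error arriving when nothing is in flight is rejected outright.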
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA-5c86-xw43-gw75 · CVE-2004-0790 [MEDIUM] · ghsa_unreviewed · 2022-05-03 · CVSS 5.0
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-8jw3-72q3-6378 · CVE-2004-1060 [MEDIUM] · ghsa_unreviewed · 2022-05-03 · CVSS 5.0
Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-fqvv-84gm-c2c5 · CVE-2004-0791 [MEDIUM] · ghsa_unreviewed · 2022-05-03 · CVSS 5.0
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-whr2-cjwc-wj5g · CVE-2005-0065 [MEDIUM] · ghsa_unreviewed · 2022-05-01 · CVSS 5.0
The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-rhmh-v4vm-7q2m · CVE-2005-0068 [MEDIUM] · ghsa_unreviewed · 2022-05-01 · CVSS 5.0
The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-626v-45vc-q94p · CVE-2005-0067 [MEDIUM] · ghsa_unreviewed · 2022-05-01 · CVSS 5.0
The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
GHSA-4v46-4mj5-q2x2 · CVE-2005-0066 [MEDIUM] · ghsa_unreviewed · 2022-05-01 · CVSS 5.0
The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
Red Hat · CVE-2004-0791 [MEDIUM] · security flaw · vendor_redhat · 2005-04-12 · CVSS 5.0
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
No detection rules found.
Exploit-DB · CVE-2004-0790 · exploitdb · 2005-04-20
Multiple OS (Win32/Aix/Cisco) - Crafted ICMP Messages Denial of Service (MS05-019)
---
```c
/* HOD-icmp-attacks-poc.c: 2005-04-15: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-019) (CISCO:20050412)
 * ICMP attacks against TCP (Proof-of-Concept)
 *
 * .::[ houseofdabus ]::.
 *
 * [ for more details:
 * [ http://www.livejournal.com/users/houseofdabus
 * ---------------------------------------------------------------------
 * Systems Affected:
 * - Cisco Content Services Switch 11000 Series (WebNS)
 * - Cisco Global Site Selector (GSS) 4480 1.x
 * - Cisco IOS 10.x
 * - Cisco IOS 11.x
 * - Cisco IOS 12.x
 * - Cisco IOS R11.x
 * - Cisco IOS R12.x
 * - Cisco IOS XR (CRS-1) 3.x
 * - Cisco ONS 15000 Series
 * - Cisco PIX 6.x
 * - Cisco SAN-OS 1.x (MDS 9000 Switches)
 * - AIX 5.x
 * - Windows S
```
Exploit-DB · CVE-2005-0688 · exploitdb · 2005-04-17
Microsoft Windows - Malformed IP Options Denial of Service (MS05-019)
---
```c
/* ecl-winipdos.c - 16/04/05
 * Yuri Gushin
 * Alex Behar
 *
 * This one was actually interesting, an off-by-one by our beloved
 * M$ :)
 *
 * When processing an IP packet with an option size (2nd byte after
 * the option) of 39, it will crash - since the maximum available
 * size is 40 for the whole IP options field, and two are already used:
 * [ OPT ] [ SIZE ] [ 38 more bytes ]
 * Checks are done to validate that the option-size field is less than
 * 40, where a value less than !39! should be checked for validation.
 *
 * Note that this doesn't affect ALL options, and is also dependent upon
 * the underlying protocol.
 * Anyways, a small PoC to see how it works and why, tweak test and
 * explore, have fun :)
 *
 * Greets fly out
```
Exploit-DB · CVE-2004-0790 · exploitdb · 2005-04-12
Multiple Vendor ICMP Message Handling - Denial of Service
---
source: https://www.securityfocus.com/bid/13124/info
Multiple vendor implementations of TCP/IP Internet Control Message Protocol (ICMP) are reported prone to several denial-of-service attacks.
ICMP is employed by network nodes to determine certain automatic actions to take based on network failures reported by an ICMP message.
Reportedly, the RFC doesn't recommend security checks for ICMP error messages. As long as an ICMP message contains a valid source and destination IP address and port pair, it will be accepted for an associated connection.
The following individual attacks are reported:
- A blind connection-reset attack. This attack takes advantage of the specification that describes that on receiving a 'hard' ICMP er
References
- ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2006.4/SCOSA-2006.4.txt
- http://marc.info/?l=bugtraq&m=112861397904255&w=2
- http://secunia.com/advisories/18317
- http://secunia.com/advisories/22341
- http://securityreason.com/securityalert/19
- http://securityreason.com/securityalert/57
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101658-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-57746-1
- http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
- http://www.securityfocus.com/archive/1/418882/100/0/threaded
- http://www.securityfocus.com/archive/1/449179/100/0/threaded
- http://www.securityfocus.com/bid/13124
- http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en
- http://www.vupen.com/english/advisories/2006/3983
- http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2005/ms05-019
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-064
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1177
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A176
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1910
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A211
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3458
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A412
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4804
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A514
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A53
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A622