CVE-2004-0790
published 2005-04-12


Priority: P3 (42), medium
CVSS 2.0: 5, vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 80.67% (99.6th percentile)
Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.

Affected

5 ranges

Vendor     Product              Version range   Fixed in
microsoft  windows_2003_server  -               -
sun        solaris              -               -
sun        solaris              -               -
sun        sunos                -               -
sun        sunos                -               -

Detection & IOCs (extracted from sources)

command: HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:1
command: HOD-icmp.exe -fi:serverIP -ti:clientIP -fp:80 -tp:1023 -a:2
command: HOD-icmp.exe -fi:routerIP2 -ti:routerIP1 -fp:179 -a:1
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/25389.tar.gz
filename: HOD-icmp-attacks-poc.c
filename: ecl-winipdos.c
bytes: \x00\x50\x00\x50\x23\x48\x4f\x44
  • Detect blind TCP connection-reset attack: look for spoofed ICMP Type 3 Code 2 (protocol unreachable) packets where the embedded IP/TCP header matches an existing TCP connection's 4-tuple (src IP, dst IP, src port, dst port).
  • Detect ICMP Path MTU Discovery attack: look for spoofed ICMP Type 3 Code 4 (fragmentation needed, DF set) packets with a suspiciously low next-hop MTU value (e.g., 68 bytes) embedded in the unused field.
  • Detect ICMP Source Quench attack (CAN-2004-0790): look for spoofed ICMP Type 4 Code 0 (Source Quench) packets referencing valid TCP connection 4-tuples to degrade throughput.
  • The PoC uses a raw UDP socket (SOCK_RAW, IPPROTO_UDP) with IP_HDRINCL to craft and send malicious ICMP packets; monitor for raw socket creation combined with ICMP traffic targeting established TCP connections.
  • The Windows IP options DoS PoC (MS05-019) sends a TCP SYN with an IP options field where the option size byte is set to 39 (maximum 40, with 2 already used); detect IP packets with a 60-byte IP header and malformed option size of 39.
  • The attack is effective because RFC specifications do not mandate security checks on ICMP error messages; any ICMP message with a valid source/destination IP and port pair matching an existing connection will be accepted, making spoofed ICMP inherently difficult to filter without stateful inspection.
  • CVE-2004-0790 (blind connection-reset), CVE-2004-0791 (Source Quench), and CVE-2004-1060 (PMTUD) are distinct attack vectors sharing the same underlying ICMP validation weakness; detections and mitigations must address all three attack types separately.
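As an added detection example (not code from this page or from the PoC sources it lists), the Python below parses an IPv4 packet carrying an ICMP error, extracts the TCP 4-tuple quoted inside it and labels the three variants described in the bullets above (Type 3 Code 2, Type 3 Code 4 with a tiny next-hop MTU, Type 4 Code 0) only when that tuple matches a tracked connection, which is the stateful check the last two bullets call for. The tracked-connection set, the 576-byte MTU threshold and the packet builder are assumptions constructed for the demo.

```python
import struct

# Live TCP connections the detector knows about: (src_ip, src_port, dst_ip, dst_port).
# Constructed sample set; in practice this comes from a connection tracker.
TRACKED_CONNECTIONS = {("10.0.0.5", 80, "192.0.2.10", 1023)}
LOW_MTU_THRESHOLD = 576  # assumption: a next-hop MTU below this is treated as suspicious


def parse_icmp_error(ip_pkt: bytes):
    """Return (icmp_type, code, second_word, quoted_4tuple) for an IPv4 ICMP error
    that quotes a TCP segment, or None if the packet is not such a message."""
    if len(ip_pkt) < 20 or ip_pkt[9] != 1:            # outer protocol 1 = ICMP
        return None
    icmp = ip_pkt[(ip_pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 + 8:                         # ICMP hdr + quoted IP hdr + 8 bytes of TCP
        return None
    icmp_type, code, second_word = icmp[0], icmp[1], icmp[4:8]  # word 2 holds next-hop MTU for 3/4
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < inner_ihl + 8:    # quoted protocol 6 = TCP
        return None
    src_ip = ".".join(str(b) for b in inner[12:16])
    dst_ip = ".".join(str(b) for b in inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return icmp_type, code, second_word, (src_ip, sport, dst_ip, dport)


def classify_icmp_error(ip_pkt: bytes, connections=TRACKED_CONNECTIONS):
    """Label an ICMP error whose quoted 4-tuple matches a tracked connection, else None."""
    parsed = parse_icmp_error(ip_pkt)
    if parsed is None:
        return None
    icmp_type, code, second_word, t4 = parsed
    if t4 not in connections and (t4[2], t4[3], t4[0], t4[1]) not in connections:
        return None                                    # must match either direction of a live flow
    if icmp_type == 3 and code == 2:
        return "blind-reset"                           # protocol unreachable: hard error, stack drops the connection
    if icmp_type == 3 and code == 4:
        mtu = struct.unpack("!H", second_word[2:4])[0]
        if mtu < LOW_MTU_THRESHOLD:
            return f"pmtud-attack mtu={mtu}"           # fragmentation needed with an absurdly small MTU
    if icmp_type == 4 and code == 0:
        return "source-quench"
    return None


def build_icmp_error(icmp_type, code, second_word, src_ip, sport, dst_ip, dport):
    """Build a minimal IPv4+ICMP error packet (constructed test input, never sent)."""
    def ip_hdr(proto, src, dst):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    inner = ip_hdr(6, src_ip, dst_ip) + struct.pack("!HH", sport, dport) + b"\x00" * 4
    return ip_hdr(1, "203.0.113.9", src_ip) + bytes([icmp_type, code, 0, 0]) + second_word + inner
```

Fed with real captures, the same classifier flags only errors that quote a flow the tracker already knows, which is what keeps it from alerting on the background ICMP noise of a normal network.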

CVSS provenance

nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat: 5.0 MEDIUM