Vulnerability Name: CVE-2005-0065 (CCN-17170)

Assigned: 2004-09-01
Published: 2004-09-01
Updated: 2008-09-05
Summary: The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced.
Note: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Denial of Service
References:
Source: CCN
Type: BugTraq Mailing List, Thu May 26 2005 - 12:08:50 CDT
[security bulletin] SSRT4884 rev.0 - HP-UX TCP/IP Remote Denial of Service (DoS)

Source: MITRE
Type: CNA
CVE-2004-0790

Source: MITRE
Type: CNA
CVE-2005-0065

Source: MITRE
Type: CNA
CVE-2005-0066

Source: MITRE
Type: CNA
CVE-2005-0067

Source: MITRE
Type: CNA
CVE-2005-0068

Source: CCN
Type: BlueCoat Download Web page
ProxySG Secure Proxy Appliance

Source: CCN
Type: NetApp Web site
NetApp On the Web

Source: CCN
Type: SA18317
SCO OpenServer ICMP Message Handling Denial of Service

Source: CCN
Type: SA22341
Microsoft Windows Multiple IPv6 Denial of Service Vulnerabilities

Source: CCN
Type: ASA-2006-217
Windows Security Updates for October 2006 - (MS06-056 - MS06-065)

Source: CCN
Type: Blue Coat Security Advisory July 19, 2005
Security Advisory: ICMP Error Message Vulnerabilities

Source: CCN
Type: CIAC INFORMATION BULLETIN P-177
Vulnerabilities in TCP-IP (893066)

Source: CCN
Type: CIAC INFORMATION BULLETIN P-181
Cisco Products Vulnerable to DoS via Crafted ICMP Messages

Source: CCN
Type: Cisco Web site
Cisco IP Phone 7970G Release Notes for Firmware Release 6.0(1) SR1 for Cisco CallManager Versions 3.3 and 4.0

Source: CCN
Type: Cisco Security Advisory 2005 April 12 1200 UTC (GMT)
Crafted ICMP Messages Can Cause Denial of Service

Source: CCN
Type: Gont's Web site
ICMP attacks against TCP

Source: MISC
Type: UNKNOWN
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html

Source: CCN
Type: US-CERT VU#222750
TCP/IP implementations do not adequately validate ICMP error messages

Source: CCN
Type: Microsoft Security Bulletin MS05-019
Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066)

Source: CCN
Type: Microsoft Security Bulletin MS06-032
Vulnerability in TCP/IP Could Allow Remote Code Execution (917953)

Source: CCN
Type: Microsoft Security Bulletin MS06-064
Vulnerabilities in TCP/IP IPv6 Could Allow Denial of Service (922819)

Source: CCN
Type: Microsoft Security Bulletin MS08-001
Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)

Source: CCN
Type: Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)

Source: CCN
Type: OpenBSD 3.4 errata Web site
027: RELIABILITY FIX: August 25, 2004

Source: CCN
Type: OSVDB ID: 15620
Multiple Vendor TCP Implementation Malformed Sequence Number Range Issue

Source: CCN
Type: OSVDB ID: 15621
Multiple Vendor TCP Implementation Acknowledgement Number Checking Issue

Source: CCN
Type: OSVDB ID: 15622
Multiple Vendor TCP Implementation Port Randomization Weakness

Source: CCN
Type: OSVDB ID: 15623
Multiple Vendor ICMP Implementation Host-generated ICMP Error Message Authentication Weakness

Source: BID
Type: UNKNOWN
13124

Source: CCN
Type: BID-13124
Multiple Vendor TCP/IP Implementation ICMP Remote Denial Of Service Vulnerabilities

Source: CCN
Type: Hewlett-Packard Company Web site
IT Resource Center - login / register

Source: CCN
Type: Internet-Draft of ICMP attacks
ICMP attacks against TCP draft-gont-tcpm-icmp-attacks-03.txt

Source: XF
Type: UNKNOWN
icmp-protocol-unreachable-tcp(17170)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:tcp:tcp:*:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:accelatech:bizsearch:3.2:-:*:*:*:linux_kernel:*:*
  • OR cpe:/o:compaq:tru64:4.0f:*:*:*:*:*:*:*
  • OR cpe:/o:compaq:tru64:4.0g:*:*:*:*:*:*:*
  • OR cpe:/o:compaq:tru64:5.1a:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:ip_phone_7960:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:-:sp3:*:*:*:*:*:*
  • OR cpe:/o:hp:hp-ux:b.11.00:*:*:*:*:*:*:*
  • OR cpe:/o:hp:hp-ux:b.11.11:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:openbsd:openbsd:3.4:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:*:*:*:*:*:*:*:*
  • OR cpe:/o:windriver:vxworks:5:*:*:*:*:*:*:*
  • OR cpe:/o:hp:hp-ux:b.11.23:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:ip_phone_7940:*:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:catalyst_6608:*:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:catalyst_6624:*:*:*:*:*:*:*:*
  • OR cpe:/o:cisco:ios_xr:*:*:*:*:*:*:*:*
  • OR cpe:/a:bluecoat:director:5.4:*:*:*:*:*:*:*
  • OR cpe:/h:juniper:junos:-:*:*:*:*:*:*:*
  • OR cpe:/o:bluecoat:cacheos:-:*:*:*:*:*:*:*
  • AND
  • cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    tcp tcp *
    accelatech bizsearch 3.2 -
    compaq tru64 4.0f
    compaq tru64 4.0g
    compaq tru64 5.1a
    microsoft windows xp
    cisco ip phone 7960 *
    microsoft windows 2000 - sp3
    hp hp-ux b.11.00
    hp hp-ux b.11.11
    microsoft windows 2000 - sp4
    openbsd openbsd 3.4
    microsoft windows 2003 server *
    windriver vxworks 5
    hp hp-ux b.11.23
    cisco ip phone 7940 *
    cisco catalyst 6608 *
    cisco catalyst 6624 *
    cisco ios xr *
    bluecoat director 5.4
    juniper junos -
    bluecoat cacheos -
    microsoft windows vista *
    microsoft windows 7 *
    microsoft windows server 2008 *
    microsoft windows server 2008 - r2
    microsoft windows server 2012
    microsoft windows 8 *