CVE-ID

CVE-1999-0523

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
ICMP echo (ping) is allowed from arbitrary hosts.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Entry Created
19990607 Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (19990726)
Votes (Legacy)
MODIFY(1) Meunier
NOOP(1) Baker
REJECT(2) Frech, Northcutt
Comments (Legacy)
 Northcutt> (Though I sympathize with this one :)
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> Ping is a utility that can be run on demand; ICMP echo is a
   message 
   type. As currently worded, this candidate seems as if an arbitrary
   host 
   is vulnerable because it is capable of running an arbitrary program
   or
   function (in this case, ping/ICMP echo). There are many
   programs/functions that 
   'shouldn't' be on a computer, from a security admin's perspective.
   Even if this
   were a vulnerability, it would be impacted by CD-HIGHCARD.
 Meunier> Every ICMP message type presents a vulnerability or an
   exposure, if access is not controlled.  By that I mean not only those
   in RFC 792, but also those in RFC 1256, 950, and more.  I think that
   the description should be changed to "ICMP messages are acted upon
   without any access control".  ICMP is an error and debugging protocol.
   We complain about vendors leaving testing backdoors in their programs.
   ICMP is the equivalent for TCP/IP.  ICMP should be in the dog house,
   unless you are trying to troubleshoot something.  MTU discovery is
   just a performance tweak -- it's not necessary.  I don't know of any
   ICMP message type that is necessary if the network is functional.
   Limited logging of ICMP messages could be useful, but acting upon them
   and allowing the modification of routing tables, the behavior of the
   TCP/IP stack, etc... without any form of authentication is just crazy.

Proposed (Legacy)
19990726
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.