• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
ICMP echo (ping) is allowed from arbitrary hosts.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
19990607 Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (19990726)
Votes (Legacy)
MODIFY(1) Meunier
NOOP(1) Baker
REJECT(2) Frech, Northcutt
Comments (Legacy)
 Northcutt> (Though I sympathize with this one :)
 CHANGE> [Frech changed vote from REVIEWING to REJECT]
 Frech> Ping is a utility that can be run on demand; ICMP echo is a
   type. As currently worded, this candidate seems as if an arbitrary
   is vulnerable because it is capable of running an arbitrary program
   function (in this case, ping/ICMP echo). There are many
   programs/functions that 
   'shouldn't' be on a computer, from a security admin's perspective.
   Even if this
   were a vulnerability, it would be impacted by CD-HIGHCARD.
 Meunier> Every ICMP message type presents a vulnerability or an
   exposure, if access is not controlled.  By that I mean not only those
   in RFC 792, but also those in RFC 1256, 950, and more.  I think that
   the description should be changed to "ICMP messages are acted upon
   without any access control".  ICMP is an error and debugging protocol.
   We complain about vendors leaving testing backdoors in their programs.
   ICMP is the equivalent for TCP/IP.  ICMP should be in the dog house,
   unless you are trying to troubleshoot something.  MTU discovery is
   just a performance tweak -- it's not necessary.  I don't know of any
   ICMP message type that is necessary if the network is functional.
   Limited logging of ICMP messages could be useful, but acting upon them
   and allowing the modification of routing tables, the behavior of the
   TCP/IP stack, etc... without any form of authentication is just crazy.

Proposed (Legacy)
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.