CVE-ID | ||
---|---|---|
CVE-2001-0323 |
Description | ||
The ICMP path MTU (PMTU) discovery feature in various UNIX systems allows remote attackers to cause a denial of service by spoofing "ICMP Fragmentation needed but Don't Fragment (DF) set" packets between two target hosts, which could cause one host to lower its MTU when transmitting to the other host. | ||
References | ||
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete. | ||
Assigning CNA | ||
MITRE Corporation | ||
Date Record Created | ||
20010404 | Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. | |
Phase (Legacy) | ||
Modified (20131008) | ||
Votes (Legacy) | ||
ACCEPT(2) Frech, Meunier; NOOP(4) Christey, Cole, Wall, Ziese; REVIEWING(1) Bishop |
Comments (Legacy) | ||
Christey> (prompted from Pascal Meunier) should this be treated as a general design issue with ICMP? Or is it a specific implementation flaw that only affects Reliant? |
Meunier> It seems obvious that if one sets the MTU to just one byte above the size of an IP header (let's say 21 bytes), data transmission is not going to go anywhere fast, as the overhead will be 20 times the payload... As I said for another candidate, ICMP messages should not be acted upon without access control. I'm not sure that references to UNIX should be kept. It seems that this should work with any OS. It would be nasty if some OSes accepted an MTU of 20, as you could not transmit any IP data. |
Proposed (Legacy) | ||
20010404 | ||
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. | ||