----------------------------------------------
Security Bulletin
September 3, 1997

Information gathering vulnerability in several host/router platforms.
----------------------------------------------

DESCRIPTION

Many host platforms respond to ICMP address mask requests (ICMP_MASKREQ,
type 17), even when they should not respond to those requests. This permits
an attacker to learn topological information about an internal network, and
may permit an attacker to infer host OS information or behavior from the
target network.

Most hosts should not respond to queries of this type unless specifically
configured to do so. However, this behavior appears to be the default
behavior in a number of systems. Hosts which respond to ICMP address mask
requests without having been specifically configured to do so are in
violation of RFC 1122, the host requirements RFC, which states that:

    A system MUST NOT send an Address Mask Reply unless it is an
    authoritative agent for address masks. An authoritative agent may be
    a host or a gateway, but it MUST be explicitly configured as an
    address mask agent. ...

    (RFC 1122, section 3.2.2.9)

IMPACT

Outside machines may be able to gain knowledge about the internal network
topology and machine types via a single ICMP packet. This knowledge could
prove useful to attackers attempting to launch a denial-of-service attack
(the subnet mask can be used to determine the broadcast address for a
network without trial and error, leading to a number of recently popular
ICMP and UDP denial of service attacks), or to attackers attempting to
determine where the trust relationships in a network lie.

This is a relatively low-severity concern for most sites, but the behavior
exhibited by many platforms is aberrant and should be corrected. Sites which
block ICMP_ECHO ("ping") requests should also block ICMP address mask
requests, since they may be used for much the same purposes as ping packets.

AFFECTS

A large number of systems are affected by this vulnerability. This list is
not complete. Systems tested include:

  System                  Vulnerable     User correctable?                   Patch?
                          (as shipped)

  Operating Systems
  ------------------
  FreeBSD-Current         no             net.inet.icmp.maskrepl
  FreeBSD-2.2.x           no             "
  FreeBSD-2.1.x           no             "
  Linux 1.x               yes            "
  Linux 2.x               no
  SunOS                   yes
  Solaris 2.5.1           yes            /dev/ip ip_respond_to_address_mask
  HPUX 9.05               yes
  HPUX 9.03               yes
  IRIX 5.3                yes
  Microsoft NT 4.0        yes
  Microsoft Windows 95    yes
  Mac - MacTCP            no
  Mac - TCP/IP            yes?
  Apple Internet Server   yes

REMEDY

Block ICMP address mask requests at your router. This can be done on any
router which allows ICMP type filtering. On routers from Cisco Systems, it
can be blocked by inserting a rule such as:

    access-list 130 deny icmp any any mask-request

Hosts for which the table above lists a tunable (the FreeBSD sysctl and the
Solaris /dev/ip parameter) can additionally be configured on the host itself
not to send Address Mask Replies.

SEE ALSO

Braden, R. T., ed., RFC 1122, "Requirements for Internet Hosts --
Communication Layers"

Mogul, J. and Postel, J., RFC 950, "Internet Standard Subnetting Procedure"
(Appendix I)

Baker, F., ed., RFC 1812, "Requirements for IP Version 4 Routers"
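The following is an added worked example, not code from the bulletin or from any of the vendors listed above. It builds the ICMP Address Mask Request (type 17) a scanner would send, parses the Address Mask Reply (type 18) a misconfigured host returns, and carries through the inference the IMPACT section describes: host address plus leaked mask gives the directed broadcast address. The wire layout follows RFC 950 Appendix I. The function names are the example's own, the reply bytes are constructed rather than captured, and the host 192.0.2.77 with mask 255.255.255.0 is sample data. The raw-socket probe at the end requires root and is not exercised offline.

```python
"""ICMP Address Mask Request/Reply (types 17/18) and the broadcast inference.

Added example for this bulletin, not code from the original advisory.
Wire format per RFC 950 Appendix I:
  type(1) code(1) checksum(2) identifier(2) sequence(2) address mask(4)
All function names here are the example's own; the reply bytes and the host
address 192.0.2.77 / mask 255.255.255.0 are constructed sample data.
"""
import ipaddress
import socket
import struct

ICMP_MASKREQ = 17     # address mask request
ICMP_MASKREPLY = 18   # address mask reply
HDR = "!BBHHH4s"      # type, code, checksum, ident, seq, mask
HDR_LEN = struct.calcsize(HDR)  # 12 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    Over a packet whose checksum field is already filled in, a valid packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _build(typ: int, ident: int, seq: int, mask: bytes) -> bytes:
    """Pack the header with a zero checksum, then pack again with the real one."""
    hdr = struct.pack(HDR, typ, 0, 0, ident, seq, mask)
    return struct.pack(HDR, typ, 0, icmp_checksum(hdr), ident, seq, mask)


def build_mask_request(ident: int, seq: int) -> bytes:
    """What a scanner sends: type 17 with the mask field zeroed."""
    return _build(ICMP_MASKREQ, ident, seq, b"\x00" * 4)


def build_mask_reply(ident: int, seq: int, mask: str) -> bytes:
    """What a misbehaving host sends back: type 18 carrying its subnet mask."""
    return _build(ICMP_MASKREPLY, ident, seq, ipaddress.IPv4Address(mask).packed)


def parse_mask_reply(pkt: bytes):
    """Return (ident, seq, dotted mask) for a well-formed type 18 reply, else None.
    Rejects short packets, bad checksums, and any other ICMP type or code."""
    if len(pkt) < HDR_LEN or icmp_checksum(pkt[:HDR_LEN]) != 0:
        return None
    typ, code, _, ident, seq, mask = struct.unpack(HDR, pkt[:HDR_LEN])
    if typ != ICMP_MASKREPLY or code != 0:
        return None
    return ident, seq, str(ipaddress.IPv4Address(mask))


def broadcast_address(host: str, mask: str) -> str:
    """The inference from the IMPACT section: probed host + leaked mask -> directed broadcast."""
    net = ipaddress.IPv4Network((host, mask), strict=False)
    return str(net.broadcast_address)


def probe(host: str, timeout: float = 2.0):
    """Send one request over a raw ICMP socket (needs root / CAP_NET_RAW) and parse the reply.
    Not exercised offline; shown so the wire exchange is complete."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_mask_request(0x1234, 1), (host, 0))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    ihl = (data[0] & 0x0F) * 4  # a raw ICMP socket returns the IP header too; skip it
    return parse_mask_reply(data[ihl:])


if __name__ == "__main__":
    # Offline walk-through with a constructed reply from the sample host 192.0.2.77.
    reply = build_mask_reply(0x1234, 1, "255.255.255.0")
    ident, seq, mask = parse_mask_reply(reply)
    print("leaked mask:", mask, "-> broadcast", broadcast_address("192.0.2.77", mask))
```

A reply of 255.255.255.0 from 192.0.2.77 pins the directed broadcast address to 192.0.2.255 in one round trip, which is exactly the trial-and-error step the IMPACT section says the leak removes; a host that honours RFC 1122 simply never answers, and parse_mask_reply returns None on the echo or any other type that comes back instead.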