As a result of research work, Keyu Man reported that the ICMP rate limiter could be used by attackers to get a useful signal (which, for example, could be used for a DNS poisoning attack). After considering what could be improved in the kernel to prevent this, this patch was suggested: https://github.com/torvalds/linux/commit/b38e7819cae946e2edf869e604
Described by Keyu Man:

Attack Scenario: When a DNS resolver is resolving a domain name (e.g., www.google.com), it will send a query to the authoritative server (e.g., ns1.google.com) through UDP. While the resolver is waiting for the reply, an off-path attacker (i.e., one who can't sniff the packets flying between these two servers) can leverage this vulnerability to infer the ephemeral port of the outgoing query quickly and then send a malicious response (e.g., www.google.com A 1.2.3.4) to the resolver by impersonating the authoritative name server (i.e., using IP spoofing). The DNS resolver will then cache this malicious record, and anyone querying the resolver thereafter will get the malicious response, causing their traffic to be hijacked by the attacker (e.g., all traffic to www.google.com will be directed to 1.2.3.4, which is controlled by the attacker).

Root Cause: The core of this attack is the ability of an off-path attacker to infer the open ephemeral port on a Linux host quickly, which is enabled by the ICMP global rate limit mechanism in the Linux kernel. The fundamental issue is that a predictable global rate limit counter is shared by all traffic, including both the attacker's spoofed and real traffic.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1897656]
This issue was fixed for Fedora with the 5.8.17 stable kernel updates.
Mitigation: The mitigation is to disable ICMP destination unreachable messages. The commands to disable UDP port unreachable ICMP reply messages are:

    iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
    service iptables save

For additional information about "service iptables save", please read https://access.redhat.com/solutions/1597703

It is not recommended to apply this rule if the host is being used as a forwarder (router) of IP packets.

Alternatively, it is possible to use this firewall-cmd command instead of iptables; the result is similar:

    firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP
Statement: This issue is rated as having Moderate impact because of the limitations of the attack scenario. It is possible to harm networking services only, not the overall system under attack, and it is not possible to gain access to the remote system under attack.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0537 https://access.redhat.com/errata/RHSA-2021:0537
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0558 https://access.redhat.com/errata/RHSA-2021:0558
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25705
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:0686 https://access.redhat.com/errata/RHSA-2021:0686
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0774 https://access.redhat.com/errata/RHSA-2021:0774
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:0765 https://access.redhat.com/errata/RHSA-2021:0765
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:1531 https://access.redhat.com/errata/RHSA-2021:1531
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions Red Hat Enterprise Linux 7.4 Telco Extended Update Support Via RHSA-2021:2164 https://access.redhat.com/errata/RHSA-2021:2164
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2021:2355 https://access.redhat.com/errata/RHSA-2021:2355