A flaw in the processing of received ICMP errors (ICMP Fragmentation Needed and ICMP Redirect) in the Linux kernel was found that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote attacker to effectively bypass UDP source port randomization.
This flaw is similar to the earlier CVE-2020-25705: both enable DNS poisoning attacks based on ICMP replies used for open-port scanning, but with a different type of ICMP packet.
As a result of research work, Keyu Man reported that IP fragments (a fragmented PING echo reply) could be used by attackers to obtain a useful signal (which could, for example, be used for a DNS poisoning attack).
After considering what could be improved in the kernel to prevent this, two ways were suggested:
I. The most direct way is to use the socket option IP_PMTUDISC_OMIT, which instructs the OS not to accept ICMP Fragmentation Needed messages and therefore eliminates the side-channel-related processing in the kernel;
II. Randomize the caching structure:
(1) the maximum length of the linked list used for resolving hash collisions (currently 5),
(2) the eviction policy (currently the oldest entry is always evicted),
(3) the secret of the hash function, i.e., re-key periodically (every few seconds or tens of seconds).
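The following is an added example, not code from the advisory or from the kernel patches it references. It shows how an application applies mitigation I on its own UDP sockets: setting IP_MTU_DISCOVER to IP_PMTUDISC_OMIT (and the IPv6 counterpart IPV6_MTU_DISCOVER / IPV6_PMTUDISC_OMIT) via setsockopt, then reading the option back to confirm it took effect. The function names are this example's own; the constants are the Linux socket API's, with a fallback definition (value 5, from linux/in.h) for older libc headers.

```c
/* Added example (not from the advisory): opt a UDP socket out of
 * accepting ICMP "Fragmentation Needed" errors with IP_PMTUDISC_OMIT,
 * then read the setting back to confirm it. Linux-specific. */
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Older libc headers may lack these; values are from linux/in.h and
 * linux/in6.h (assumption: the running kernel is new enough, 3.15+). */
#ifndef IP_PMTUDISC_OMIT
#define IP_PMTUDISC_OMIT 5
#endif
#ifndef IPV6_PMTUDISC_OMIT
#define IPV6_PMTUDISC_OMIT 5
#endif

/* Set IP_MTU_DISCOVER to IP_PMTUDISC_OMIT on an IPv4 UDP socket.
 * Returns 0 on success, -1 (with errno set) on failure. */
int udp_omit_pmtu_v4(int fd)
{
    int val = IP_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof(val));
}

/* Same for an IPv6 UDP socket (IPV6_MTU_DISCOVER / IPV6_PMTUDISC_OMIT). */
int udp_omit_pmtu_v6(int fd)
{
    int val = IPV6_PMTUDISC_OMIT;
    return setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER, &val, sizeof(val));
}

/* Read back the current IPv4 PMTU discovery mode, or -1 on error. */
int udp_get_pmtu_mode_v4(int fd)
{
    int val = -1;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0)
        return -1;
    return val;
}

/* Create an IPv4 UDP socket, apply the mitigation, and return the mode
 * read back (expected: IP_PMTUDISC_OMIT), or -1 on any failure. */
int demo_hardened_udp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int mode = -1;
    if (udp_omit_pmtu_v4(fd) == 0)
        mode = udp_get_pmtu_mode_v4(fd);
    close(fd);
    return mode;
}

int main(void)
{
    int mode = demo_hardened_udp_socket();
    if (mode < 0) {
        perror("hardening UDP socket failed");
        return 1;
    }
    printf("IP_MTU_DISCOVER is now %d (IP_PMTUDISC_OMIT = %d)\n",
           mode, IP_PMTUDISC_OMIT);
    return 0;
}
```

The option is per socket, so it must be applied by each application (a resolver, for instance) before it sends; it complements rather than replaces the kernel-side fix listed below, which protects sockets whose owners did not set it.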
Reference (for IPv6 and IPv4 patch respectively):
git commit 4785305c05b25a242e5314cc821f54ade4c18810 (plus a00df2caffed3883c341d5685f830434312e4a43)
and 6457378fe796815c973f631a1904e147d6ee33b1 (plus 67d6d681e15b578c1725bad8ad079e05d1c48a8e).
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 2015075]
No reproducer exists at this time.
This was fixed for Fedora with the 5.13.17 stable kernel updates.