Re: [PATCH net-next v2] icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP

From: Florian Westphal
Date: Tue May 21 2024 - 05:26:18 EST


ye.xingchen@xxxxxxxxxx <ye.xingchen@xxxxxxxxxx> wrote:
> From: YeXingchen <ye.xingchen@xxxxxxxxxx>
>
> The CVE-1999-0524 vulnerability is associated with ICMP
> timestamp messages, which can be exploited to conduct
> a denial-of-service (DoS) attack. In the Vulnerability
> Priority Rating (VPR) system, this vulnerability was
> rated as a medium risk in May of this year.
> Link: https://www.tenable.com/plugins/nessus/10113

Please explain at least one scenario where this is a problem.

AFAICS there is none and Linux is not affected by this.

> To protect embedded systems that cannot run firewalls
> from attacks exploiting the CVE-1999-0524 vulnerability,
> the icmp_timestamp_ignore_all sysctl is offered as

If there is an actual problem, then this should be on by default
or the entire feature should be removed.

But I don't think there is a problem in the first place.