CVE-2009-0778 in Linux
Summary
by MITRE
The icmp_send function in net/ipv4/icmp.c in the Linux kernel before 2.6.25, when configured as a router with a REJECT route, does not properly manage the Protocol Independent Destination Cache (aka DST) in some situations involving transmission of an ICMP Host Unreachable message, which allows remote attackers to cause a denial of service (connectivity outage) by sending a large series of packets to many destination IP addresses within this REJECT route, related to an "rt_cache leak."
Analysis
by VulDB Data Team • 08/30/2019
The vulnerability described in CVE-2009-0778 is a flaw in how the Linux kernel handles ICMP messages in a routing context, affecting versions before 2.6.25. It is triggered when a Linux system operates as a router with REJECT routes configured, a situation in which the kernel mismanages the Protocol Independent Destination Cache (DST). The defect lies in the handling of the routing cache while an ICMP Host Unreachable message is being transmitted, and it leads to resource exhaustion that ultimately disrupts connectivity for the affected network segments.
The technical root cause lies within the icmp_send function located in net/ipv4/icmp.c, where the kernel fails to properly clean up or manage the destination cache entries when processing packets that would trigger ICMP Host Unreachable responses. This flaw creates a memory leak in the routing cache structure, specifically related to the rt_cache mechanism that tracks routing information for network destinations. When a router configured with REJECT routes receives a flood of packets destined for addresses within the rejected network range, each packet triggers an ICMP Host Unreachable message, but the corresponding cache entries are not properly released, causing gradual accumulation of stale routing entries.
The operational impact is severe: the flaw translates directly into a denial of service that can disrupt network connectivity for the whole routing domain. An attacker exploits it by sending a large volume of packets to many destination IP addresses within the REJECT route range, so that the routing cache fills with stale entries until the system exhausts memory or routing table capacity. Legitimate traffic toward those destinations then fails outright, leaving the router unable to forward packets even though the host itself still appears to be running normally.
This vulnerability maps directly to CWE-400, which categorizes it as an Uncontrolled Resource Consumption or Resource Leak, specifically within the context of network routing operations. The attack pattern aligns with ATT&CK technique T1499.004, which involves network denial of service attacks targeting routing infrastructure. The exploit requires minimal privileges and can be executed remotely, making it particularly dangerous in network environments where routers are exposed to untrusted traffic. The vulnerability demonstrates how seemingly benign routing functionality can be weaponized to create catastrophic network outages, highlighting the critical importance of proper resource management in kernel-level networking code.
Mitigation strategies for CVE-2009-0778 primarily involve upgrading to Linux kernel version 2.6.25 or later, where the routing cache management has been corrected to properly handle the cleanup of destination cache entries during ICMP message transmission. System administrators should also implement rate limiting and traffic control measures to prevent the rapid exhaustion of routing cache entries, though this represents a temporary workaround rather than a permanent fix. Network segmentation and proper firewall configuration can help limit the scope of impact by reducing the number of REJECT routes and controlling traffic flow to minimize the attack surface. Additionally, monitoring for unusual routing cache growth patterns and implementing automated alerts for routing table saturation can provide early detection of exploitation attempts.
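The monitoring the paragraph above recommends can be built from two snapshots of the kernel's routing-cache statistics. The following is an added example, not code from VulDB or the kernel project: it parses `/proc/net/stat/rt_cache` (present on kernels of this era, which still had a routing cache), compares the global `entries` count against an assumed `net.ipv4.route.max_size`, and flags rapid growth, DST overflow events and a cache-miss-heavy workload. Both snapshots are constructed for illustration; the ceiling of 262144 is an assumed value, and on a live host you would read it with `sysctl net.ipv4.route.max_size`.

```python
"""Flag runaway growth of the IPv4 routing cache between two snapshots of
/proc/net/stat/rt_cache. Added example for monitoring the cache exhaustion
behind CVE-2009-0778; the snapshots below are constructed, not captured."""

# Layout of /proc/net/stat/rt_cache on routing-cache kernels: a header line
# of column names, then one line per CPU of zero-padded hexadecimal counters.
# "entries" is the global cache size and is repeated on every CPU line; the
# other columns are per-CPU counters that must be summed across CPUs.
SNAPSHOT_T0 = """\
entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
00001000  00002000 00000400 00000000 00000000 00000010 00000000 00000000  00001000 00000800 00000000  00000100 00000000 00000000 00000000 00000020 00000010
00001000  00001800 00000300 00000000 00000000 00000008 00000000 00000000  00000c00 00000600 00000000  000000c0 00000000 00000000 00000000 00000018 00000008
"""

# Constructed snapshot taken 10 s later, during a flood of distinct destinations.
SNAPSHOT_T1 = """\
entries  in_hit in_slow_tot in_slow_mc in_no_route in_brd in_martian_dst in_martian_src  out_hit out_slow_tot out_slow_mc  gc_total gc_ignored gc_goal_miss gc_dst_overflow in_hlist_search out_hlist_search
0003a000  00002400 0001f400 00000000 00000000 00000012 00000000 00000000  00001200 00018000 00000000  00000900 00000040 00000020 00000003 00000030 00000018
0003a000  00001a00 00019000 00000000 00000000 00000009 00000000 00000000  00000d00 00014000 00000000  00000800 00000030 00000010 00000001 00000020 0000000c
"""

# Assumed ceiling for the example; on a real host read `sysctl net.ipv4.route.max_size`.
ASSUMED_MAX_SIZE = 262144


def parse_rt_cache(text: str) -> dict:
    """Return a dict of counter name -> value summed over CPUs (entries taken once)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty rt_cache snapshot")
    cols = lines[0].split()
    rows = [[int(v, 16) for v in ln.split()] for ln in lines[1:]]
    for row in rows:
        if len(row) != len(cols):
            raise ValueError("column count mismatch in rt_cache snapshot")
    stats = {col: sum(row[i] for row in rows) for i, col in enumerate(cols)}
    stats["entries"] = rows[0][0]  # global value, identical on each CPU line
    return stats


def assess(prev: dict, cur: dict, interval_s: float,
           max_size: int = ASSUMED_MAX_SIZE,
           warn_ratio: float = 0.8, growth_per_s: float = 1000.0) -> list:
    """Compare two parsed snapshots and return short finding tags."""
    findings = []
    # Cache close to its hard ceiling: new routes will soon be refused.
    if cur["entries"] >= warn_ratio * max_size:
        findings.append("near_max_size")
    # Sustained growth rate far above what normal churn produces.
    if (cur["entries"] - prev["entries"]) / interval_s > growth_per_s:
        findings.append("rapid_growth")
    # gc_dst_overflow increments when the DST cache could not admit a new entry.
    if cur["gc_dst_overflow"] > prev["gc_dst_overflow"]:
        findings.append("dst_overflow")
    # A flood of never-before-seen destinations shows up as slow-path lookups
    # (cache misses) dwarfing cache hits, on both the input and output paths.
    hits = (cur["in_hit"] - prev["in_hit"]) + (cur["out_hit"] - prev["out_hit"])
    misses = ((cur["in_slow_tot"] - prev["in_slow_tot"])
              + (cur["out_slow_tot"] - prev["out_slow_tot"]))
    if misses > 10 * max(hits, 1):
        findings.append("cache_miss_heavy")
    return findings


if __name__ == "__main__":
    before, after = parse_rt_cache(SNAPSHOT_T0), parse_rt_cache(SNAPSHOT_T1)
    print("entries:", before["entries"], "->", after["entries"])
    print("findings:", assess(before, after, interval_s=10))
```

Run on a live router, the two snapshots would come from reading `/proc/net/stat/rt_cache` an interval apart (cron or a loop), and any non-empty finding list is the alert condition. The real sysctls that bound the behaviour are `net.ipv4.route.max_size` and `net.ipv4.route.gc_thresh` for the cache itself and `net.ipv4.icmp_ratelimit` for the ICMP replies; tuning them is the rate-limiting workaround the text mentions, not a replacement for the 2.6.25 fix.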