CVE-2020-25705
First published: Wed Nov 04 2020(Updated: )
A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.21.1.rt56.1158.el7 | 0:3.10.0-1160.21.1.rt56.1158.el7 |
| redhat/kernel | <0:3.10.0-1160.21.1.el7 | 0:3.10.0-1160.21.1.el7 |
| redhat/kernel | <0:3.10.0-693.87.1.el7 | 0:3.10.0-693.87.1.el7 |
| redhat/kernel | <0:3.10.0-957.76.1.el7 | 0:3.10.0-957.76.1.el7 |
| redhat/kernel | <0:3.10.0-1062.49.1.el7 | 0:3.10.0-1062.49.1.el7 |
| redhat/kernel-rt | <0:4.18.0-240.15.1.rt7.69.el8_3 | 0:4.18.0-240.15.1.rt7.69.el8_3 |
| redhat/kernel | <0:4.18.0-240.15.1.el8_3 | 0:4.18.0-240.15.1.el8_3 |
| redhat/kernel | <0:4.18.0-147.43.1.el8_1 | 0:4.18.0-147.43.1.el8_1 |
| redhat/kernel-rt | <0:4.18.0-193.46.1.rt13.96.el8_2 | 0:4.18.0-193.46.1.rt13.96.el8_2 |
| redhat/kernel | <0:4.18.0-193.46.1.el8_2 | 0:4.18.0-193.46.1.el8_2 |
| redhat/kernel | <5.10 | 5.10 |
| Linux Kernel | <5.10.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 | |
| Siemens Ruggedcom RM1224 LTE(4G) EU | >=5.0<=6.4 | |
| Siemens Scalance M-800 Firmware | >=5.0<=6.4 | |
| Siemens SCALANCE S615 firmware | >=5.0<=6.4 | |
| Siemens SCALANCE SC-600 | <2.1.3 | 2.1.3 |
| Siemens Scalance W1750D Firmware | =8.3.0.1=8.6.0=8.7.0 | |
| Siemens SIMATIC MV500 Family | ||
| Siemens SIMATIC NET CP 1243-7 LTE EU | >=3.1.39<3.3 | 3.3 |
| Siemens SIMATIC NET CP 1243-7 LTE US | >=3.1.39<3.3 | 3.3 |
| Siemens Simatic CP 1242-7 GPRS Firmware | >=3.1.39<3.3 | 3.3 |
| Siemens SIMATIC NET CP 1542SP-1 IRC (incl. SIPLUS variants) (6GK7243-8RX30-0XE0) | >=2.0 | |
| Siemens SIMATIC NET CP 1542SP-1 | >=2.0 | |
| Siemens SIMATIC NET CP 1543-1 | <3.0 | 3.0 |
| Siemens SIMATIC NET CP 1543SP-1 (incl. SIPLUS variants) | >=2.0 | |
| Siemens SIMATIC NET CP 1545-1 | <1.1 | 1.1 |
| Android |
Remedy
The mitigation is to disable ICMP destination unreachable messages. The commands to disable UDP port unreachable ICMP reply messages: iptables -I OUTPUT -p icmp --icmp-type destination-unreachable -j DROP service iptables save For additional information about "service iptables save" please read https://access.redhat.com/solutions/1597703 It is not recommended to apply this rule if host being used as forwarder (router) of IP packets. Or it is possible to use this firewall-cmd instead of iptables and the result is similar: firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25705 https://nvd.nist.gov/vuln/detail/CVE-2020-25705
- https://bugzilla.redhat.com/show_bug.cgi?id=1894579
- https://access.redhat.com/errata/RHSA-2021:0857
- https://access.redhat.com/errata/RHSA-2021:0856
- https://access.redhat.com/errata/RHSA-2021:2164
- https://access.redhat.com/errata/RHSA-2021:2355
- https://access.redhat.com/errata/RHSA-2021:1531
- https://access.redhat.com/errata/RHSA-2021:0537
- https://access.redhat.com/errata/RHSA-2021:0558
- https://access.redhat.com/errata/RHSA-2021:0686
- https://access.redhat.com/errata/RHSA-2021:0774
- https://access.redhat.com/errata/RHSA-2021:0765
- https://access.redhat.com/security/cve/cve-2020-25705
- https://us-cert.cisa.gov/ics/advisories/icsa-21-131-03
- https://launchpad.net/bugs/cve/CVE-2020-25705
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-131-03 (Advisory)
- https://github.com/torvalds/linux/commit/b38e7819cae946e2edf869e604
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1897656
- https://access.redhat.com/solutions/1597703
- https://android.googlesource.com/kernel/common/+/d6c552505c0d1719dda42b4af2def0618bd7bf54
- https://source.android.com/docs/security/bulletin/2021-04-01 (Advisory)
- https://git.kernel.org/linus/b38e7819cae946e2edf869e604af1e65a5d241c5
- https://www.saddns.net/
- https://security-tracker.debian.org/tracker/CVE-2020-25705
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705
- https://nvd.nist.gov/vuln/detail/CVE-2020-25705
- https://ubuntu.com/security/CVE-2020-25705
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-25705?
The severity of CVE-2020-25705 is classified as medium, given its potential for remote exploitation.
How do I fix CVE-2020-25705?
To fix CVE-2020-25705, upgrade to the patched kernel versions provided in the security advisories from your Linux distribution.
Which Linux distributions are affected by CVE-2020-25705?
CVE-2020-25705 primarily affects Red Hat Enterprise Linux and related distributions, including various versions of the Linux kernel.
Can CVE-2020-25705 be exploited remotely?
Yes, CVE-2020-25705 can be exploited by an off-path remote attacker to bypass UDP source port randomization.
What impact does CVE-2020-25705 have on applications using UDP?
Applications that rely on UDP source port randomization are indirectly affected by CVE-2020-25705, potentially exposing them to scanning or probing by attackers.
- collector/redhat-cve
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25705
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/ics-cert-advisory
- source/ICS
- agent/softwarecombine
- agent/tags
- collector/android-source
- source/Android
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- package-manager/debian
- vendor/siemens
- canonical/siemens ruggedcom rm1224 lte(4g) eu
- version/siemens ruggedcom rm1224 lte(4g) eu/5.0
- version/siemens ruggedcom rm1224 lte(4g) eu/6.4
- canonical/siemens scalance m-800 firmware
- version/siemens scalance m-800 firmware/5.0
- version/siemens scalance m-800 firmware/6.4
- canonical/siemens scalance s615 firmware
- version/siemens scalance s615 firmware/5.0
- version/siemens scalance s615 firmware/6.4
- canonical/siemens scalance sc-600
- canonical/siemens scalance w1750d firmware
- version/siemens scalance w1750d firmware/8.3.0.1
- version/siemens scalance w1750d firmware/8.6.0
- version/siemens scalance w1750d firmware/8.7.0
- canonical/siemens simatic mv500 family
- canonical/siemens simatic net cp 1243-7 lte eu
- version/siemens simatic net cp 1243-7 lte eu/3.1.39
- canonical/siemens simatic net cp 1243-7 lte us
- version/siemens simatic net cp 1243-7 lte us/3.1.39
- canonical/siemens simatic cp 1242-7 gprs firmware
- version/siemens simatic cp 1242-7 gprs firmware/3.1.39
- canonical/siemens simatic net cp 1542sp-1 irc (incl. siplus variants) (6gk7243-8rx30-0xe0)
- version/siemens simatic net cp 1542sp-1 irc (incl. siplus variants) (6gk7243-8rx30-0xe0)/2.0
- canonical/siemens simatic net cp 1542sp-1
- version/siemens simatic net cp 1542sp-1/2.0
- canonical/siemens simatic net cp 1543-1
- canonical/siemens simatic net cp 1543sp-1 (incl. siplus variants)
- version/siemens simatic net cp 1543sp-1 (incl. siplus variants)/2.0
- canonical/siemens simatic net cp 1545-1
- vendor/google
- canonical/android