icmp: Add icmp_timestamp_ignore_all to control ICMP_TIMESTAMP

YeXingchen · NipaLocal · commit 85791b6c58a4 · 2024-05-20T23:00:32.000-07:00
The CVE-1999-0524 vulnerability is associated with ICMP timestamp messages, which can be exploited to conduct a denial-of-service (DoS) attack. In the Vulnerability Priority Rating (VPR) system, this vulnerability was rated as a medium risk in May of this year. Link:https://www.tenable.com/plugins/nessus/10113 To protect embedded systems that cannot run firewalls from attacks exploiting the CVE-1999-0524 vulnerability, the icmp_timestamp_ignore_all sysctl is offered as an easy solution, which allows all ICMP timestamp messages to be ignored, effectively bypassing the potential exploitation through the CVE-1999-0524 vulnerability. It enables these resource-constrained systems to disregard all ICMP timestamp messages, preventing potential DoS attacks, making it an ideal lightweight solution for such environments. Signed-off-by: YeXingchen <ye.xingchen@zte.com.cn> Reviewed-by: xu xin <xu.xin16@zte.com.cn> Reviewed-by: zhang yunkai <zhang.yunkai@zte.com.cn> Reviewed-by: Fan Yu <fan.yu9@zte.com.cn> CC: he peilin <he.peilin@zte.com.cn> Cc: Yang Yang <yang.yang29@zte.com.cn> Cc: Yang Guang <yang.guang5@zte.com.cn> Signed-off-by: NipaLocal <nipa@local>
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
@@ -1441,6 +1441,12 @@ icmp_ratelimit - INTEGER
 
 	Default: 1000
 
+icmp_timestamp_ignore_all - BOOLEAN
+	If set non-zero, then the kernel will ignore all ICMP TIMESTAMP
+	requests sent to it.
+
+	Default: 0
+
 icmp_msgs_per_sec - INTEGER
 	Limit maximal number of ICMP packets sent per second from this host.
 	Only messages whose type matches icmp_ratemask (see below) are
diff --git a/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst b/Documentation/networking/net_cachelines/netns_ipv4_sysctl.rst
@@ -38,6 +38,7 @@ u8                              sysctl_icmp_ignore_bogus_error_responses
 u8                              sysctl_icmp_errors_use_inbound_ifaddr                                                
 int                             sysctl_icmp_ratelimit                                                                
 int                             sysctl_icmp_ratemask                                                                 
+u8                              sysctl_icmp_timestamp_ignore_all
 u32                             ip_rt_min_pmtu                               -                   -                   
 int                             ip_rt_mtu_expires                            -                   -                   
 int                             ip_rt_min_advmss                             -                   -                   
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
@@ -113,6 +113,7 @@ struct netns_ipv4 {
 	u8 sysctl_icmp_echo_ignore_broadcasts;
 	u8 sysctl_icmp_ignore_bogus_error_responses;
 	u8 sysctl_icmp_errors_use_inbound_ifaddr;
+	u8 sysctl_icmp_timestamp_ignore_all;
 	int sysctl_icmp_ratelimit;
 	int sysctl_icmp_ratemask;
 
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
@@ -426,6 +426,7 @@ enum
 	NET_TCP_ALLOWED_CONG_CONTROL=123,
 	NET_TCP_MAX_SSTHRESH=124,
 	NET_TCP_FRTO_RESPONSE=125,
+	NET_IPV4_ICMP_TIMESTAMP_IGNORE_ALL = 126,
 };
 
 enum {
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
@@ -1152,6 +1152,13 @@ EXPORT_SYMBOL_GPL(icmp_build_probe);
 static enum skb_drop_reason icmp_timestamp(struct sk_buff *skb)
 {
 	struct icmp_bxm icmp_param;
+	struct net *net;
+
+	net = dev_net(skb_dst(skb)->dev);
+
+	if (READ_ONCE(net->ipv4.sysctl_icmp_timestamp_ignore_all))
+		return SKB_NOT_DROPPED_YET;
+
 	/*
 	 *	Too short.
 	 */
@@ -1469,6 +1476,9 @@ static int __net_init icmp_sk_init(struct net *net)
 	net->ipv4.sysctl_icmp_echo_enable_probe = 0;
 	net->ipv4.sysctl_icmp_echo_ignore_broadcasts = 1;
 
+	/* Control parameters for TIMESTAMP replies. */
+	net->ipv4.sysctl_icmp_timestamp_ignore_all = 0;
+
 	/* Control parameter - ignore bogus broadcast responses? */
 	net->ipv4.sysctl_icmp_ignore_bogus_error_responses = 1;
 
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
@@ -651,6 +651,15 @@ static struct ctl_table ipv4_net_table[] = {
 		.mode		= 0644,
 		.proc_handler	= ipv4_ping_group_range,
 	},
+	{
+		.procname	= "icmp_timestamp_ignore_all",
+		.data		= &init_net.ipv4.sysctl_icmp_timestamp_ignore_all,
+		.maxlen		= sizeof(u8),
+		.mode		= 0644,
+		.proc_handler	= proc_dou8vec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE
+	},
 #ifdef CONFIG_NET_L3_MASTER_DEV
 	{
 		.procname	= "raw_l3mdev_accept",
