Denys Fedoryshchenko

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.2.24 **Description** The issue allows remote attackers to cause a denial of service by consuming kernel resources through a flood of SYN+FIN TCP packets. This is achieved by exploiting the `tcp rcv state process` function in `net/ipv4/tcp input.c`. **Recommendations** For Linux kernel versions prior to 3.2.24, update to version 3.2.24 or later to resolve the issue. As a temporary workaround, consider implementing network traffic filtering to restrict the influx of SYN+FIN TCP packets.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 2.6.39 **Description** The issue is related to the ip expire function in the Linux kernel, which does not properly construct ICMP TIME EXCEEDED packets after a timeout. This allows remote attackers to cause a denial of service via crafted fragmented packets, resulting in an invalid pointer dereference. **Recommendations** For versions prior to 2.6.39, update to version 2.6.39 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** iptables versions through 1.4.21 **Description** The issue is related to insufficient input validation in the extensions/libxt tcp.c component of the iptables interface, which could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service using a specially crafted packet. The vulnerability might allow remote attackers to bypass intended firewall restrictions via crafted TCP SYN+FIN packets in --syn rules. **Recommendations** For versions through 1.4.21, consider updating to a version that includes the fix for this issue, as the CVE-2012-6638 fix makes this issue less relevant. As a temporary workaround, consider restricting the use of the `--syn` rule to minimize the risk of exploitation.