CVE-2002-2438
Description
TCP firewalls could be circumvented by sending SYN packets with other flags (e.g. the RST flag) set, which were not correctly discarded by the Linux TCP stack after firewalling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure vulnerability in the Linux kernel's TCP/IP stack (SYN+RST) bypasses firewall filters, allowing an attacker to confirm open ports or bypass restrictions.
Vulnerability
The Linux kernel’s TCP/IP stack (versions prior to 2.4.20) improperly processes packets that have both the SYN and RST flags set. According to RFC 793, such flag combinations are invalid. The Linux kernel would accept these packets, which would be discarded by RFC-compliant firewalls [1][2][4]. This allows an attacker to craft packets that pass through a firewall undetected and are processed by the target [3]. The issue was originally addressed in Linux 2.4.20, but CVE-2002-2438 was reserved later for the SYN+RST variant [1][4].
Exploitation
An attacker with network access crafts TCP packets with both SYN and RST flags set. This causes the firewall to either forward them (believing they are already rejected) or mishandle them [1][4]. The attacker can then send these packets to probe a target system’s open ports or launch a denial of service by overwhelming the host’s TCP connection handling [2][3]. No authentication or special privileges are required beyond the ability to send raw packets.
Impact
Successful exploitation allows an attacker to bypass firewall rules, potentially mapping open ports that the firewall intended to block, or triggering a denial-of-service condition on the target system by exhausting resources [1][2][4]. The vulnerability leads to information disclosure (port scanning) and availability impact. The attacker does not gain code execution or elevated privileges.
Mitigation
The vulnerability was fixed in Linux kernel 2.4.20 (released 2002) by checking for the RST flag in SYN packets [4]. Systems running kernel versions prior to 2.4.20 should be upgraded. No known workaround exists if patching is not possible. This CVE is not listed on the CISA Known Exploited Vulnerabilities Catalog (KEV). [1][2][4]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
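The check described under Mitigation, as an added example that is not kernel code and not from this page: it shows how a lenient "SYN bit set" test and a strict classification disagree on a SYN+RST header, which is the mismatch a filter and an end host must not have. The function names, verdict values and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, byte 13 of the TCP header (RFC 793). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical verdicts; CLEAN_SYN covers both SYN and SYN+ACK. */
enum syn_verdict { MALFORMED = -1, NOT_SYN = 0, CLEAN_SYN = 1, ANOMALOUS_SYN = 2 };

/* Lenient test: any segment with the SYN bit counts as a connection request,
 * so SYN+RST is treated like a plain SYN. */
int lenient_is_syn(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* Strict classification: SYN combined with RST or FIN is reported separately
 * so it can be dropped or logged instead of being handled as a SYN. */
enum syn_verdict classify_tcp_header(const uint8_t *hdr, size_t len)
{
    if (hdr == NULL || len < 20)
        return MALFORMED;                      /* below minimal header size */
    size_t doff = (size_t)(hdr[12] >> 4) * 4;  /* data offset in bytes */
    if (doff < 20 || doff > len)
        return MALFORMED;
    uint8_t flags = hdr[13];
    if (!(flags & TH_SYN))
        return NOT_SYN;
    return (flags & (TH_RST | TH_FIN)) ? ANOMALOUS_SYN : CLEAN_SYN;
}

/* Constructed sample input: a zeroed 20-byte header with the given flags. */
void make_sample_header(uint8_t out[20], uint8_t flags)
{
    for (size_t i = 0; i < 20; i++) out[i] = 0;
    out[12] = 5 << 4;                          /* 5 words = 20 bytes */
    out[13] = flags;
}

int main(void)
{
    const uint8_t cases[] = { TH_SYN, TH_SYN | TH_RST, TH_SYN | TH_ACK, TH_RST };
    uint8_t h[20];
    for (size_t i = 0; i < sizeof cases; i++) {
        make_sample_header(h, cases[i]);
        printf("flags=0x%02x lenient=%d strict=%d\n", cases[i],
               lenient_is_syn(cases[i]), classify_tcp_header(h, sizeof h));
    }
    return 0;
}
```

Rows where `lenient` is 1 and `strict` is 2 are the segments a SYN-only filter rule and a lenient receiver would interpret differently.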
Affected products
- Linux/Linux TCP stack
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/464113 (mitre, third-party-advisory, x_refsource_CERT-VN)
- www.openwall.com/lists/oss-security/2012/02/03/7 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/29/8 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/11 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/12 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/13 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/2 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/4 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/8 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/30/9 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2012/05/31/3 (mitre, mailing-list, x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2014/02/12/8 (mitre, mailing-list, x_refsource_MLIST)
- bugzilla.suse.com/show_bug.cgi (mitre, x_refsource_MISC)
- security.netapp.com/advisory/ntap-20210727-0003/ (mitre, x_refsource_CONFIRM)
- www.kb.cert.org/vuls/id/464113%2C (mitre, x_refsource_MISC)
- www.openwall.com/lists/oss-security/2012/02/03/7 (mitre, x_refsource_MISC)