Network Service Malformed Data Remote DoS

[mehmetmirac]

Hi expert

As a result of Nessus scans, we noticed that this vulnerability came to our servers. --> https://www.tenable.com/plugins/nessus/17296

Interestingly, it appears in some of our server tiers, while others do not. I wanted to do research on this vulnerability, but I couldn't find much information on the internet.

We tried some methods to fix this problem. One of them was adding rule with mangle table. We examined the ip tables procedure and saw that this method is used in many places to take precautions against DoS attacks. We added it as an iptables rule on our own server and looked at the results we got.

Added Rule

Code: Select all

Block Invalid Packets
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
This rule blocks all packets that are not a SYN packet and don’t belong to an established TCP connection.

Block New Packets That Are Not SYN
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

But that didn't work either. While some of our servers did not see the error, some of them were seen again.

What could be the reason for this error? How is it resolved? I need such ideas. Thanks in advance for the answers

[TrevorH]

I'd be pretty sure that is a false positive detection. The nessus page you linked to says this is CVE-1999-1196 so it's an over 20 years old CVE. The product it's listed against in the CVE database is Hummingbird Exceed which is or was an X Windows implementation for Microsoft Windows. The chances of you having that package installed on a linux server is slim to non-existent.

https://nvd.nist.gov/vuln/detail/CVE-1999-1196

[mehmetmirac]

Thx for information