
CVE-1999-1339: Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipc

Medium
Tags: Vulnerability, CVE-1999-1339, denial of service
Published: Fri Dec 31 1999 (12/31/1999, 05:00:00 UTC)
Source: NVD
Vendor/Project: freebsd
Product: freebsd

Description

Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.

AI-Powered Analysis

AI analysis last updated: 07/01/2025, 11:26:17 UTC

Technical Analysis

CVE-1999-1339 affects Linux kernel versions 2.2.10 and earlier when Network Address Translation (NAT) is enabled using ipchains, and FreeBSD version 3.2 when using ipfw. The vulnerability arises from improper handling of ICMP echo requests that carry the record route option (ping -R). A remote attacker can send crafted ping -R packets that trigger a kernel panic, causing a denial of service (DoS) condition. The weakness lies in the network stack's processing of ICMP packets when NAT is active, which leads to instability or a crash of the affected system's kernel. The vulnerability does not affect confidentiality or integrity; it impacts availability by crashing the system. The assigned CVSS score is 5.0 (medium severity), reflecting a network attack vector, low attack complexity, no authentication required, and impact limited to availability. Patches addressing this issue are available, notably Linux kernel patch 2.2.11 and corresponding FreeBSD updates. No known exploits have been reported in the wild, but the vulnerability remains relevant for legacy systems still running these outdated kernel versions with NAT enabled.

Potential Impact

For European organizations, the primary impact of this vulnerability is the potential for denial of service attacks against critical network infrastructure running legacy Linux 2.2.x or FreeBSD 3.2 systems with NAT enabled. Such systems might be found in industrial control environments, embedded devices, or legacy servers that have not been updated. A successful attack could cause network outages or disruption of services dependent on these systems, affecting business continuity. While modern systems are not affected, organizations with legacy infrastructure in sectors such as manufacturing, telecommunications, or government may face operational risks. The vulnerability does not expose sensitive data or allow unauthorized access, but the loss of availability could have cascading effects on dependent services and processes. Given the age of the affected software, the risk is mitigated if systems have been updated; however, organizations with legacy deployments should assess exposure carefully.

Mitigation Recommendations

Organizations should immediately verify whether any systems are running Linux kernel 2.2.10 or earlier with ipchains NAT enabled, or FreeBSD 3.2 with ipfw NAT enabled. If such systems are identified, they should be upgraded to patched versions: Linux kernel 2.2.11 or later, or updated FreeBSD releases that address this vulnerability. If upgrading is not immediately feasible, disabling NAT functionality or blocking ICMP echo requests with the record route option at network perimeter devices can reduce exposure. Network intrusion detection systems should be configured to alert on suspicious ICMP packets that carry the record route option. Additionally, organizations should conduct network segmentation to isolate legacy systems and implement strict firewall rules to limit ICMP traffic from untrusted sources. Regular audits of legacy infrastructure and patch management processes are critical to prevent exploitation.
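The detection recommended above (alerting on ICMP echo requests that carry the record route option) can be sketched as follows. This is an added example, not code from the advisory or from any vendor. The function names, the verdict strings and the sample packets are assumptions made for illustration; the option and ICMP type numbers come from RFC 791 and RFC 792.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7      # IPv4 option types (RFC 791)
PROTO_ICMP, ICMP_ECHO_REQUEST = 1, 8

def ip_options(pkt: bytes):
    """Yield the type of each IPv4 header option; ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        raise ValueError("bad header length")
    i = 20
    while i < ihl:
        opt = pkt[i]
        if opt == IPOPT_EOL:
            return
        if opt == IPOPT_NOP:                   # single-byte padding option
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("bad option length")
        yield opt
        i += pkt[i + 1]

def classify(pkt: bytes) -> str:
    """Return 'alert' for an ICMP echo request carrying Record Route,
    'malformed' for an unparseable header (worth logging), else 'ok'."""
    try:
        opts = list(ip_options(pkt))
    except ValueError:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4
    first_frag = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    echo = (pkt[9] == PROTO_ICMP and first_frag
            and len(pkt) > ihl and pkt[ihl] == ICMP_ECHO_REQUEST)
    return "alert" if echo and IPOPT_RR in opts else "ok"

def sample(options: bytes = b"", icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed test packet: documentation addresses, zero checksums."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    icmp = bytes([icmp_type, 0, 0, 0, 0, 0, 0, 0])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(icmp),
                      0, 0, 64, PROTO_ICMP, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + icmp

RECORD_ROUTE = bytes([IPOPT_RR, 39, 4]) + bytes(36)  # type, length, pointer, 9 empty slots

if __name__ == "__main__":
    for name, pkt in [("plain ping", sample()), ("ping -R", sample(RECORD_ROUTE))]:
        print(name, classify(pkt))
```

The parser expects raw IPv4 packets without a link-layer header, as delivered by a capture on a raw IP interface or after stripping the Ethernet frame.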


Threat ID: 682ca32db6fd31d6ed7df652

Added to database: 5/20/2025, 3:43:41 PM

Last enriched: 7/1/2025, 11:26:17 AM

Last updated: 7/30/2025, 8:35:56 AM
