SecurityTracker.com
Category:   OS (Linux)  >   Netfilter Vendors:   [Multiple Authors/Vendors]
Linux Kernel 'Netfilter' Firewall Software Has an IRC DCC Protocol Connection Tracker Bug That May Let Remote Users Access Protected Hosts in Certain Situations
SecurityTracker Alert ID:  1003679
SecurityTracker URL:  http://securitytracker.com/id/1003679
CVE Reference:   CAN-2002-0060
Date:  Feb 27 2002
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.4.14 to 2.4.18-pre8
Description:   A vulnerability was reported in the Linux kernel 'netfilter' firewall software that may allow remote users to access protected hosts in certain situations, depending on the firewall rule set.

It is reported that the netfilter connection tracking helper module for the Internet Relay Chat (IRC) Direct Client-to-Client (DCC) protocol contains a flaw. This module is designed to monitor outgoing DCC CHAT/SEND requests and issue 'conntrack expectations' about the pending inbound DCC connections. According to the report, the conntrack expectation is less precise than it should be, causing unwanted ports for inbound connections to be opened on the firewall.

The conntrack expectation is reportedly described by a 5-tuple (layer 4 protocol, source ip, source port, destination ip, destination port) and a mask that indicates the parts of the tuple that must match for a new connection to be accepted. An implementation bug apparently causes the mask to be too wide in specifying the destination IP address (allowing any destination IP instead of a specific one). As a result, incoming connection requests are only matched on the destination port number and not the destination IP address.

The vendor credits Jozsef Kadlecsik with discovering this bug.

Impact:   The impact reportedly depends on the ruleset in effect on the firewall. In some cases (with, for example, a permissive "-m state --state RELATED -j ACCEPT" rule), a remote user may be able to traverse the firewall on a single port number to any destination IP address behind the firewall as soon as a user on the inside of the firewall issues an outbound IRC DCC request specifying that port number.
Solution:   The vendor has released a fix. Users can update to a >= 2.4.18-pre9 kernel or can apply a patch. The patch is provided at the Vendor URL (and is contained in the Source Message).
Vendor URL:  www.netfilter.org/security/2002-02-25-irc-dcc-mask.html (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any)
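To make the tuple/mask matching described above concrete, here is an added C model of a conntrack expectation (this is example code written for this page, not the kernel's own ip_conntrack code; the struct and function names, the IP macro, and the sample addresses 10.0.0.5, 10.0.0.9, 203.0.113.7 and port 4000 are all constructed for the illustration). It builds the expectation the IRC helper would issue for an outbound DCC request, then checks inbound connections against it once with the pre-fix mask (destination IP field zero, so ignored) and once with the fixed mask (destination IP field all ones, so it must match). The last function generalises the point to a whole set of internal hosts, showing how many of them the single DCC request exposes on that port under each mask.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified 5-tuple as used by conntrack: (l4 proto, src ip, src port,
 * dst ip, dst port).  Field names are this example's own, not the
 * kernel's struct ip_conntrack_tuple. */
struct tuple {
    uint32_t src_ip;
    uint16_t src_port;
    uint32_t dst_ip;
    uint16_t dst_port;
    uint16_t protonum;
};

/* An expectation: the tuple to expect plus a mask saying which bits of an
 * incoming tuple must equal the expected tuple for the expectation to fire. */
struct expectation {
    struct tuple tuple;
    struct tuple mask;
};

/* Compare an incoming tuple against the expectation under the mask. */
int expectation_matches(const struct expectation *exp, const struct tuple *in)
{
    return (in->src_ip   & exp->mask.src_ip)   == (exp->tuple.src_ip   & exp->mask.src_ip)
        && (in->src_port & exp->mask.src_port) == (exp->tuple.src_port & exp->mask.src_port)
        && (in->dst_ip   & exp->mask.dst_ip)   == (exp->tuple.dst_ip   & exp->mask.dst_ip)
        && (in->dst_port & exp->mask.dst_port) == (exp->tuple.dst_port & exp->mask.dst_port)
        && (in->protonum & exp->mask.protonum) == (exp->tuple.protonum & exp->mask.protonum);
}

/* Mask as the buggy helper built it: zeroed, then only dst port and
 * protocol set.  The dst ip bits stay 0, so any destination IP matches. */
struct tuple buggy_mask(void)
{
    struct tuple m;
    memset(&m, 0, sizeof m);
    m.dst_port = 0xFFFF;
    m.protonum = 0xFFFF;
    return m;
}

/* Mask after the fix: the destination IP must also match exactly. */
struct tuple fixed_mask(void)
{
    struct tuple m = buggy_mask();
    m.dst_ip = 0xFFFFFFFF;
    return m;
}

/* The expectation issued after an outbound "DCC CHAT/SEND <ip Y> <port X>":
 * any source ip/port, to Y:X over TCP (protocol 6). */
struct expectation dcc_expectation(uint32_t dcc_ip, uint16_t dcc_port, struct tuple mask)
{
    struct expectation e;
    memset(&e, 0, sizeof e);
    e.tuple.dst_ip = dcc_ip;
    e.tuple.dst_port = dcc_port;
    e.tuple.protonum = 6;
    e.mask = mask;
    return e;
}

/* Would an inbound TCP connection src_ip:src_port -> dst_ip:dst_port be
 * classified RELATED (i.e. fire the expectation) under this mask?  1 = yes. */
int inbound_is_related(struct tuple mask, uint32_t dcc_ip, uint16_t dcc_port,
                       uint32_t src_ip, uint16_t src_port,
                       uint32_t dst_ip, uint16_t dst_port)
{
    struct expectation e = dcc_expectation(dcc_ip, dcc_port, mask);
    struct tuple in = { src_ip, src_port, dst_ip, dst_port, 6 };
    return expectation_matches(&e, &in);
}

/* How many of the given internal hosts accept a RELATED connection on the
 * DCC port after one host (dcc_ip) announced it?  With the buggy mask this
 * is every host; with the fixed mask it is only dcc_ip itself. */
int exposed_hosts(struct tuple mask, uint32_t dcc_ip, uint16_t dcc_port,
                  const uint32_t *hosts, int nhosts, uint32_t remote_ip)
{
    int count = 0;
    for (int i = 0; i < nhosts; i++)
        count += inbound_is_related(mask, dcc_ip, dcc_port,
                                    remote_ip, 5555, hosts[i], dcc_port);
    return count;
}

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

int main(void)
{
    /* Constructed sample: 10.0.0.5 announced DCC on port 4000; 10.0.0.9 did not. */
    uint32_t hosts[] = { IP(10, 0, 0, 5), IP(10, 0, 0, 9), IP(10, 0, 0, 23) };
    int n = (int)(sizeof hosts / sizeof hosts[0]);
    uint32_t remote = IP(203, 0, 113, 7);

    printf("buggy mask: %d of %d internal hosts reachable on port 4000\n",
           exposed_hosts(buggy_mask(), hosts[0], 4000, hosts, n, remote), n);
    printf("fixed mask: %d of %d internal hosts reachable on port 4000\n",
           exposed_hosts(fixed_mask(), hosts[0], 4000, hosts, n, remote), n);
    return 0;
}
```

The match is done per field under its mask, so a zero mask field means "don't care". That is exactly why a zeroed destination IP mask turns "to host Y, port X" into "to any host, port X"; whether such a RELATED packet is then accepted is still up to the ruleset, as the advisory stresses.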

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Issues Fix) Linux Kernel 'Netfilter' Firewall Software Has an IRC DCC Protocol Connection Tracker Bug That May Let Remote Users Access Protected Hosts in Certain Situations   (bugzilla@redhat.com)
The vendor has released a fix.
(Mandrake Issues Fix) Re: Linux Kernel 'Netfilter' Firewall Software Has an IRC DCC Protocol Connection Tracker Bug That May Let Remote Users Access Protected Hosts in Certain Situations   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake issued a fix.



Source Message Contents

Date:  Wed, 27 Feb 2002 15:02:50 +0100
Subject:  security advisory linux 2.4.x ip_conntrack_irc



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Important security announcement of the netfilter project, 25 Feb 2002
(http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html).

SUBJECT:  IRC connection tracking helper module 
SUMMARY:  IRC connection tracking opens unwanted ports
SYSTEM:   All Linux kernel versions from 2.4.14 to 2.4.18-pre8
SOLUTION: Apply attached patch
CREDITS: Jozsef Kadlecsik <kadlec@netfilter.org>, 
	 Harald Welte <laforge@netfilter.org>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0060 to this issue.

DESCRIPTION
===========
The netfilter subsystem in Linux kernels >= 2.4.14 contains a connection
tracking helper module for the IRC DCC protocol.  The purpose of this module is
to monitor outgoing DCC CHAT/SEND requests and issue so-called 'conntrack
expectations' about the respective inbound DCC connections.

A bug in the implementation of this module causes the conntrack expectation to
be less precise than it should, resulting in unwanted ports for inbound
connections opened on the firewall.

The conntrack expectation is described by a tuple (layer 4 protocol, source ip,
source port, destination ip, destination port) and mask indicating which parts
of the tuple need to match with a new connection in order to be fulfilled.

With IRC DCC, we can only tell the destination IP and port, thus we need
an expectation "expect related connection from any ip / any port to this
particular port number X at this particular IP address Y".

Due to the implementation bug, however, the mask was too wide. The conntrack
helper really says "expect related connection from any ip / any port to
this particular port X at ANY IP".

As a result, incoming connection requests are only matched on the destination
port number, and nothing else. 

This does not always result in the unwanted incoming connection
request being allowed.  It always depends on the ruleset, since connection
tracking only decides on the state of a packet.


IMPLICATIONS
============
The implications depend on the ruleset, since connection tracking only
assigns state to packets.  What to do with this state information is up
to the user.  

However, a big number of installations seem to have a very
permissive "-m state --state RELATED -j ACCEPT" rule.  In this case,
as soon as somebody from inside the private network issues an IRC DCC
request, a single connection from the outside network to the port number
stated in the DCC request on any (internal) IP address will get accepted.


SOLUTION
--------
Update to a >= 2.4.18-pre9 kernel OR apply the following patch:

- --- linux-2.4.18-pre8-plain/net/ipv4/netfilter/ip_conntrack_irc.c	Sat Dec 22 18:52:16 2001
+++ linux-2.4.18-pre8-nfpom/net/ipv4/netfilter/ip_conntrack_irc.c	Tue Feb  5 15:55:29 2002
@@ -1,8 +1,8 @@
- -/* IRC extension for IP connection tracking, Version 1.20
- - * (C) 2000-2001 by Harald Welte <laforge@gnumonks.org>
+/* IRC extension for IP connection tracking, Version 1.21
+ * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
  * based on RR's ip_conntrack_ftp.c	
  *
- - * ip_conntrack_irc.c,v 1.20 2001/12/06 07:42:10 laforge Exp
+ * ip_conntrack_irc.c,v 1.21 2002/02/05 14:49:26 laforge Exp
  *
  *      This program is free software; you can redistribute it and/or
  *      modify it under the terms of the GNU General Public License
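Review bot: Header-only hunk; the version bump from 1.20 to 1.21 and the copyright year change carry no behavioural change, so nothing in the file header records why the version moved. Consider adding a one-line changelog note next to the version comment, e.g. `* 1.21: expectation mask now includes dst ip (CAN-2002-0060)`, so the reason for the bump is visible in the source itself.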
@@ -112,9 +112,9 @@
 
 	struct ip_ct_irc *info = &ct->help.ct_irc_info;
 
- -	memset(&mask, 0, sizeof(struct ip_conntrack_tuple));
- -	mask.dst.u.tcp.port = 0xFFFF;
- -	mask.dst.protonum = 0xFFFF;
+	mask = ((struct ip_conntrack_tuple)
+		{ { 0, { 0 } },
+		  { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});
 
 	DEBUGP("entered\n");
 	/* Can't track connections formed before we registered */
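Review bot: The positional compound literal `mask = ((struct ip_conntrack_tuple) { { 0, { 0 } }, { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF }});` encodes the whole fix (the new 0xFFFFFFFF in the dst sub-struct, which the advisory text identifies as the missing destination-IP constraint) purely through field order; if the member order of struct ip_conntrack_tuple ever changes, the mask silently reverts to matching too widely, which is exactly the class of bug being fixed here. The replaced three-line form (`memset` plus `mask.dst.u.tcp.port = 0xFFFF;` and `mask.dst.protonum = 0xFFFF;`) was easier to audit; consider keeping it and adding an explicit `mask.dst.ip = 0xFFFFFFFF;`, or using designated initializers so each masked field is named. A short comment stating the intent ("any src ip/port, exact dst ip/port/protocol") would also make the mask reviewable without reading the advisory.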

CREDITS
=======
Jozsef Kadlecsik has discovered this bug initially, Harald Welte has
written the patch.


COPYRIGHT
=========
This advisory is copyright (C) 2002 by the netfilter core team.
Redistribution is permitted after 25 Feb 2002, provided the contents of the
advisory is not modified in any way.

Live long and prosper
-- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8fOP0NfqJzMqajVsRAsSUAJoDzbvV6eoAgzff3pgKmhxUFPMXrgCgoIka
jec/ptqtuYwqyh8CEN419nU=
=nuYQ
-----END PGP SIGNATURE-----
Copyright 2013, SecurityGlobal.net LLC