Vulnerability Note VU#230307
Linux kernel netfilter IRC DCC helper module creates overly permissive firewall rules
The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.
The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.
In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:
Due to the implementation bug, however, the mask was too wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".
The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.
This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.
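The mask error described in the quoted announcement can be modelled in a few lines of C. This is an added example, not code from this note or from the kernel: the structures, addresses and port are constructed, and it assumes the intended expectation pinned the destination IP to the initiating host.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
/* Constructed values: the inside host that sent the DCC request, a second
 * protected host that never asked for anything, and the advertised port. */
#define CLIENT    IP(192, 168, 1, 10)
#define BYSTANDER IP(192, 168, 1, 20)
#define DCC_PORT  5000

/* Hypothetical simplified model, not the kernel's conntrack structures. */
struct tuple {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};
struct expectation {            /* mask bits set to 0 are wildcards */
    struct tuple want, mask;
};

/* 1 if the packet equals the expected tuple on every masked bit. */
static int expect_match(const struct expectation *e, const struct tuple *p)
{
    return !(((p->src_ip ^ e->want.src_ip) & e->mask.src_ip) ||
             ((p->dst_ip ^ e->want.dst_ip) & e->mask.dst_ip) ||
             ((p->src_port ^ e->want.src_port) & e->mask.src_port) ||
             ((p->dst_port ^ e->want.dst_port) & e->mask.dst_port));
}

/* Is an inbound connection to dst_ip:dst_port accepted as related? */
static int related(uint32_t dst_ip_mask, uint32_t dst_ip, uint16_t dst_port)
{
    /* Expectation for a DCC request from CLIENT advertising DCC_PORT; the
     * source stays wildcarded and only dst_ip_mask differs between cases. */
    struct expectation e = {
        .want = { .dst_ip = CLIENT, .dst_port = DCC_PORT },
        .mask = { .dst_ip = dst_ip_mask, .dst_port = 0xffff },
    };
    /* Constructed inbound packet from an outside address. */
    struct tuple p = { IP(203, 0, 113, 7), dst_ip, 40000, dst_port };
    return expect_match(&e, &p);
}

int main(void)
{
    printf("pinned: client=%d bystander=%d\n",
           related(0xffffffff, CLIENT, DCC_PORT),
           related(0xffffffff, BYSTANDER, DCC_PORT));
    printf("wide:   bystander=%d other-port=%d\n",
           related(0, BYSTANDER, DCC_PORT), related(0, BYSTANDER, 22));
    return 0;
}
```

With the destination IP mask zeroed, the connection to the advertised port on the second host is accepted as related, while other ports on that host still fail the match.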
Apply a patch from your vendor
Disable the IRC DCC helper module
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| MandrakeSoft | Affected | 15 Apr 2002 | 05 Jul 2002 |
| Netfilter.org | Affected | 27 Feb 2002 | 24 Apr 2002 |
| Red Hat Inc. | Affected | 28 Feb 2002 | 24 Apr 2002 |
| Conectiva | Not Affected | - | 24 Apr 2002 |
| Hewlett Packard | Not Affected | 04 Mar 2002 | 15 Apr 2002 |
| Caldera | Unknown | 15 Apr 2002 | 15 Apr 2002 |
| Debian | Unknown | 15 Apr 2002 | 15 Apr 2002 |
| Engarde | Unknown | 15 Apr 2002 | 15 Apr 2002 |
| Sequent | Unknown | 15 Apr 2002 | 15 Apr 2002 |
The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.
This document was written by Jeffrey P. Lanza.
- CVE IDs: CAN-2002-0060
- Date Public: 25 Feb 2002
- Date First Published: 15 Apr 2002
- Date Last Updated: 05 Jul 2002
- Severity Metric: 5.74
- Document Revision: 29