US-CERT Vulnerability Notes Database

Vulnerability Note VU#230307

Linux kernel netfilter IRC DCC helper module creates overly permissive firewall rules

Overview

The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.

I. Description

The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:

    With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".

    Due to the implementation bug, however, the mask was too wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".

The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.
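
The mask semantics in the quoted announcement, modelled as an added example (not netfilter's code and not part of the original note). The struct and function names, the addresses and the port are constructed for illustration.

```c
/* Simplified model of expectation matching; names are hypothetical,
 * not the kernel's own data structures. */
#include <stdint.h>
#include <stdio.h>

struct tuple {                 /* host byte order, for readability */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* A packet matches when every bit selected by the mask is equal in the
 * packet and in the expected tuple. A zero mask field means "any". */
static int expect_match(const struct tuple *pkt, const struct tuple *exp,
                        const struct tuple *mask)
{
    return ((pkt->src_ip   ^ exp->src_ip)   & mask->src_ip)   == 0 &&
           ((pkt->dst_ip   ^ exp->dst_ip)   & mask->dst_ip)   == 0 &&
           ((pkt->src_port ^ exp->src_port) & mask->src_port) == 0 &&
           ((pkt->dst_port ^ exp->dst_port) & mask->dst_port) == 0;
}

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Constructed sample: the DCC offer announced Y = 192.0.2.10, X = 5000. */
static const struct tuple expected      = { 0, IP(192,0,2,10), 0, 5000 };
/* Intended: any source IP/port, exactly IP Y, exactly port X. */
static const struct tuple mask_intended = { 0, 0xFFFFFFFFu, 0, 0xFFFF };
/* As described in the announcement: destination IP is not compared. */
static const struct tuple mask_too_wide = { 0, 0, 0, 0xFFFF };

/* Would an inbound connection to dst_ip:dst_port be treated as related? */
static int allowed(uint32_t dst_ip, uint16_t dst_port, const struct tuple *mask)
{
    struct tuple pkt = { IP(203,0,113,7), dst_ip, 40000, dst_port };
    return expect_match(&pkt, &expected, mask);
}

int main(void)
{
    uint32_t other = IP(192,0,2,20);   /* a different protected host */
    printf("intended mask, host Y:     %d\n", allowed(expected.dst_ip, 5000, &mask_intended));
    printf("intended mask, other host: %d\n", allowed(other, 5000, &mask_intended));
    printf("too-wide mask, other host: %d\n", allowed(other, 5000, &mask_too_wide));
    return 0;
}
```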

II. Impact

This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.

III. Solution

Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.

Disable the IRC DCC helper module

If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.

Systems Affected

Vendor            Status           Date Notified   Date Updated
Caldera           Unknown                          15-Apr-2002
Conectiva         Not Vulnerable                   24-Apr-2002
Debian            Unknown                          15-Apr-2002
Engarde           Unknown                          15-Apr-2002
Hewlett Packard   Not Vulnerable                   15-Apr-2002
MandrakeSoft      Vulnerable                       5-Jul-2002
Netfilter.org     Vulnerable                       24-Apr-2002
Red Hat Inc.      Vulnerable                       24-Apr-2002
Sequent           Unknown                          15-Apr-2002

References


http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
http://www.netfilter.org/documentation/index.html#whatis
http://www.redhat.com/support/errata/RHSA-2002-028.html
http://www.securityfocus.com/bid/4188

Credit

The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2002-02-25
Date First Published: 2002-04-15
Date Last Updated: 2002-07-05
CERT Advisory:
CVE-ID(s): CAN-2002-0060
NVD-ID(s): CAN-2002-0060
US-CERT Technical Alerts:
Metric: 5.74
Document Revision: 29

Copyright 2002 Carnegie Mellon University