US-CERT Vulnerability Notes Database
Vulnerability Note VU#24140

Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic

Overview

The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.

I. Description

As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local network's IP addresses into globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.

IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1

Starting with kernel 2.2.15, the DLOOSE behavior is disabled by default and can be enabled with the following command:

    echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

In Linux kernels 2.4 and above, the firewall and NAT features changed significantly, and DLOOSE behavior is no longer needed since the netfilter/iptables subsystem keeps track of each UDP session.

DLOOSE behavior poses a security risk because it matches inbound UDP packets based solely on destination IP address and port number. The source IP address and source port of an inbound UDP packet are not taken into consideration. Furthermore, if an inbound UDP packet is matched to a current session, IP Masquerade overwrites the destination IP address and port of the existing session with the source IP address and port of the matching inbound packet. While this modification of the session information does not affect new outbound UDP packets that create new sessions, it may cause outbound UDP packets using the pre-existing session information to be blocked for not matching the new destination IP address and port.

Also by default, IP Masquerade uses a relatively small range of port numbers (61000 to 65095) to track UDP sessions, which minimizes the space an attacker needs to search to find an open session.

RFC 2663 describes this vulnerability:

    UDP sessions are inherently unsafe. Responses to a datagram could come from an address different from the target address used by sender ([Ref 4]). As a result, an incoming UDP packet might match the outbound session of a traditional NAT router only in part (the destination address and UDP port number of the packet match, but the source address and port number may not). In such a case, there is a potential security compromise for the NAT device in permitting inbound packets with partial match. This UDP security issue is also inherent to firewalls.

Note that individual Linux distributions may use 2.2 kernels with different DLOOSE settings.
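The following is an added example, not kernel code and not part of the original note. It is a small Python model of a masquerading gateway that can be switched between strict matching and the DLOOSE behavior described above, so the two consequences the note names (an unsolicited packet reaching the translated network, and the session overwrite blocking the internal host's later packets) can be observed side by side. Keying sessions on the private endpoint and the sequential port allocation are simplifications of this model, and all addresses are constructed from RFC 5737 documentation ranges.

```python
# Simplified model of IP Masquerade UDP session handling, strict versus "destination loose".
# Added example for VU#24140; not Linux kernel code. Addresses are constructed (RFC 5737 TEST-NET ranges).
from dataclasses import dataclass

PORT_MIN, PORT_MAX = 61000, 65095  # default masquerade port range quoted in the note (4096 ports)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Session:
    local_ip: str     # private host that opened the session
    local_port: int
    remote_ip: str    # peer the private host sent to
    remote_port: int
    masq_port: int    # external port allocated on the gateway


class Masquerade:
    """Toy NAT gateway. Sessions are keyed on the private (local) endpoint; this is a modelling assumption."""

    def __init__(self, ext_ip, dloose=False):
        self.ext_ip = ext_ip
        self.dloose = dloose
        self.by_masq_port = {}   # masq_port -> Session
        self.by_local = {}       # (local_ip, local_port) -> Session
        self._next_port = PORT_MIN

    def _allocate_port(self):
        while self._next_port in self.by_masq_port:
            self._next_port += 1
        if self._next_port > PORT_MAX:
            raise RuntimeError("masquerade port range exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt):
        """Packet from the private network. Returns the translated packet, or None if it is blocked."""
        key = (pkt.src_ip, pkt.src_port)
        s = self.by_local.get(key)
        if s is None:
            s = Session(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, self._allocate_port())
            self.by_local[key] = s
            self.by_masq_port[s.masq_port] = s
        elif (s.remote_ip, s.remote_port) != (pkt.dst_ip, pkt.dst_port):
            # The session now points at a different remote peer: after a DLOOSE overwrite,
            # packets that still use the original destination no longer match (the note's side effect).
            return None
        return Packet(self.ext_ip, s.masq_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Packet arriving on the external interface. Returns the translated packet, or None if dropped."""
        if pkt.dst_ip != self.ext_ip:
            return None
        s = self.by_masq_port.get(pkt.dst_port)
        if s is None:
            return None   # no session on that masquerade port
        source_matches = (s.remote_ip, s.remote_port) == (pkt.src_ip, pkt.src_port)
        if not source_matches:
            if not self.dloose:
                return None   # strict: only the original peer may answer
            # DLOOSE: a destination match alone is enough, and the session is rewritten to the new peer
            s.remote_ip, s.remote_port = pkt.src_ip, pkt.src_port
        return Packet(pkt.src_ip, pkt.src_port, s.local_ip, s.local_port)


def scenario(dloose):
    """One DNS-style exchange plus an unsolicited packet; reports what gets through in each mode."""
    nat = Masquerade("203.0.113.1", dloose=dloose)
    query = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.53", 53))
    masq_port = query.src_port
    reply = nat.inbound(Packet("198.51.100.53", 53, "203.0.113.1", masq_port))       # genuine answer
    rogue = nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", masq_port))     # unsolicited, dst match only
    resend = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.53", 53))         # host retries its query
    return {"reply_delivered": reply is not None,
            "rogue_delivered": rogue is not None,
            "resend_forwarded": resend is not None}


if __name__ == "__main__":
    for mode in (False, True):
        print("dloose" if mode else "strict", scenario(mode))
```

In strict mode the unsolicited packet is dropped and the host's retry still flows; in DLOOSE mode the unsolicited packet is delivered and, because the session's remote endpoint was overwritten, the host's retry to the original server is blocked.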

II. Impact

An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.

III. Solution

The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.

For Linux kernels 2.2.0-pre5 to 2.2.14, comment out or remove the following line in ip_masq.c and recompile the kernel:

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1

For Linux kernels 2.2.15 and above, DLOOSE behavior is disabled by default. To confirm that DLOOSE behavior is disabled, check the existence and contents of the following file:

    /proc/sys/net/ipv4/ip_masq_udp_dloose

If this file exists and contains a '1' or a '2', then the system is configured for DLOOSE behavior. If this file does not exist or contains anything other than the values '1' or '2', then the system is configured not to use DLOOSE behavior.

Alternatively, upgrade to Linux kernel version 2.4 or above, which incorporates netfilter/iptables.
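The two checks above can be scripted. The following is an added example, not code from the note or the kernel: one function applies the sysctl test for 2.2.15 and later kernels exactly as stated (file present and containing '1' or '2'), and a second scans the text of ip_masq.c for an active CONFIG_IP_MASQ_LOOSE_DEFAULT definition on the older kernels. The comment-stripping in the source scan is a heuristic of this example, and the sample source fragments are constructed.

```python
# Audit helpers for the two DLOOSE checks in the Solution section. Added example, not kernel or CERT code.
# The sysctl path is the one the note names; the comment handling is a simple heuristic of this example.
import re

DLOOSE_SYSCTL = "/proc/sys/net/ipv4/ip_masq_udp_dloose"


def dloose_enabled(path=DLOOSE_SYSCTL):
    """2.2.15+ check: True only if the sysctl file exists and holds '1' or '2'.
    A missing file (no masquerade sysctl, e.g. a netfilter-based 2.4 kernel) or any other
    value means the system is not configured for DLOOSE behavior."""
    try:
        with open(path) as f:
            value = f.read().strip()
    except (FileNotFoundError, NotADirectoryError):
        return False
    return value in ("1", "2")


# An active definition: optional whitespace, '#define', the symbol, then the value 1 as a whole token.
_ACTIVE_DEFINE = re.compile(r"^\s*#\s*define\s+CONFIG_IP_MASQ_LOOSE_DEFAULT\s+1\b")


def source_defaults_to_loose(ip_masq_c_text):
    """2.2.0-pre5..2.2.14 check: True if an uncommented '#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1'
    is present in the given ip_masq.c text. Block comments are removed first; a line starting
    with '//' is treated as commented out."""
    no_block_comments = re.sub(r"/\*.*?\*/", "", ip_masq_c_text, flags=re.S)
    for line in no_block_comments.splitlines():
        if line.lstrip().startswith("//"):
            continue
        if _ACTIVE_DEFINE.match(line):
            return True
    return False


# Constructed ip_masq.c fragments for demonstration (not the real file contents).
SRC_ACTIVE = "/* masq defaults */\n#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1\n"
SRC_BLOCK_COMMENTED = "/*\n#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1\n*/\n"
SRC_LINE_COMMENTED = "// #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1\n"
SRC_DISABLED = "#define CONFIG_IP_MASQ_LOOSE_DEFAULT 0\n"


if __name__ == "__main__":
    print("DLOOSE sysctl active on this host:", dloose_enabled())
    print("sample source defaults to loose:", source_defaults_to_loose(SRC_ACTIVE))
```

Run on a 2.2.15 or later host, dloose_enabled() answers the sysctl question directly; for an older kernel, feed the contents of ip_masq.c to source_defaults_to_loose() before deciding whether a rebuild is needed.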

Systems Affected

Vendor                          Status          Date Updated
Apple Computer, Inc.            Not Vulnerable  12-Jul-2001
Berkeley Software Design, Inc.  Unknown         16-Jul-2001
Data General                    Unknown         16-Jul-2001
Debian Linux                    Unknown         16-Jul-2001
DEC                             Unknown         12-Jul-2001
FreeBSD, Inc.                   Unknown         16-Jul-2001
Fujitsu                         Unknown         12-Jul-2001
Hewlett-Packard Company         Not Vulnerable  3-Apr-2002
IBM Corporation                 Unknown         16-Jul-2001
Mandriva, Inc.                  Vulnerable      3-Apr-2002
NEC Corporation                 Unknown         16-Jul-2001
NeXT                            Unknown         16-Jul-2001
OpenBSD                         Unknown         16-Jul-2001
Red Hat, Inc.                   Unknown         16-Jul-2001
Sequent Computer Systems, Inc.  Unknown         16-Jul-2001
SGI                             Unknown         16-Jul-2001
Siemens Nixdorf                 Unknown         16-Jul-2001
Sony Corporation                Unknown         16-Jul-2001
Sun Microsystems, Inc.          Not Vulnerable  12-Jul-2001
SUSE Linux                      Vulnerable      2-Apr-2002
The Linux Kernel Archives       Vulnerable      2-Apr-2002
The SCO Group (SCO Linux)       Unknown         16-Jul-2001
The SCO Group (SCO Unix)        Unknown         16-Jul-2001
Unisys                          Unknown         16-Jul-2001

References


http://www.securityfocus.com/bid/1078
http://www.securitybugware.org/Linux/692.html
http://www.suse.com/de/support/security/suse_security_announce_48.txt
http://www.ietf.org/html.charters/nat-charter.html
http://www.ietf.org/rfc/rfc1123.txt
http://www.ietf.org/rfc/rfc1631.txt
http://www.ietf.org/rfc/rfc2663.txt
http://www.ietf.org/rfc/rfc2993.txt
http://www.ietf.org/rfc/rfc3235.txt

Credit

The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.

This document was written by Art Manion.

Other Information

Date Public: 03/27/2000
Date First Published: 04/02/2002 04:51:46 PM
Date Last Updated: 05/06/2008
CERT Advisory:
CVE Name: CVE-2000-0289
US-CERT Technical Alerts:
Metric: 2.65
Document Revision: 48

Copyright 2002 Carnegie Mellon University