Vulnerability Note VU#24140
Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic
The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.
As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local network's IP addresses into globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.
IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive
DLOOSE behavior poses a security risk because it matches inbound UDP packets based solely on destination IP address and port number; the source IP address and source port of an inbound UDP packet are not taken into consideration. Furthermore, when an inbound UDP packet is matched to a current session, IP Masquerade overwrites the destination IP address and port of the existing session with the source IP address and port of the matching inbound packet. This modification of the session information does not affect new outbound UDP packets that create new sessions, but it may cause outbound UDP packets that rely on the pre-existing session information to be blocked, because they no longer match the session's new destination IP address and port.
Also by default, IP Masquerade uses a relatively small range of port numbers (61000 to 65095) to track UDP sessions, which minimizes the space an attacker needs to search to find an open session.
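A small model of the two matching policies, added here as an illustration and not taken from the kernel source or from this note: it follows the note's description of DLOOSE (match inbound packets on the gateway's destination port only, then overwrite the session's peer) beside a strict check that also compares the inbound source with the session's peer, and models the note's statement that a clobbered session blocks the private host's next packet to its original peer. The addresses are constructed (RFC 1918 and RFC 5737 documentation ranges) and the port range is the default one quoted above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

@dataclass
class Session:
    internal: Endpoint  # private host that opened the session
    remote: Endpoint    # peer it sent to; overwritten under DLOOSE
    masq_port: int      # external gateway port allocated to the session

class MasqTable:
    def __init__(self, loose: bool, ports: Tuple[int, int] = (61000, 65095)):
        self.loose = loose  # True models DLOOSE, False a strict source check
        self.sessions: List[Session] = []
        self.next_port, self.last_port = ports

    def outbound(self, src: Endpoint, dst: Endpoint) -> Optional[int]:
        """Private host src sends to dst: external port used, or None if blocked."""
        for s in self.sessions:
            if s.internal == src:
                # As the note describes, an overwritten session no longer matches the original peer.
                return s.masq_port if s.remote == dst else None
        if self.next_port > self.last_port:
            return None  # port range exhausted
        self.sessions.append(Session(src, dst, self.next_port))
        self.next_port += 1
        return self.sessions[-1].masq_port

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Packet from src hits the gateway's ext_port: forwarded-to host, or None."""
        for s in self.sessions:
            if s.masq_port != ext_port:
                continue
            if self.loose:
                s.remote = src  # DLOOSE: destination-only match, then peer overwritten
                return s.internal
            if s.remote == src:  # strict: source must equal the session's peer
                return s.internal
        return None

def demo(loose: bool):
    # Constructed addresses: RFC 1918 private host, RFC 5737 documentation ranges.
    host, peer, other = ("192.168.1.10", 5000), ("203.0.113.5", 53), ("198.51.100.7", 4444)
    t = MasqTable(loose)
    ext = t.outbound(host, peer)         # host opens a session to peer
    reply = t.inbound(peer, ext)         # peer's genuine reply
    unsolicited = t.inbound(other, ext)  # packet from an unrelated source
    again = t.outbound(host, peer)       # host's next packet to the original peer
    return ext, reply, unsolicited, again
```

Under DLOOSE the unrelated packet is forwarded to the private host and the host's next packet to its real peer is blocked; under the strict check the unrelated packet is dropped and the session keeps working.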
RFC 2663 describes this vulnerability:
An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.
The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.
Upgrade to Linux kernel version 2.4 or later, which incorporates netfilter/iptables.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Mandriva, Inc. | Affected | - | 03 Apr 2002 |
| SUSE Linux | Affected | - | 02 Apr 2002 |
| The Linux Kernel Archives | Affected | - | 02 Apr 2002 |
| Apple Computer, Inc. | Not Affected | 23 Apr 2001 | 12 Jul 2001 |
| Hewlett-Packard Company | Not Affected | 23 Apr 2001 | 03 Apr 2002 |
| Sun Microsystems, Inc. | Not Affected | 23 Apr 2001 | 12 Jul 2001 |
| Berkeley Software Design, Inc. | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| Data General | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| Debian Linux | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| DEC | Unknown | 23 Apr 2001 | 12 Jul 2001 |
| FreeBSD, Inc. | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| Fujitsu | Unknown | 23 Apr 2001 | 12 Jul 2001 |
| IBM Corporation | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| NEC Corporation | Unknown | 23 Apr 2001 | 16 Jul 2001 |
| NeXT | Unknown | 23 Apr 2001 | 16 Jul 2001 |
The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.
This document was written by Art Manion.
- CVE IDs: CVE-2000-0289
- Date Public: 27 Mar 2000
- Date First Published: 02 Apr 2002
- Date Last Updated: 06 May 2008
- Severity Metric: 2.65
- Document Revision: 48