Vulnerability Note VU#24140

Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic

Original Release date: 02 Apr 2002 | Last revised: 06 May 2008

Overview

The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.

Description

As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local networks' IP addresses in to globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.

IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
Starting with kernel 2.2.15, the DLOOSE behavior is disabled by default and can be enabled with the following command:
    echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
In Linux kernels 2.4 and above, the firewall and NAT features changed significantly, and DLOOSE behavior is no longer needed since the netfilter/iptables subsystem keeps track of each UDP session.

DLOOSE behavior poses a security risk because it matches inbound UDP packets based solely on destination IP address and port number. The source IP address and source port of an inbound UDP packet are not taken into consideration. Furthermore, if an inbound UDP packet is matched to a current session, IP Masquerade overwrites the destination IP address and port of the existing session with the source IP address and port of the matching inbound packet. While this modification of the session information does not affect new outbound UDP packets that create new sessions, it may cause outbound UDP packets using the pre-existing session information to be blocked for not matching the new destination IP address and port.

Also by default, IP Masquerade uses a relatively small range of port numbers (61000 to 65095) to track UDP sessions, which minimizes the space an attacker needs to search to find an open session.

RFC 2663 describes this vulnerability:
    UDP sessions are inherently unsafe. Responses to a datagram could come from an address different from the target address used by sender ([Ref 4]). As a result, an incoming UDP packet might match the outbound session of a traditional NAT router only in part (the destination address and UDP port number of the packet match, but the source address and port number may not). In such a case, there is a potential security compromise for the NAT device in permitting inbound packets with partial match. This UDP security issue is also inherent to firewalls.
Note that individual Linux distributions may use 2.2 kernels with different DLOOSE settings.

Impact

An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.

Solution

The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.
For Linux kernels 2.2.0-pre5 to 2.2.14, comment out or remove the following line in ip_masq.c and recompile the kernel:

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
For Linux kernels 2.2.15 and above, DLOOSE behavior is disabled by default. To confirm that DLOOSE behavior is disabled, check the existence and contents of the following file:
    /proc/sys/net/ipv4/ip_masq_udp_dloose
If this file exists and contains a '1' or a '2', then the system is configured for DLOOSE behavior. If this file does not exist or contains anything other than the values '1' or '2', then the system is configured not to use DLOOSE behavior.

Upgrade to Linux kernel version 2.4 or above that incorporates netfilter/iptables.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Mandriva, Inc.Affected-03 Apr 2002
SUSE LinuxAffected-02 Apr 2002
The Linux Kernel ArchivesAffected-02 Apr 2002
Apple Computer, Inc.Not Affected23 Apr 200112 Jul 2001
Hewlett-Packard CompanyNot Affected23 Apr 200103 Apr 2002
Sun Microsystems, Inc.Not Affected23 Apr 200112 Jul 2001
Berkeley Software Design, Inc.Unknown23 Apr 200116 Jul 2001
Data GeneralUnknown23 Apr 200116 Jul 2001
Debian LinuxUnknown23 Apr 200116 Jul 2001
DECUnknown23 Apr 200112 Jul 2001
FreeBSD, Inc.Unknown23 Apr 200116 Jul 2001
FujitsuUnknown23 Apr 200112 Jul 2001
IBM CorporationUnknown23 Apr 200116 Jul 2001
NEC CorporationUnknown23 Apr 200116 Jul 2001
NeXTUnknown23 Apr 200116 Jul 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.

This document was written by Art Manion.

Other Information

  • CVE IDs: CVE-2000-0289
  • Date Public: 27 Mar 2000
  • Date First Published: 02 Apr 2002
  • Date Last Updated: 06 May 2008
  • Severity Metric: 2.65
  • Document Revision: 48

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.