The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.
The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.
In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:
This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.
Apply a patch from your vendor
Disable the IRC DCC helper module
The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.
This document was written by Jeffrey P. Lanza.
|Date First Published:
|Date Last Updated:
|2002-07-05 17:57 UTC