Vulnerability Note VU#230307

Linux kernel netfilter IRC DCC helper module creates overly permissive firewall rules

Original Release date: 15 Apr 2002 | Last revised: 05 Jul 2002


The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.


The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:

    With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".

    Due to the implementation bug, however, the mask was to wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".

The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.


This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.


Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.

Disable the IRC DCC helper module

If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MandrakeSoftAffected15 Apr 200205 Jul 2002
Netfilter.orgAffected27 Feb 200224 Apr 2002
Red Hat Inc.Affected28 Feb 200224 Apr 2002
ConectivaNot Affected-24 Apr 2002
Hewlett PackardNot Affected04 Mar 200215 Apr 2002
CalderaUnknown15 Apr 200215 Apr 2002
DebianUnknown15 Apr 200215 Apr 2002
EngardeUnknown15 Apr 200215 Apr 2002
SequentUnknown15 Apr 200215 Apr 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CAN-2002-0060
  • Date Public: 25 Feb 2002
  • Date First Published: 15 Apr 2002
  • Date Last Updated: 05 Jul 2002
  • Severity Metric: 5.74
  • Document Revision: 29


If you have feedback, comments, or additional information about this vulnerability, please send us email.