The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.
As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local networks' IP addresses in to globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.
IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive
An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.
The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.
Upgrade to Linux kernel version 2.4 or above that incorporates netfilter/iptables.
The Linux Kernel Archives
Apple Computer, Inc.
Sun Microsystems, Inc.
Berkeley Software Design, Inc.
Red Hat, Inc.
Sequent Computer Systems, Inc.
The SCO Group (SCO Linux)
The SCO Group (SCO Unix)
The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.
This document was written by Art Manion.
|Date First Published:||2002-04-02|
|Date Last Updated:||2008-05-06 20:47 UTC|