search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Linux kernel netfilter IRC DCC helper module creates overly permissive firewall rules

Vulnerability Note VU#230307

Original Release Date: 2002-03-01 | Last Revised: 2002-07-05

Overview

The "netfilter" firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.

Description

The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:

With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".

Due to the implementation bug, however, the mask was to wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".

The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.

Impact

This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.

Solution

Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.

Disable the IRC DCC helper module

If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.

Vendor Information

230307
 

CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2002-0060
Severity Metric: 5.74
Date Public: 2002-02-25
Date First Published: 2002-03-01
Date Last Updated: 2002-07-05 17:57 UTC
Document Revision: 30

Sponsored by CISA.