Software Engineering Institute

The "netfilter" subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:

With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".

Due to the implementation bug, however, the mask was to wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".

The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.

This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.

Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.

Disable the IRC DCC helper module

If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.