CERT/CC Vulnerability Note VU#24140

Overview

The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.

Description

As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local networks' IP addresses in to globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.

IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive

#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
Starting with kernel 2.2.15, the DLOOSE behavior is disabled by default and can be enabled with the following command:
echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
In Linux kernels 2.4 and above, the firewall and NAT features changed significantly, and DLOOSE behavior is no longer needed since the netfilter/iptables subsystem keeps track of each UDP session.

DLOOSE behavior poses a security risk because it matches inbound UDP packets based solely on destination IP address and port number. The source IP address and source port of an inbound UDP packet are not taken into consideration. Furthermore, if an inbound UDP packet is matched to a current session, IP Masquerade overwrites the destination IP address and port of the existing session with the source IP address and port of the matching inbound packet. While this modification of the session information does not affect new outbound UDP packets that create new sessions, it may cause outbound UDP packets using the pre-existing session information to be blocked for not matching the new destination IP address and port.

Also by default, IP Masquerade uses a relatively small range of port numbers (61000 to 65095) to track UDP sessions, which minimizes the space an attacker needs to search to find an open session.

RFC 2663 describes this vulnerability:
UDP sessions are inherently unsafe. Responses to a datagram could come from an address different from the target address used by sender ([Ref 4]). As a result, an incoming UDP packet might match the outbound session of a traditional NAT router only in part (the destination address and UDP port number of the packet match, but the source address and port number may not). In such a case, there is a potential security compromise for the NAT device in permitting inbound packets with partial match. This UDP security issue is also inherent to firewalls.
Note that individual Linux distributions may use 2.2 kernels with different DLOOSE settings.

Impact

An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.

Solution

The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.
For Linux kernels 2.2.0-pre5 to 2.2.14, comment out or remove the following line in ip_masq.c and recompile the kernel:

#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
For Linux kernels 2.2.15 and above, DLOOSE behavior is disabled by default. To confirm that DLOOSE behavior is disabled, check the existence and contents of the following file:

/proc/sys/net/ipv4/ip_masq_udp_dloose
If this file exists and contains a '1' or a '2', then the system is configured for DLOOSE behavior. If this file does not exist or contains anything other than the values '1' or '2', then the system is configured not to use DLOOSE behavior.

Upgrade to Linux kernel version 2.4 or above that incorporates netfilter/iptables.

Vendor Information

24140

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Mandriva, Inc. Affected

Updated: April 03, 2002

Status

Affected

Vendor Statement

Conectiva released Conectiva Linux Security Announcement CLSA-2000:72 (Portuguese) on 2000-06-08.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Updated: April 02, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

SuSE Security Announcement

Package: kernel < 2.2.15
Date: Wed, 17 May 2000 18:24:50 GMT

Affected SuSE versions: 6.1 - 6.4
Vulnerability Type: bypass ipchains filter rules
denial of service
SuSE default package: yes
Other affected systems: all linux versions using kernel 2.2.x and
several stateful firewall packages
______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as
well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
_____________________________________________________________________________

1. Problem Description

The masquerading feature in the Linux kernel has got a vulnerability in
the udp and ftp masquerading code which allows arbitary backward
connections to be opened.
Some denial of service were found.

2. Impact

Remote users may bypass ipchains filter rules protecting the internal
network.
Users can crash the machine.

3. Solution

Update the package from our FTP server.
Please note that we provide a patched 2.2.14 kernel to ensure stability
and not the 2.2.15 kernel.
______________________________________________________________________________

Please verify these md5 checksums of the updates before installing:
(NOTE: the 6.4 updates fit 6.1 to 6.3 as well)

765e268875a7716f681c14389a1c9b9b ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_deflt.rpm
be6ee213f0cafd4dac5c51a2a8d100f0 ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_eide.rpm
b900eb9f47c94df5cc15721e5f96a58e ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_i386.rpm
37deca6ee856c3242a13c2a24f32fc7f ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/lx_suse-2.2.14.SuSE-24.i386.rpm
______________________________________________________________________________

You can find updates on our ftp-Server:

ftp://ftp.suse.com/pub/suse/i386/update for Intel processors
ftp://ftp.suse.com/pub/suse/axp/update for Alpha processors

or try the following web pages for a list of mirrors:
http://www.suse.de/ftp.html
http://www.suse.com/ftp_new.html

Our webpage for patches:
http://www.suse.de/patches/index.html

Our webpage for security announcements:
http://www.suse.de/security

If you want to report vulnerabilities, please contact
security@suse.de
______________________________________________________________________________

SuSE has got two free security mailing list services to which any
interested party may subscribe:

suse-security@suse.com - moderated and for general/linux/SuSE
security discussions. All SuSE security
announcements are sent to this list.

suse-security-announce@suse.com - SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent
to this list.

To subscribe to the list, send a message to:
<suse-security-subscribe@suse.com>

To remove your address from the list, send a message to:
<suse-security-unsubscribe@suse.com>

Send mail to the following for info and FAQ for this list:
<suse-security-info@suse.com>
<suse-security-faq@suse.com>

_____________________________________________________________________________

This information is provided freely to everyone interested and may
be redistributed provided that it is not altered in any way.

Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>

- ------BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- ------END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOSLptXey5gA9JdPZAQFAswf+L1yoW+eVDCmBDeBHbVqZMb+/X52dh391
jcQ4XAT5gnkuWpqyy7XhvFUqnh555SqNssdgtoqpGYdCoH9tmG4QOY/aK0oRcMee
ttZfmqD/+SWJdS970sdr75t61/m/iqvVmLemtRnYgXjDOI2e1RgTTHK7eEvDgMlA
F9eB1BPa4YsbtAtsh5HOPRRfgDUjbp5Cfss2mMNRwL1NEX3RkVug8dePM3zvQNVy
S1+hCsMkuvHtzwGegsOh0Ix8DVDDDSMh1ZV7i6ECAaH1/10Vw7Osp0swEP1VkZ6/
nL1tZKA2kDtHpCtPi3Z4oQNbMdDuKAaFD/eLx7UvMdCjjnf8GbUNkA==
=BFxK
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The Linux Kernel Archives Affected

Updated: April 02, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Based on Linux kernel source code from The Linux Kernel Archives:

Linux kernels 2.2.0-pre5 to 2.2.14 enable UDP DLOOSE IP Masquerade behavior by default.
Linux kernels 2.2.15 to 2.2.20 disable UDP DLOOSE IP Masquerade behavior by default.
Linux kernels 2.4 and above do not use UDP DLOOSE IP Masquerade behavior since the netfilter/iptables subsystem tracks UDP sessions individually.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 24 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2000-0289
Severity Metric:	2.65
Date Public:	2000-03-27
Date First Published:	2002-04-02
Date Last Updated:	2008-05-06 20:47 UTC
Document Revision:	48

Software Engineering Institute

CERT Coordination Center

Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic

Vulnerability Note VU#24140

Overview

Description

Impact

Solution

Vendor Information

Mandriva, Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

SUSE Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

The Linux Kernel Archives Affected

Status

Vendor Statement

Vendor Information

Addendum

Apple Computer, Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Hewlett-Packard Company Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Sun Microsystems, Inc. Not Affected

Status

Vendor Statement

Vendor Information

Addendum

Berkeley Software Design, Inc. Unknown

Status

Vendor Statement

Vendor Information

Addendum

DEC Unknown

Status

Vendor Statement

Vendor Information

Addendum

Data General Unknown

Status

Vendor Statement

Vendor Information

Addendum

Debian Linux Unknown

Status

Vendor Statement

Vendor Information

Addendum

FreeBSD, Inc. Unknown

Status

Vendor Statement

Vendor Information

Addendum

Fujitsu Unknown

Status

Vendor Statement

Vendor Information

Addendum

IBM Corporation Unknown

Status

Vendor Statement

Vendor Information

Addendum

NEC Corporation Unknown

Status

Vendor Statement

Vendor Information

Addendum

NeXT Unknown