
CERT Coordination Center

Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic

Vulnerability Note VU#24140

Original Release Date: 2002-04-02 | Last Revised: 2008-05-06

Overview

The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network.

Description

As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a local network's IP addresses into globally unique addresses. NAT operates on the assumption that not all of the hosts on a local network need to communicate beyond the local network at the same time. Traditional NAT and Port Address Translation (NAPT or PAT) can map many local addresses to fewer global addresses (possibly just one address), thus reducing the overall need for unique global IPv4 addresses, improving portability, and providing some modest security through the use of RFC 1918 private address space that is not globally routed.

IP Masquerade is a kernel implementation of NAT on Linux. Based on code obtained from The Linux Kernel Archives, IP Masquerade is configured by default to handle UDP translations using "destination loose" (DLOOSE) behavior in kernel versions 2.2.0-pre5 through 2.2.14. This is indicated in ip_masq.c by the presence of the preprocessor directive:

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1

Starting with kernel 2.2.15, the DLOOSE behavior is disabled by default and can be enabled with the following command:

    echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose

In Linux kernels 2.4 and above, the firewall and NAT features changed significantly, and DLOOSE behavior is no longer needed since the netfilter/iptables subsystem keeps track of each UDP session.

DLOOSE behavior poses a security risk because it matches inbound UDP packets based solely on destination IP address and port number. The source IP address and source port of an inbound UDP packet are not taken into consideration. Furthermore, if an inbound UDP packet is matched to a current session, IP Masquerade overwrites the destination IP address and port of the existing session with the source IP address and port of the matching inbound packet. While this modification of the session information does not affect new outbound UDP packets that create new sessions, it may cause outbound UDP packets using the pre-existing session information to be blocked for not matching the new destination IP address and port.

Also by default, IP Masquerade uses a relatively small range of port numbers (61000 to 65095) to track UDP sessions, which minimizes the space an attacker needs to search to find an open session.
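The matching rule just described, and its side effect on the session table, can be seen in a small model. The following is an added illustration written for this note, not the Linux 2.2 ip_masq.c code: the class and field names, the simplified outbound lookup (by inner address and port only) and the addresses used are all assumptions chosen for the example. It runs the same packet sequence through a strict table and a DLOOSE table: in strict mode only the contacted peer's reply is forwarded; in DLOOSE mode an unsolicited sender is forwarded as well, the session's recorded peer is overwritten, and the inner host's next datagram to its original peer is dropped.

```python
"""Constructed model of an IP Masquerade UDP session table in strict mode
versus "destination loose" (DLOOSE) mode. Added illustration for this note;
not the kernel's ip_masq.c code. Names and addresses are assumptions."""

from dataclasses import dataclass

# Default masquerade port range quoted in the note (61000 to 65095).
MASQ_PORT_LOW = 61000
MASQ_PORT_HIGH = 65095


def masq_port_search_space():
    """Number of masquerade ports covering every possible open UDP session
    on a gateway that uses the default range."""
    return MASQ_PORT_HIGH - MASQ_PORT_LOW + 1


@dataclass
class Session:
    """One translated UDP flow, identified by the gateway's masquerade port."""
    masq_port: int
    inner_addr: str   # internal host that opened the flow
    inner_port: int
    dest_addr: str    # external peer the internal host sent to
    dest_port: int


class MasqTable:
    """Simplified UDP session table; dloose selects the inbound match rule."""

    def __init__(self, dloose):
        self.dloose = dloose
        self.sessions = {}          # masq_port -> Session
        self.next_port = MASQ_PORT_LOW

    def outbound(self, src_addr, src_port, dst_addr, dst_port):
        """Translate a datagram leaving the inner network.

        Returns the masquerade port used, or None when the packet is dropped
        because the inner socket's existing session now records a different
        destination (the side effect of a DLOOSE rewrite described in the
        note). Looking a session up by inner address/port only is a
        simplification made for this model."""
        for s in self.sessions.values():
            if (s.inner_addr, s.inner_port) == (src_addr, src_port):
                if (s.dest_addr, s.dest_port) == (dst_addr, dst_port):
                    return s.masq_port
                return None
        if self.next_port > MASQ_PORT_HIGH:
            raise RuntimeError("masquerade port range exhausted")
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = Session(port, src_addr, src_port, dst_addr, dst_port)
        return port

    def inbound(self, src_addr, src_port, masq_port):
        """Decide whether a datagram arriving at masq_port is forwarded.

        Returns (inner_addr, inner_port) when forwarded, else None."""
        s = self.sessions.get(masq_port)
        if s is None:
            return None                      # no session on that port
        if not self.dloose:
            # Strict: the sender must be the peer the inner host contacted.
            if (src_addr, src_port) != (s.dest_addr, s.dest_port):
                return None
        else:
            # DLOOSE: destination port alone matches, and the session's
            # peer is overwritten with whoever sent this packet.
            s.dest_addr, s.dest_port = src_addr, src_port
        return (s.inner_addr, s.inner_port)


def compare_modes():
    """Run one constructed packet sequence through both tables."""
    results = {}
    for name, dloose in (("strict", False), ("dloose", True)):
        t = MasqTable(dloose)
        # Inner host 10.0.0.5:40000 queries DNS at 198.51.100.7:53 (constructed).
        port = t.outbound("10.0.0.5", 40000, "198.51.100.7", 53)
        reply = t.inbound("198.51.100.7", 53, port)                # legitimate reply
        stray = t.inbound("203.0.113.9", 9999, port)               # unsolicited sender
        again = t.outbound("10.0.0.5", 40000, "198.51.100.7", 53)  # inner host retries
        results[name] = {"reply": reply, "stray": stray, "retry_port": again}
    return results


if __name__ == "__main__":
    for mode, outcome in compare_modes().items():
        print(mode, outcome)
```

The strict table forwards only the reply; the DLOOSE table forwards both, and the retry that reuses the existing session returns None because the session's destination has been rewritten to the stray sender.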

RFC 2663 describes this vulnerability:

    UDP sessions are inherently unsafe. Responses to a datagram could come from an address different from the target address used by sender ([Ref 4]). As a result, an incoming UDP packet might match the outbound session of a traditional NAT router only in part (the destination address and UDP port number of the packet match, but the source address and port number may not). In such a case, there is a potential security compromise for the NAT device in permitting inbound packets with partial match. This UDP security issue is also inherent to firewalls.

Note that individual Linux distributions may use 2.2 kernels with different DLOOSE settings.

Impact

An attacker could send arbitrary UDP packets to a network behind a vulnerable NAT gateway.

Solution

The following information is based on Linux kernel code from The Linux Kernel Archives. Individual distributions may have different default configurations.

For Linux kernels 2.2.0-pre5 to 2.2.14, comment out or remove the following line in ip_masq.c and recompile the kernel:

    #define CONFIG_IP_MASQ_LOOSE_DEFAULT 1

For Linux kernels 2.2.15 and above, DLOOSE behavior is disabled by default. To confirm that DLOOSE behavior is disabled, check the existence and contents of the following file:

    /proc/sys/net/ipv4/ip_masq_udp_dloose

If this file exists and contains a '1' or a '2', then the system is configured for DLOOSE behavior. If this file does not exist or contains anything other than the values '1' or '2', then the system is configured not to use DLOOSE behavior.

Upgrade to Linux kernel version 2.4 or above that incorporates netfilter/iptables.
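The two checks above (which kernel range a release falls into, and what the sysctl file holds) can be combined into one audit helper. The following is an added example written for this note, not part of the note or of any kernel: the version classification follows the ranges the note gives, the sysctl path is the one the note names, and the path is a parameter so the logic can be exercised against a constructed file rather than a live /proc.

```python
"""Added audit helper for the Solution section of this note. Not part of the
note or of any kernel; release ranges and the sysctl path come from the note,
the function and verdict strings are assumptions made for this example."""

import os
import re

DLOOSE_SYSCTL = "/proc/sys/net/ipv4/ip_masq_udp_dloose"

# Matches "2.2.14", "2.2.0-pre5", "2.2.20-smp"; the pre-release number is optional.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-pre(\d+))?")


def classify_kernel(release):
    """Map a kernel release string onto the ranges the note describes."""
    m = _RELEASE.match(release)
    if not m:
        return "unparseable"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = int(m.group(4)) if m.group(4) else None
    if (major, minor) > (2, 2):
        return "netfilter"          # 2.4 and above: DLOOSE not used
    if (major, minor) < (2, 2):
        return "not-covered"        # the note says nothing about pre-2.2 kernels
    if patch == 0 and pre is not None and pre < 5:
        return "not-covered"        # 2.2.0 pre-releases before pre5: not covered
    if patch <= 14:
        return "dloose-default-on"  # 2.2.0-pre5 .. 2.2.14: rebuild without the #define
    return "dloose-default-off"     # 2.2.15 and above: verify via the sysctl


def dloose_sysctl_enabled(path=DLOOSE_SYSCTL):
    """True only if the file exists and contains '1' or '2', as the note states;
    a missing file or any other value means DLOOSE is not in use."""
    if not os.path.exists(path):
        return False
    with open(path) as f:
        return f.read().strip() in ("1", "2")


def audit(release, path=DLOOSE_SYSCTL):
    """Combine both checks into one verdict string (wording is this example's)."""
    kind = classify_kernel(release)
    if kind == "netfilter":
        return "not applicable: netfilter tracks UDP sessions"
    if kind == "dloose-default-on":
        return "exposed unless rebuilt: DLOOSE on by default in " + release
    if kind == "dloose-default-off":
        if dloose_sysctl_enabled(path):
            return "exposed: DLOOSE enabled via " + path
        return "ok: DLOOSE disabled"
    return "unknown: " + kind


if __name__ == "__main__":
    print(audit(os.uname().release))
```

Run with no arguments it audits the running kernel; the 2.2.0-pre5 to 2.2.14 verdict is deliberately "exposed unless rebuilt" because, for those kernels, the note's remedy is removing the #define and recompiling, which this helper cannot observe.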

Vendor Information


Mandriva, Inc. Affected

Updated:  April 03, 2002

Status

Affected

Vendor Statement

Conectiva released Conectiva Linux Security Announcement CLSA-2000:72 (Portuguese) on 2000-06-08.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux Affected

Updated:  April 02, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package: kernel < 2.2.15
        Date:    Wed, 17 May 2000 18:24:50 GMT

        Affected SuSE versions: 6.1 - 6.4
        Vulnerability Type:     bypass ipchains filter rules
                                denial of service
        SuSE default package:   yes
        Other affected systems: all linux versions using kernel 2.2.x and
                                several stateful firewall packages
______________________________________________________________________________

A security hole was discovered in the package mentioned above.
Please update as soon as possible or disable the service if you are using
this software on your SuSE Linux installation(s).

Other Linux distributions or operating systems might be affected as
well, please contact your vendor for information about this issue.

Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
_____________________________________________________________________________

1. Problem Description

  The masquerading feature in the Linux kernel has got a vulnerability in
  the udp and ftp masquerading code which allows arbitrary backward
  connections to be opened.
  Some denial of service issues were found.

2. Impact

  Remote users may bypass ipchains filter rules protecting the internal
  network.
  Users can crash the machine.

3. Solution

  Update the package from our FTP server.
  Please note that we provide a patched 2.2.14 kernel to ensure stability
  and not the 2.2.15 kernel.
______________________________________________________________________________

Please verify these md5 checksums of the updates before installing:
(NOTE: the 6.4 updates fit 6.1 to 6.3 as well)

765e268875a7716f681c14389a1c9b9b  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_deflt.rpm
be6ee213f0cafd4dac5c51a2a8d100f0  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_eide.rpm
b900eb9f47c94df5cc15721e5f96a58e  ftp://ftp.suse.com/pub/suse/i386/update/6.4/kernel/k_i386.rpm
37deca6ee856c3242a13c2a24f32fc7f  ftp://ftp.suse.com/pub/suse/i386/update/6.4/d1/lx_suse-2.2.14.SuSE-24.i386.rpm
______________________________________________________________________________

You can find updates on our ftp-Server:

  ftp://ftp.suse.com/pub/suse/i386/update for Intel processors
  ftp://ftp.suse.com/pub/suse/axp/update  for Alpha processors

or try the following web pages for a list of mirrors:
  http://www.suse.de/ftp.html
  http://www.suse.com/ftp_new.html

Our webpage for patches:
  http://www.suse.de/patches/index.html

Our webpage for security announcements:
  http://www.suse.de/security

If you want to report vulnerabilities, please contact
  security@suse.de
______________________________________________________________________________

SuSE has got two free security mailing list services to which any
interested party may subscribe:

suse-security@suse.com          - moderated and for general/linux/SuSE
                                  security discussions. All SuSE security
                                  announcements are sent to this list.

suse-security-announce@suse.com - SuSE's announce-only mailing list.
                                  Only SuSE's security announcements are sent
                                  to this list.

To subscribe to the list, send a message to:
     <suse-security-subscribe@suse.com>

To remove your address from the list, send a message to:
     <suse-security-unsubscribe@suse.com>

Send mail to the following for info and FAQ for this list:
     <suse-security-info@suse.com>
     <suse-security-faq@suse.com>

_____________________________________________________________________________

  This information is provided freely to everyone interested and may
  be redistributed provided that it is not altered in any way.

Type Bits/KeyID    Date       User ID
pub  2048/3D25D3D9 1999/03/06 SuSE Security Team <security@suse.de>

- ------BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S1H5Fiyh7HKPEUBAVcOB/9b
yHYji1/+4Xc2GhvXK0FSJN0MGgeXgW47yxDL7gmR4mNgjlIOUHZj0PEpVjWepOJ7
tQS3L9oP6cpj1Fj/XxuLbkp5VCQ61hpt54coQAvYrnT9rtWEGN+xmwejT1WmYmDJ
xG+EGBXKr+XP69oIUl1E2JO3rXeklulgjqRKos4cdXKgyjWZ7CP9V9daRXDtje63
Om8gwSdU/nCvhdRIWp/Vwbf7Ia8iZr9OJ5YuQl0DBG4qmGDDrvImgPAFkYFzwlqo
choXFQ9y0YVCV41DnR+GYhwl2qBd81T8aXhihEGPIgaw3g8gd8B5o6mPVgl+nJqI
BkEYGBusiag2pS6qwznZiQEVAwUQNuEtBHey5gA9JdPZAQFtOAf+KVh939b0J94u
v/kpg4xs1LthlhquhbHcKNoVTNspugiC3qMPyvSX4XcBr2PC0cVkS4Z9PY9iCfT+
x9WM96g39dAF+le2CCx7XISk9XXJ4ApEy5g4AuK7NYgAJd39PPbERgWnxjxir9g0
Ix30dS30bW39D+3NPU5Ho9TD/B7UDFvYT5AWHl3MGwo3a1RhTs6sfgL7yQ3U+mvq
MkTExZb5mfN1FeaYKMopoI4VpzNVeGxQWIz67VjJHVyUlF20ekOz4kWVgsxkc8G2
saqZd6yv2EwqYTi8BDAduweP33KrQc4KDDommQNDOXxaKOeCoESIdM4p7Esdjq1o
L0oixF12Cg==
=pIeS
- ------END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBOSLptXey5gA9JdPZAQFAswf+L1yoW+eVDCmBDeBHbVqZMb+/X52dh391
jcQ4XAT5gnkuWpqyy7XhvFUqnh555SqNssdgtoqpGYdCoH9tmG4QOY/aK0oRcMee
ttZfmqD/+SWJdS970sdr75t61/m/iqvVmLemtRnYgXjDOI2e1RgTTHK7eEvDgMlA
F9eB1BPa4YsbtAtsh5HOPRRfgDUjbp5Cfss2mMNRwL1NEX3RkVug8dePM3zvQNVy
S1+hCsMkuvHtzwGegsOh0Ix8DVDDDSMh1ZV7i6ECAaH1/10Vw7Osp0swEP1VkZ6/
nL1tZKA2kDtHpCtPi3Z4oQNbMdDuKAaFD/eLx7UvMdCjjnf8GbUNkA==
=BFxK
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The Linux Kernel Archives Affected

Updated:  April 02, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Based on Linux kernel source code from The Linux Kernel Archives:

  • Linux kernels 2.2.0-pre5 to 2.2.14 enable UDP DLOOSE IP Masquerade behavior by default.
  • Linux kernels 2.2.15 to 2.2.20 disable UDP DLOOSE IP Masquerade behavior by default.
  • Linux kernels 2.4 and above do not use UDP DLOOSE IP Masquerade behavior since the netfilter/iptables subsystem tracks UDP sessions individually.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc. Not Affected

Notified:  April 23, 2001 Updated: July 12, 2001

Status

Not Affected

Vendor Statement

Apple Mac OS X does not use IP Masquerading and is not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Not Affected

Notified:  April 23, 2001 Updated: April 03, 2002

Status

Not Affected

Vendor Statement

We now have confirmed our original response that HP's IPFilter/9000 is NOT vulnerable to this security hole. HP's IPFilter/9000 is not in the core OS. So filtering and nat functionality is not part of the TCP/IP streams stack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett Packard has reported that HP Secure OS Software for Linux (Trusted Linux) is not vulnerable since it is based on the 2.4 kernel.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems, Inc. Not Affected

Notified:  April 23, 2001 Updated: July 12, 2001

Status

Not Affected

Vendor Statement

Solaris does not have this functionality and isn't vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Berkeley Software Design, Inc. Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

DEC Unknown

Notified:  April 23, 2001 Updated: July 12, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Linux Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD, Inc. Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Unknown

Notified:  April 23, 2001 Updated: July 12, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc. Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Computer Systems, Inc. Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens Nixdorf Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Linux) Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group (SCO Unix) Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys Unknown

Notified:  April 23, 2001 Updated: July 16, 2001

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

The CERT Coordination Center acknowledges H. D. Moore for reporting this issue.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2000-0289
Severity Metric: 2.65
Date Public: 2000-03-27
Date First Published: 2002-04-02
Date Last Updated: 2008-05-06 20:47 UTC
Document Revision: 48

Sponsored by CISA.