CERT VU:230307
History: Mar 01, 2002 - 12:00 a.m.

Linux kernel netfilter IRC DCC helper module creates overly permissive firewall rules

2002-03-01 00:00:00
www.kb.cert.org

CVSS2: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.013 Low
Percentile: 86.0%

Overview

The “netfilter” firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.

Description

The “netfilter” subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.

In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:

With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".

Due to the implementation bug, however, the mask was too wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".

The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.
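The effect of the mask described in the announcement can be shown with a simplified model of expectation matching. This is an added example, not code from the kernel or from the Netfilter team; the struct, the function names and the sample addresses and ports are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a conntrack expectation. Only destination fields are
 * kept, because for DCC the source IP and port are unknown ("any").
 * Hypothetical struct and names, not the kernel's own definitions. */
struct dst_tuple { uint32_t ip; uint16_t port; };

struct expectation {
    struct dst_tuple tuple;  /* values the helper parsed from the DCC request */
    struct dst_tuple mask;   /* which bits of the tuple must match */
};

/* A packet is "expected" when every masked bit equals the expectation's. */
static int expect_matches(const struct expectation *e, uint32_t dst_ip, uint16_t dst_port)
{
    return ((dst_ip ^ e->tuple.ip) & e->mask.ip) == 0 &&
           ((dst_port ^ e->tuple.port) & e->mask.port) == 0;
}

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Constructed sample: IP address Y = 192.168.1.10, port X = 5000.
 * buggy=1 models the too-wide mask (destination IP bits all zero). */
static struct expectation make_expectation(int buggy)
{
    struct expectation e = {
        .tuple = { IP(192,168,1,10), 5000 },
        .mask  = { buggy ? 0x00000000u : 0xFFFFFFFFu, 0xFFFF },
    };
    return e;
}

int main(void)
{
    uint32_t client = IP(192,168,1,10), other = IP(192,168,1,20);
    for (int buggy = 0; buggy <= 1; buggy++) {
        struct expectation e = make_expectation(buggy);
        printf("%s mask: client:5000=%d other:5000=%d other:22=%d\n",
               buggy ? "wide " : "exact",
               expect_matches(&e, client, 5000),
               expect_matches(&e, other, 5000),
               expect_matches(&e, other, 22));
    }
    return 0;
}
```

With the exact mask only port X at IP Y matches; with the wide mask port X matches at any destination IP, while other ports remain unmatched.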


Impact

This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.


Solution

Apply a patch from your vendor

To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.


Disable the IRC DCC helper module

If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.


Vendor Information

MandrakeSoft: Affected

Notified: April 15, 2002 Updated: July 05, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

MandrakeSoft has published Security Advisory MDKSA-2002:041 to address this vulnerability. For more information, please see

http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-041.php

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).

Netfilter.org: Affected

Notified: February 27, 2002 Updated: April 24, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The maintainers of the netfilter kernel subsystem have published a security announcement at:

http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html


Red Hat Inc.: Affected

Notified: February 28, 2002 Updated: April 24, 2002

Status

Affected

Vendor Statement

The Netfilter IRC DCC module is distributed with kernels in Red Hat Linux 7.1 and 7.2, although it is not used in default installations. Updated kernel packages with a fix for this issue are available from the Red Hat Network or linked from our advisory:

http://www.redhat.com/support/errata/RHSA-2002-028.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Conectiva: Not Affected

Updated: April 24, 2002

Status

Not Affected

Vendor Statement

Conectiva Linux is not vulnerable to this problem. We only started including a 2.4 kernel in the CL 7.0 version, and the latest kernel version for that distribution is 2.4.12 which does not include the vulnerable code.

The upcoming Conectiva Linux 8 uses the 2.4.18 kernel which is also not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett Packard: Not Affected

Notified: March 04, 2002 Updated: April 15, 2002

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hewlett Packard has published the following HP Security Bulletin to address this issue:

HPSBTL0203-027 Updated 2.4 kernel available
For further information, please visit and search for the appropriate reference number. Please note that registration may be required to access this document.


Caldera: Unknown

Notified: April 15, 2002 Updated: April 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Debian: Unknown

Notified: April 15, 2002 Updated: April 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Engarde: Unknown

Notified: April 15, 2002 Updated: April 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sequent: Unknown

Notified: April 15, 2002 Updated: April 15, 2002

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
| Temporal | 0 | E:ND/RL:ND/RC:ND |
| Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

Acknowledgements

The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: CVE-2002-0060
Severity Metric: 5.74
Date Public:
