7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.013 Low
EPSS
Percentile
86.0%
The “netfilter” firewall subsystem included with Linux kernel versions 2.4.x contains a vulnerability that may allow remote attackers to reach hosts that should be protected.
The “netfilter” subsystem included with Linux kernel versions 2.4.x provides a framework for services such as packet filtering and network address translation (NAT). This subsystem includes a Direct Client Connections (DCC) module for Internet Relay Chat (IRC) that allows netfilter to track outgoing DCC connections. When a DCC connection is initiated by a host inside the firewall, the IRC DCC helper module creates a dynamic firewall rule that allows responses from the remote end of the DCC connection to be passed back to the initiating host.
In versions 2.4.14 to 2.4.18-pre8 of the Linux kernel, netfilter contains an implementation error that causes the IRC DCC module to create firewall rules that are more permissive than necessary. Quoting from the Netfilter Security Announcement:
With IRC DCC, we can only tell the destination IP and port, thus we need an expectation "expect related connection from any ip / any port to this particular port number X at this particular IP address Y".
Due to the implementation bug, however, the mask was to wide. The conntrack helper really says "expect related connection from any ip / any port to this particular port X at ANY IP".
The netfilter subsystem is a standard part of the Linux kernel, so this vulnerability may be present in any Linux distribution that is based on the 2.4.x kernel.
This vulnerability may allow remote attackers to reach hosts that should be protected by the firewall.
Apply a patch from your vendor
To address this vulnerability, the CERT/CC recommends that all users of Linux kernel versions 2.4.x upgrade to the latest kernel version available for their distribution. For vendor-specific information regarding patches and affected versions, please consult the vendor section of this document.
Disable the IRC DCC helper module
If it is not possible or practical to immediately patch an affected device, disabling the IRC DCC helper module will prevent exploitation of this vulnerability.
230307
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: April 15, 2002 Updated: July 05, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
MandrakeSoft has published Security Advisory MDKSA-2002:041 to address this vulnerability. For more information, please see
http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-041.php
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: February 27, 2002 Updated: April 24, 2002
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The maintainers of the netfilter kernel subsystem have published a security announcement at:
http://www.netfilter.org/security/2002-02-25-irc-dcc-mask.html
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: February 28, 2002 Updated: April 24, 2002
Affected
The Netfilter IRC DCC module is distributed with kernels in Red Hat Linux 7.1 and 7.2, although it is not used in default installations. Updated kernel packages with a fix for this issue are available from the Red Hat Network or linked from our advisory:
http://www.redhat.com/support/errata/RHSA-2002-028.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Updated: April 24, 2002
Not Affected
Conectiva Linux is not vulnerable to this problem. We only started including a 2.4 kernel in the CL 7.0 version, and the latest kernel version for that distribution is 2.4.12 which does not include the vulnerable code.
The upcoming Conectiva Linux 8 uses the 2.4.18 kernel which is also not vulnerable.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: March 04, 2002 Updated: April 15, 2002
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Hewlett Packard has published the following HP Security Bulletin to address this issue:
HPSBTL0203-027 Updated 2.4 kernel available
For further information, please visit and search for the appropriate reference number. Please note that registration may be required to access this document.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: April 15, 2002 Updated: April 15, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: April 15, 2002 Updated: April 15, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: April 15, 2002 Updated: April 15, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Notified: April 15, 2002 Updated: April 15, 2002
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23230307 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
Temporal | 0 | E:ND/RL:ND/RC:ND |
Environmental | 0 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
The CERT/CC thanks Jozsef Kadlecsik and Harald Welte of the Netfilter team for discovering and addressing this vulnerability.
This document was written by Jeffrey P. Lanza.
CVE IDs: | CVE-2002-0060 |
---|---|
Severity Metric: | 5.74 Date Public: |