From: Kurt Seifried <seifried@SECURITYPORTAL.COM> To: LINUX-SECURITY@LISTSERV.SECURITYPORTAL.COM Subject: LSLID:2001051504 - Progeny - Kernel (netfilter) - PROGENY-SA-2001-15 Date: Tue, 15 May 2001 15:28:48 -0600 LSLID:2001051504 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 --------------------------------------------------------------------------- PROGENY SERVICE NETWORK -- SECURITY ADVISORY PROGENY-SA-2001-15 --------------------------------------------------------------------------- Synopsis: netfilter ftp connection tracking security flaw Software: kernel-image-2.4.2 History: 2001-04-16 Vulnerability announced 2001-04-16 Vendor patch/fix available 2001-05-11 Update available in Progeny archive 2001-05-15 Advisory released Credits: Cristiano Lincoln Mattos <lincoln@cesar.org.br> Affects: Progeny Debian (kernel-image-2.4.2 prior to 0.05) Progeny Only: NO Vendor-Status: New Version Released (kernel-image-2.4.2_0.05) $Progeny: security/advisory/PROGENY-SA-2001-15,v 1.2 2001/05/15 21:13:28 jdaily Exp $ --------------------------------------------------------------------------- SUMMARY The linux 2.4.x firewalling code, netfilter, contains a vulnerability whereby an attacker can bypass firewall rules. DETAILED DESCRIPTION The netfilter code in the released versions of the 2.4.x linux kernel allows an attacker to exploit the ip_conntrack_ftp (stateful inspection of ftp traffic) module to insert rules into the RELATED ruleset. The ip_conntrack_ftp module does not validate parameters passed to it in an ftp PORT command when automatically adding a rule to the RELATED ruleset. As such, an attacker that can establish an ftp connection through the firewall is able to bypass the firewall's rules and connect to arbitrary hosts and ports. More details and an exploit can be found at http://www.tempest.com.br/advisories/01-2001.html IMPACT Progeny Debian 1.0 does not install a 2.4 kernel by default. The 2.4.2 kernel that ships with Progeny Debian 1.0 does have a vulnerable ip_conntrack_ftp module, but does not automatically enable any firewall rules. On firewall systems that run 2.4.x kernels and have enabled rules that utilize the ip_conntrack_ftp module, an attacker could insert rules to the RELATED ruleset and gain access to machines behind a firewall that they normally would not be able to access. SOLUTION (See also: UPDATING VIA APT-GET) Upgrade to a version of the 2.4.x linux kernel with the security fix applied. For your convenience, you may upgrade to the kernel-image-2.4.2_0.05 package. UPDATING VIA APT-GET 1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's update repository: deb http://archive.progeny.com/progeny updates/newton/ 2. Update your cache of available packages for apt(8). Example: # apt-get update 3. Using apt(8), install the new package. apt(8) will download the update, verify its integrity with md5, and then install the package on your system with dpkg(8). Example: # apt-get install kernel-image-2.4.2 UPDATING VIA DPKG 1. Use your preferred FTP/HTTP client to retrieve the following updated files from Progeny's update archive at: http://archive.progeny.com/progeny/updates/newton/ MD5 Checksum Filename -------------------------------- ------------------------------------- 0c3ad9bc6dbfa8c099549bdf596ad295 kernel-image-2.4.2_0.05_i386.deb Example: $ wget \ http://archive.progeny.com/progeny/updates/newton/kernel-image-2.4.2_0.05_i386 .deb 2. Use the md5sum(1) command on the retrieved files to verify that they match the MD5 checksum provided in this advisory: Example: $ md5sum kernel-image-2.4.2_0.05_i386.deb 3. Then install the replacement package(s) using dpkg(8). Example: # dpkg --install kernel-image-2.4.2_0.05_i386.deb WORKAROUND As an alternative to the above solution, disable stateful inspection of ftp traffic by removing the lines that load the ip_conntrack_ftp module from your firewall's rule scripts. Passive ftp should not be impacted, but other ftp connections will no longer work. MORE INFORMATION Some Cisco equipment has been reported to depend on the behavior that this advisory details as a security vulnerability. The solution mentioned above may cause problems if you are depending on netfilter to allow for this behavior. Progeny advisories can be found at http://www.progeny.com/security/. --------------------------------------------------------------------------- pub 1024D/F92D4D1F 2001-04-04 Progeny Security Team <security@progeny.com> - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org mQGiBDrKpVkRBACS4/hjUliUt9UGTHMUGSZpQlKfBk9OFHmyLHTdjyIBCWRMmOBn RRhag0FgPicVIDndoQvYw3+ESC/RtbuPCBf6DZ7S0+NHhm1SHEbZyHFLkRXJm+IS 29oFmKrfXnXHckCrJFDZbOznRF6dVe7hV8CYi3FtoTjlRbuiHPQCMuy4ewCghAfv eYxfB25AoTdBT7WiG8jd4w8D/iFweuqzTwcWtXEgDbDd21W9hNPLEELgguimCCdP l3GHqw/MUJpIvdYfYhCzTaf4VpvkM5xlJGAcelCUL9qAufwyU8U8JI2YzlbqSlO8 qRwaiwq9qisTKEBb3IQadFqug+ihVdUeP8cuXPvbUEbFt7ILWyUD/kntgFdf1Apo zZWlA/0SM45hV6yomcM7z08tyh4hZTrWX/RUJqe+U1niNAmzPg4P+r8SfXdIkjb2 fZT5h5cYLIiK+kUEkqyPmZwUlgMCCn4IYVd2pcKXKXWE8ympuf3E5wGYeiVpLBM/ th7qdEF87sViV8McfiRuXEonYrs1nSQZX+f4OxvTQqaP46u10rQsUHJvZ2VueSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBwcm9nZW55LmNvbT6IVwQTEQIAFwUCOsql WQULBwoDBAMVAwIDFgIBAheAAAoJEEnBfSP5LU0f/sUAnjDpQs5SnFotNJ7GeIWx Ftf7AvBBAJ0cygWS0XRXxJJq2PKbCbdln+i4d7kEDQQ6yqcjEBAA465SSuC/yvN7 WeZAN9XperqZtxLCVe8hLfrLZ+9/Xn2ysuEEe90rYe1X0HbsB/mInHF3VmT+XvHB VdDQ7o0VMw7aeDgprt3jDQgT8gIesSOhZvulDujmLhykE+FT/V4lKpqO8prv7Ujs AfuC7g/X2dcV1+imNOeivLaCM0+HrwUhdvifWFDwE97wBkrda/vhu9zs3NwMeBVN UYfkRLPm+DGUSQVrteNiYJchhqfJB0mjrd+3FgnpCVgdU4c42epZ2ez/WTgTchoT duMCd1sM9gzvQIih56KzxlGL82PVS2m0PNxSQ8iZpheMMGWregjpjpMRcrRbSXy+ WmPBacOiE/MyxXand+lGzig/9Srm6msUT5jE/lDcfySznJWH8B/fqD7KM5Z0ZM+b 3xV0PzGyMld+m3BfGolqsd5bpo8HaWCWsZVYfgdXjoDPYptsoPdLesN6WIAHA1kU n2kckccz4xOoI/8MqKhkzZe0q5a9sv6RLBWDeVLxJnDuXZgcwCc4OvpcR4HnOE7c U5VsyjYwTkzGWWuQxb8uxng3akHTK2PqeZAnC0tvtuwI7QFhOq/dzz+zHzVH2+Qh 55Aq6DjA9yEs3P7g31wb3duGdWtuIXn+N85GiJdZ1EmJESQCuOYOSHsV4bGxKcpg PIpoSr5QBAUtUOTwN+xC8nNjZtC5OzsAAwYP/1OD/eiEraGpy7Z9scgXBjjb1kly tgq06zGlSMWPEQoN3F87YeMiOsXSeDxJG+cnhvlys1Qoytp9/drsDLANi+Q61A/b aka2IJLudiDu4iUDFb1rgRUERBciA31karPf2IwNjdU8lbulHfxQcjtjj7rbSWOG gxzlPcLp2F5ee3h0qs+XW4UpD6K9f/u9gGT4nMr3owG06uNomlBAsGCVpk9XlRxG x96161vrbmTPUx/o6NhqHNuf5Zh8ZmxQ3PYydywiE9njOtS04TTad24qbdPlVQh2 kjkTdsMCFRGaAB8EYImMT3F0ofon1Q/XWZrRlhkZpzuAKLhdSOW5G+tygNy2IqsH wCYa/rDitYZeNN4EUb5At4HnSBCy86GFQgj+sDFO6yp+h7NLIMeTm0csaSbKEt6o cbn0iMaRbLdHmAm0UHATPho+M2brf3mTztvAPONta2FC9TP1L1ojTDd4mtO9IcdM hjOVqNbuyLXkWgPcSmwhhjB61p3/1M1Y/zfXxLOsi/XJlstYzzKzHa68F1e9dTEz kgeYo1hG5TqMKv1sXfPJHw4N/QVcLoUlpUJZ/kI2OQD5mAhCCZ9PbT2fT4gLhy7U sn0blh/R/0HFSFDwHgmx8mNfw7w0qFbba9/FEE8D5qhyyCx5KTk0OkvRL9OpzO7E jzjdcfb6B2XpgSC8iEYEGBECAAYFAjrKpyMACgkQScF9I/ktTR90vgCggiX108DO S3rhSkmfFuHey8w4RlIAn3nD+uCe+sjCFqVwb+LY2jO3ybjB =6dRm - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjsBnGQACgkQScF9I/ktTR8jGQCfdiym4ndMCjFUcqdofadoDhEA 8oQAni9U2TONge8ZEH8NAAay6XVC3Lyv =I9aU -----END PGP SIGNATURE-----