---

Progeny Security Advisory: netfilter ftp connection tracking security flaw

From:    Progeny Security Team <security@progeny.com>
Subject: PROGENY-SA-2001-15: netfilter ftp connection tracking security flaw
Date:    15 May 2001 16:23:14 -0500
 

---------------------------------------------------------------------------
PROGENY SERVICE NETWORK -- SECURITY ADVISORY             PROGENY-SA-2001-15
---------------------------------------------------------------------------

    Synopsis:       netfilter ftp connection tracking security flaw

    Software:       kernel-image-2.4.2

    History:
         2001-04-16 Vulnerability announced
         2001-04-16 Vendor patch/fix available
         2001-05-11 Update available in Progeny archive
         2001-05-15 Advisory released

    Credits:        Cristiano Lincoln Mattos <lincoln@cesar.org.br>

    Affects:        Progeny Debian (kernel-image-2.4.2 prior to 0.05)
    Progeny Only:   NO

    Vendor-Status:  New Version Released (kernel-image-2.4.2_0.05)

$Progeny: security/advisory/PROGENY-SA-2001-15,v 1.2 2001/05/15 21:13:28 jdaily Exp $

---------------------------------------------------------------------------


SUMMARY

The linux 2.4.x firewalling code, netfilter, contains a vulnerability
whereby an attacker can bypass firewall rules.


DETAILED DESCRIPTION

The netfilter code in the released versions of the 2.4.x linux kernel
allows an attacker to exploit the ip_conntrack_ftp (stateful inspection
of ftp traffic) module to insert rules into the RELATED ruleset.

The ip_conntrack_ftp module does not validate parameters passed to it in
an ftp PORT command when automatically adding a rule to the RELATED
ruleset. As such, an attacker that can establish an ftp connection
through the firewall is able to bypass the firewall's rules and connect
to arbitrary hosts and ports.

More details and an exploit can be found at
http://www.tempest.com.br/advisories/01-2001.html


IMPACT

Progeny Debian 1.0 does not install a 2.4 kernel by default. The 2.4.2
kernel that ships with Progeny Debian 1.0 does have a vulnerable
ip_conntrack_ftp module, but does not automatically enable any firewall
rules.

On firewall systems that run 2.4.x kernels and have enabled rules that
utilize the ip_conntrack_ftp module, an attacker could insert rules to
the RELATED ruleset and gain access to machines behind a firewall that
they normally would not be able to access.


SOLUTION (See also: UPDATING VIA APT-GET)

Upgrade to a version of the 2.4.x linux kernel with the security fix
applied. For your convenience, you may upgrade to the
kernel-image-2.4.2_0.05 package.


UPDATING VIA APT-GET

1. Ensure that your /etc/apt/sources.list file has a URI for Progeny's
    update repository:

        deb http://archive.progeny.com/progeny updates/newton/

2. Update your cache of available packages for apt(8).

    Example:

        # apt-get update

3. Using apt(8), install the new package. apt(8) will download the
    update, verify its integrity with md5, and then install the
    package on your system with dpkg(8).

    Example:

        # apt-get install kernel-image-2.4.2


UPDATING VIA DPKG

1. Use your preferred FTP/HTTP client to retrieve the following 
    updated files from Progeny's update archive at:

    http://archive.progeny.com/progeny/updates/newton/

    MD5 Checksum                     Filename                             
    -------------------------------- ------------------------------------- 
    0c3ad9bc6dbfa8c099549bdf596ad295 kernel-image-2.4.2_0.05_i386.deb

    Example:

        $ wget 
        http://archive.progeny.com/progeny/updates/newton/kernel-image-2.4.2_0.05_i386.deb

2. Use the md5sum(1) command on the retrieved files to verify that
    they match the MD5 checksum provided in this advisory:

    Example:

        $ md5sum kernel-image-2.4.2_0.05_i386.deb

3. Then install the replacement package(s) using dpkg(8).

    Example:

        # dpkg --install kernel-image-2.4.2_0.05_i386.deb


WORKAROUND

As an alternative to the above solution, disable stateful inspection
of ftp traffic by removing the lines that load the ip_conntrack_ftp
module from your firewall's rule scripts.  Passive ftp should not be
impacted, but other ftp connections will no longer work.


MORE INFORMATION

Some Cisco equipment has been reported to depend on the behavior that
this advisory details as a security vulnerability. The solution
mentioned above may cause problems if you are depending on netfilter to
allow for this behavior. 

Progeny advisories can be found at http://www.progeny.com/security/.

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis