Linux Kernel Netfilter/IPTables Experimental Queueing Bug May Disclose Network Traffic to Local Users
SecurityTracker Alert ID: 1005746|
SecurityTracker URL: http://securitytracker.com/id/1005746
(Links to External Site)
Date: Dec 3 2002
Disclosure of system information|
Fix Available: Yes Vendor Confirmed: Yes |
An access control vulnerability was reported in the Linux kernel Netfilter/IPTables firewall functions. A local user may be able to read arbitrary network traffic in certain circumstances.|
According to the report, a userspace process without NET_ADMIN privileges can re-use the process id (PID) of a previous privileged process and possibly receive a limited amount of network traffic.
This would reportedly only occur if no network traffic had been queued after the privileged process exited and the unprivileged process was established. Also, the kernel module will only transmit a limited number of packets to the userspace process without acknowledgment, limited to the queue length (the default is 1024 packets).
If a system has Netfilter (or iptables) enabled and the ip_queue or ip6_queue experimental IP queuing modules are being used, the system may be vulnerable.
A local user may be able to read network packets under certain circumstances.|
The vendor has issued a fix and recommends that you upgrade to the Linux kernel 2.4.20 (stable) or 2.5.32 (development).|
Vendor URL: www.netfilter.org/security/ (Links to External Site)
Access control error, State error|
|Underlying OS: Linux (Any)|
Source Message Contents
Subject: Local Netfilter / IPTables IP Queue PID Wrap Flaw|
-----BEGIN PGP SIGNED MESSAGE-----
Netfilter Core Team Security Advisory
Local Netfilter / IPTables IP Queue PID Wrap Flaw
December 3, 2002.
Under limited circumstances, an unprivileged local user may be able
to read a limited amount of arbitrary IPv4 or IPv6 traffic.
Linux 2.4 kernels up to and including 2.4.19, and Linux 2.5 kernels
up to and including 2.5.31, where Netfilter / IPTables is enabled,
and where either of the experimental IP queuing modules (ip_queue,
ip6_queue) are in use.
Upgrade to Linux kernels 2.4.20 (stable), and 2.5.32 (development).
Under Linux 2.4 and 2.5, an experimental IP packet queuing feature is
available as part of Netfilter / IPTables. This consists of kernel
modules and a userspace library which allow userspace mediation and
modification of IPv4 and IPv6 packets.
A userspace mediation process must normally be privileged (requiring
NET_ADMIN capability) to process packets from the kernel. To commence
mediating packets, a userspace process typically sends a Netlink message
to the associated kernel module, specifying queuing parameters. The
kernel module captures the Unix process ID (PID) of the process to ensure
reliable queuing and delivery of packets.
If the privileged mediation process exits, an unprivileged process
re-using the same PID may be able to receive a limited amount of
This would only occur if no network traffic was queued between the exit
of the privileged process and the establishment of the unprivileged
process, as the kernel module will reset the queuing session upon
transmission error to userspace.
The kernel module will only transmit a limited number of packets to
the userspace process without acknowledgment. As all transmissions
from userspace to the kernel module require NET_ADMIN capability,
the unprivileged process will not be able to acknowledge packets.
Thus, the maximum number of packets that the unprivileged process
can read is limited to the queue length (default 1024 packets).
The unprivileged process can also only read packets which have been
selected for queuing via IPTables by a privileged process.
This flaw is theorized to be difficult and somewhat invasive to exploit,
probably requiring a combined use of DoS attacks. It was discovered by
the author of the code, and no exploits are known to exist.
Fixing the flaw involved implementing a reliable mechanism for detecting
when the Netlink control socket of a privileged mediation process is
closed, and resetting the kernel queuing session state upon such events.
The fix was implemented by the Netfilter Core Team, with contributions
from Jamal Hadi Salim and Alexey Kuznetsov.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----