[FoLUG][Fwd: [RHSA-2002:086-05] Netfilter information leak]

G.Camozzi folug@lists.linux.it
Thu, 09 May 2002 16:44:19 +0200


I'm cross-posting about an iptables bug...
...watch out, or someone could work out how your network is mapped if
you use iptables...

I hope this has been useful 

ByeZ!

bugzilla@redhat.com wrote:
> 
> ---------------------------------------------------------------------
>                    Red Hat, Inc. Red Hat Security Advisory
> 
> Synopsis:          Netfilter information leak
> Advisory ID:       RHSA-2002:086-05
> Issue date:        2002-05-08
> Updated on:        2002-05-09
> Product:           Red Hat Linux
> Keywords:          netfilter iptables icmp nat
> Cross references:
> Obsoletes:
> ---------------------------------------------------------------------
> 
> 1. Topic:
> 
> Netfilter ("iptables") can leak information about how port forwarding
> is done in unfiltered ICMP packets.  The older "ipchains" code is not
> affected.
> 
> This bug only affects users using the Network Address Translation
> features of firewalls built with netfilter ("iptables").  Red Hat
> Linux's firewall configuration tools use "ipchains," and those
> configurations are not vulnerable to this bug.
> 
> 2. Relevant releases/architectures:
> 
> 3. Problem description:
> 
> Systems using the netfilter ("iptables") Network Address Translation
> (NAT) capabilities are subject to the following bug:  When a NAT rule
> applies to the first packet of a connection and that packet later
> causes the system to generate an ICMP error message, the ICMP
> error message is sent out with translated addresses included. This
> address information incorrectly gives the IP address to which the
> connection would have been forwarded if the ICMP error message was
> not generated, which exposes information about the netfilter
> configuration (which ports are being translated) and about the
> network topology (which address the ports are being forwarded to).
> Also, the incorrect ICMP packets may be dropped by other intervening
> stateful firewalls as malformed packets.
> 
> ICMP error packets generated by the host being routed to are not
> affected by this bug.
> 
> The firewall configuration generated by Red Hat Linux's firewall
> configuration tools uses ipchains, not iptables; thus, default
> configurations of Red Hat Linux are not affected by this bug.
> 
> 4. Solution:
> 
> Unfortunately, this problem currently has no clean fix, but while
> a clean fix is being worked on, there is a sufficient workaround:
> 
> Filter out untracked local icmp packets using the following command:
> iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
> 
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
> 
> 6. RPMs required:
> 
> 7. Verification:
> 
> MD5 sum                          Package Name
> --------------------------------------------------------------------------
> 
> 
> These packages are GPG signed by Red Hat, Inc. for security.  Our key
> is available at:
>     http://www.redhat.com/about/contact/pgpkey.html
> 
> You can verify each package with the following command:
>     rpm --checksig  <filename>
> 
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
>     rpm --checksig --nogpg <filename>
> 
> 8. References:
> 
> CARTSA-20020402 (http://www.cartel-securite.fr/)
> Thanks to Philippe Biondi <biondi@cartel-securite.fr>
> 
> Copyright(c) 2000, 2001, 2002 Red Hat, Inc.