The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of iptables

vulnerability CVE-2019-11360

iptables: buffer overflow via iptables-restore

Synthesis of the vulnerability

An attacker can trigger a buffer overflow in the iptables-restore tool of iptables, in order to cause a denial of service, and possibly to run code.
Impacted products: netfilter.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 15/07/2019.
Identifiers: CVE-2019-11360, VIGILANCE-VUL-29770.

Description of the vulnerability

An attacker can trigger a buffer overflow in the iptables-restore tool of iptables, in order to cause a denial of service, and possibly to run code.

vulnerability CVE-2016-3134 CVE-2016-3135

Linux kernel: memory corruption via IPT_SO_SET_REPLACE

Synthesis of the vulnerability

A local attacker with CONFIG_USER_NS can generate a memory corruption via the IPT_SO_SET_REPLACE option of the Linux kernel, in order to trigger a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Android OS, Linux, netfilter, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/03/2016.
Identifiers: CERTFR-2016-AVI-099, CERTFR-2016-AVI-267, CERTFR-2016-AVI-278, CVE-2016-3134, CVE-2016-3135, DLA-516-1, DSA-3607-1, FEDORA-2016-02ed08bf15, FEDORA-2016-3a57b19360, openSUSE-SU-2016:1641-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2290-1, openSUSE-SU-2016:2649-1, RHSA-2016:1847-01, RHSA-2016:1875-01, RHSA-2016:1883-01, SUSE-SU-2016:1672-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:1985-1, SUSE-SU-2016:2074-1, SUSE-SU-2016:2245-1, USN-2929-1, USN-2929-2, USN-2930-1, USN-2930-2, USN-2930-3, USN-2931-1, USN-2932-1, USN-3049-1, USN-3050-1, USN-3051-1, USN-3052-1, USN-3053-1, USN-3054-1, USN-3055-1, USN-3056-1, USN-3057-1, VIGILANCE-VUL-19150.

Description of the vulnerability

The Linux kernel implements the IPT_SO_SET_REPLACE option of setsockopt(), which alters the rules of netfilter iptables. Using this option requires no privileges when CONFIG_USER_NS=y.

However, an attacker can create an ipt_entry structure whose next_offset field is too large, which leads to a memory corruption.

A local attacker with CONFIG_USER_NS can therefore generate a memory corruption via the IPT_SO_SET_REPLACE option of the Linux kernel, in order to trigger a denial of service, and possibly to run code.

vulnerability alert CVE-2015-6496

Linux kernel: denial of service via Conntrack DCCP SCTP ICMPv6

Synthesis of the vulnerability

An attacker can send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Linux, netfilter, openSUSE.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 18/08/2015.
Identifiers: 910, CVE-2015-6496, DSA-3341-1, FEDORA-2015-1aee5e6f0b, FEDORA-2015-5eb2131441, openSUSE-SU-2015:1688-1, VIGILANCE-VUL-17691.

Description of the vulnerability

The Linux kernel uses the Netfilter firewall, which implements connection tracking in Conntrack.

The DCCP, SCTP and ICMPv6 modules are optional. However, when one of these packets is received while the corresponding module is not loaded, a fatal error occurs.

An attacker can therefore send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.

vulnerability bulletin CVE-2014-9715

Linux kernel: denial of service via Netfilter Conntrack Ext

Synthesis of the vulnerability

An attacker can send some packets requiring a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.
Impacted products: Debian, Linux, netfilter, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 08/04/2015.
Identifiers: CERTFR-2015-AVI-236, CERTFR-2015-AVI-328, CVE-2014-9715, DSA-3237-1, openSUSE-SU-2016:0301-1, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, USN-2611-1, USN-2612-1, USN-2613-1, USN-2614-1, VIGILANCE-VUL-16553.

Description of the vulnerability

The Linux kernel uses the Netfilter firewall, which implements the connection tracking in Conntrack.

The nf_ct_ext structure stores the extensions required to track some protocols. However, the size of these extensions is stored in an 8-bit integer, whereas the cumulative size can be larger than 256 bytes in some cases (PPTP + NAT). Netfilter then tries to read an inaccessible memory area, which triggers a fatal error.

An attacker can therefore send some packets requiring a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.

computer vulnerability bulletin CVE-2015-1573

Linux kernel: denial of service via nft_flush_table

Synthesis of the vulnerability

A local privileged attacker can force an error in the nft_flush_table() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, netfilter, RHEL.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: privileged shell.
Creation date: 10/02/2015.
Identifiers: 1190966, CERTFR-2015-AVI-263, CVE-2015-1573, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, VIGILANCE-VUL-16138.

Description of the vulnerability

The Linux kernel uses the netfilter firewall, which uses tables that can be flushed by users with the CAP_NET_ADMIN capability.

However, the nft_flush_table() function of the net/netfilter/nf_tables_api.c file can be called twice to flush the same table, which triggers a fatal error.

A local privileged attacker can therefore force an error in the nft_flush_table() function of the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2014-8160

Linux kernel: bypassing SCTP Firewall rules

Synthesis of the vulnerability

When the SCTP Conntrack module is not loaded, an attacker can bypass the SCTP rules of the Linux kernel firewall.
Impacted products: Debian, Linux, netfilter, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data flow.
Provenance: intranet client.
Creation date: 14/01/2015.
Identifiers: CERTFR-2015-AVI-081, CERTFR-2015-AVI-085, CERTFR-2015-AVI-093, CERTFR-2015-AVI-165, CVE-2014-8160, DSA-3170-1, MDVSA-2015:057, MDVSA-2015:058, openSUSE-SU-2015:0713-1, openSUSE-SU-2015:0714-1, RHSA-2015:0284-03, RHSA-2015:0290-01, RHSA-2015:0674-01, SUSE-SU-2015:0529-1, SUSE-SU-2015:0581-1, SUSE-SU-2015:0652-1, SUSE-SU-2015:0736-1, USN-2513-1, USN-2514-1, USN-2515-1, USN-2515-2, USN-2516-1, USN-2516-2, USN-2516-3, USN-2517-1, USN-2518-1, VIGILANCE-VUL-15960.

Description of the vulnerability

The SCTP protocol is used to transport several message streams, multiplexed over one connection.

The iptables firewall supports rules for the SCTP protocol. However, if the SCTP Conntrack module is not loaded, all SCTP streams are allowed.

When the SCTP Conntrack module is not loaded, an attacker can therefore bypass the SCTP rules of the Linux kernel firewall.

computer vulnerability alert CVE-2014-1690

Linux kernel: information disclosure via nf_nat_irc

Synthesis of the vulnerability

An attacker who communicates via IRC can obtain fragments of Linux kernel memory, in order to obtain sensitive information.
Impacted products: Linux, netfilter, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/01/2014.
Identifiers: BID-65180, CERTFR-2014-AVI-107, CVE-2014-0025-REJECT, CVE-2014-1690, openSUSE-SU-2014:0677-1, openSUSE-SU-2014:0678-1, RHSA-2014:0439-01, USN-2137-1, USN-2140-1, USN-2158-1, VIGILANCE-VUL-14146.

Description of the vulnerability

The NetFilter firewall supports the tracking of IRC connections (NF_NAT_IRC).

However, the help() function of the net/netfilter/nf_nat_irc.c file does not initialize a memory area before inserting it in the IRC packet, which is then sent on the network.

An attacker who communicates via IRC can therefore obtain fragments of Linux kernel memory, in order to obtain sensitive information.

computer vulnerability CVE-2010-0007

Linux kernel: altering ebtables

Synthesis of the vulnerability

When Linux is used in bridge mode with ebtables, a local attacker can modify rules.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, netfilter, NLD, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: data flow.
Provenance: user shell.
Creation date: 13/01/2010.
Identifiers: BID-37762, CERTA-2002-AVI-252, CERTA-2010-AVI-080, CVE-2010-0007, DSA-1996-1, DSA-2003-1, DSA-2004-1, FEDORA-2010-0919, MDVSA-2011:051, RHSA-2010:0146-01, RHSA-2010:0147-01, RHSA-2010:0161-01, SOL16473, SUSE-SA:2010:007, SUSE-SA:2010:010, SUSE-SA:2010:012, SUSE-SA:2010:013, SUSE-SA:2010:014, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9345, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

When Linux is used in bridge mode, the administrator can use the ebtables firewall tool to define network rules.

The do_ebt_set_ctl() and do_ebt_get_ctl() functions of the net/bridge/netfilter/ebtables.c file are used to change and read the information associated with these rules.

However, these functions do not check whether the caller has the CAP_NET_ADMIN capability.

A local unprivileged attacker can therefore alter ebtables rules.

vulnerability note CVE-2007-3642

Linux kernel: denial of service of nf_conntrack_h323

Synthesis of the vulnerability

An attacker can use malicious H.323 packets in order to generate a denial of service in Netfilter.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, netfilter.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 09/07/2007.
Identifiers: BID-24818, CVE-2007-3642, DSA-1356-1, FEDORA-2007-1130, FEDORA-2007-655, MDKSA-2007:195, VIGILANCE-VUL-6974.

Description of the vulnerability

The H.323 protocol encodes its data via ASN.1. The ASN.1 language supports several types: INTEGER, BOOLEAN, CHOICE, etc.

The decode_choice() function of the net/netfilter/nf_conntrack_h323_asn1.c file decodes the CHOICE type. However, this function does not check whether the index is too large. This error leads to a NULL pointer dereference.

An attacker can therefore send a malicious H.323 packet in order to stop the kernel.

vulnerability bulletin CVE-2007-1496

Linux kernel: denials of service of nfnetlink_log

Synthesis of the vulnerability

An attacker can generate four denials of service via the nfnetlink_log() function.
Impacted products: Debian, Linux, Mandriva Linux, netfilter, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/05/2007.
Identifiers: BID-22946, CERTA-2002-AVI-088, CVE-2007-1496, DSA-1289-1, MDKSA-2007:171, RHSA-2007:0347-01, SUSE-SA:2007:043, VIGILANCE-VUL-6813.

Description of the vulnerability

An attacker can generate several denials of service related to errors in the nfnetlink_log() function.

When a bridged packet is analyzed, the skb->nf_bridge->physoutdev pointer is dereferenced in nfnetlink_log() without having been initialized. [severity:2/4]

A NULL pointer can be dereferenced during a call to nfulnl_recv_config(). [severity:2/4]

A NULL pointer can be dereferenced when there are several packets in the same netlink message. [severity:2/4]

The instance_put() function may free a pointer later used by spin_unlock_bh(). [severity:2/4]