The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of netfilter iptables

vulnerability CVE-2016-3134 CVE-2016-3135

Linux kernel: memory corruption via IPT_SO_SET_REPLACE

Synthesis of the vulnerability

A local attacker, on a kernel built with CONFIG_USER_NS, can trigger memory corruption via the IPT_SO_SET_REPLACE option of the Linux kernel, in order to cause a denial of service, and possibly to run code.
Impacted products: Debian, Fedora, Android OS, Linux, netfilter, openSUSE, openSUSE Leap, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/03/2016.
Identifiers: CERTFR-2016-AVI-099, CERTFR-2016-AVI-267, CERTFR-2016-AVI-278, CVE-2016-3134, CVE-2016-3135, DLA-516-1, DSA-3607-1, FEDORA-2016-02ed08bf15, FEDORA-2016-3a57b19360, openSUSE-SU-2016:1641-1, openSUSE-SU-2016:2144-1, openSUSE-SU-2016:2290-1, openSUSE-SU-2016:2649-1, RHSA-2016:1847-01, RHSA-2016:1875-01, RHSA-2016:1883-01, SUSE-SU-2016:1672-1, SUSE-SU-2016:1690-1, SUSE-SU-2016:1696-1, SUSE-SU-2016:1764-1, SUSE-SU-2016:1985-1, SUSE-SU-2016:2074-1, SUSE-SU-2016:2245-1, USN-2929-1, USN-2929-2, USN-2930-1, USN-2930-2, USN-2930-3, USN-2931-1, USN-2932-1, USN-3049-1, USN-3050-1, USN-3051-1, USN-3052-1, USN-3053-1, USN-3054-1, USN-3055-1, USN-3056-1, USN-3057-1, VIGILANCE-VUL-19150.

Description of the vulnerability

The Linux kernel implements the IPT_SO_SET_REPLACE option of setsockopt(), which alters the rules of netfilter iptables. When CONFIG_USER_NS=y, this option can be used without privileges.

However, an attacker can submit an ipt_entry structure whose next_offset field is too large, which leads to memory corruption.

A local attacker with CONFIG_USER_NS can therefore trigger memory corruption via the IPT_SO_SET_REPLACE option of the Linux kernel, in order to cause a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-6496

Linux kernel: denial of service via Conntrack DCCP SCTP ICMPv6

Synthesis of the vulnerability

An attacker can send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.
Impacted products: Debian, Fedora, Linux, netfilter, openSUSE.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 18/08/2015.
Identifiers: 910, CVE-2015-6496, DSA-3341-1, FEDORA-2015-1aee5e6f0b, FEDORA-2015-5eb2131441, openSUSE-SU-2015:1688-1, VIGILANCE-VUL-17691.

Description of the vulnerability

The Linux kernel uses the Netfilter firewall, which implements connection tracking in Conntrack.

The DCCP, SCTP and ICMPv6 Conntrack modules are optional. However, when a packet of one of these protocols is received while the corresponding module is not loaded, a fatal error occurs.

An attacker can therefore send DCCP, SCTP or ICMPv6 packets to the Linux kernel, in order to trigger a denial of service.

vulnerability bulletin CVE-2014-9715

Linux kernel: denial of service via Netfilter Conntrack Ext

Synthesis of the vulnerability

An attacker can send some packets requiring a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.
Impacted products: Debian, Linux, netfilter, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: intranet client.
Creation date: 08/04/2015.
Identifiers: CERTFR-2015-AVI-236, CERTFR-2015-AVI-328, CVE-2014-9715, DSA-3237-1, openSUSE-SU-2016:0301-1, RHSA-2015:1534-01, RHSA-2015:1564-01, RHSA-2015:1565-01, USN-2611-1, USN-2612-1, USN-2613-1, USN-2614-1, VIGILANCE-VUL-16553.

Description of the vulnerability

The Linux kernel uses the Netfilter firewall, which implements connection tracking in Conntrack.

The nf_ct_ext structure stores the extensions required to track some protocols. However, the size of these extensions is stored in an 8-bit integer, whereas their cumulated size can exceed 256 bytes in some cases (PPTP + NAT). Netfilter then tries to read an invalid memory area, which triggers a fatal error.

An attacker can therefore send some packets requiring a complex analysis by Netfilter Conntrack, in order to trigger a denial of service of the Linux kernel.

computer vulnerability bulletin CVE-2015-1573

Linux kernel: denial of service via nft_flush_table

Synthesis of the vulnerability

A local privileged attacker can force an error in the nft_flush_table() function of the Linux kernel, in order to trigger a denial of service.
Impacted products: Linux, netfilter, RHEL.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: privileged shell.
Creation date: 10/02/2015.
Identifiers: 1190966, CERTFR-2015-AVI-263, CVE-2015-1573, RHSA-2015:1137-01, RHSA-2015:1138-01, RHSA-2015:1139-01, VIGILANCE-VUL-16138.

Description of the vulnerability

The Linux kernel uses the netfilter firewall, whose tables can be flushed by users with the CAP_NET_ADMIN capability.

However, the nft_flush_table() function of the net/netfilter/nf_tables_api.c file can be made to flush the same table twice, which triggers a fatal error.

A local privileged attacker can therefore force an error in the nft_flush_table() function of the Linux kernel, in order to trigger a denial of service.

vulnerability CVE-2014-8160

Linux kernel: bypassing SCTP Firewall rules

Synthesis of the vulnerability

When the SCTP Conntrack module is not loaded, an attacker can bypass the SCTP rules of the Linux kernel firewall.
Impacted products: Debian, Linux, netfilter, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data flow.
Provenance: intranet client.
Creation date: 14/01/2015.
Identifiers: CERTFR-2015-AVI-081, CERTFR-2015-AVI-085, CERTFR-2015-AVI-093, CERTFR-2015-AVI-165, CVE-2014-8160, DSA-3170-1, MDVSA-2015:057, MDVSA-2015:058, openSUSE-SU-2015:0713-1, openSUSE-SU-2015:0714-1, RHSA-2015:0284-03, RHSA-2015:0290-01, RHSA-2015:0674-01, SUSE-SU-2015:0529-1, SUSE-SU-2015:0581-1, SUSE-SU-2015:0652-1, SUSE-SU-2015:0736-1, USN-2513-1, USN-2514-1, USN-2515-1, USN-2515-2, USN-2516-1, USN-2516-2, USN-2516-3, USN-2517-1, USN-2518-1, VIGILANCE-VUL-15960.

Description of the vulnerability

The SCTP protocol is used to transport several message streams, multiplexed over one connection.

The iptables firewall supports rules for the SCTP protocol. However, if the SCTP Conntrack module is not loaded, all SCTP streams are allowed through.

When the SCTP Conntrack module is not loaded, an attacker can therefore bypass the SCTP rules of the Linux kernel firewall.

computer vulnerability alert CVE-2014-1690

Linux kernel: information disclosure via nf_nat_irc

Synthesis of the vulnerability

An attacker who communicates via IRC can obtain fragments of Linux kernel memory, in order to obtain sensitive information.
Impacted products: Linux, netfilter, openSUSE, RHEL, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 28/01/2014.
Identifiers: BID-65180, CERTFR-2014-AVI-107, CVE-2014-0025-REJECT, CVE-2014-1690, openSUSE-SU-2014:0677-1, openSUSE-SU-2014:0678-1, RHSA-2014:0439-01, USN-2137-1, USN-2140-1, USN-2158-1, VIGILANCE-VUL-14146.

Description of the vulnerability

The NetFilter firewall supports the tracking of IRC connections (NF_NAT_IRC).

However, the help() function of the net/netfilter/nf_nat_irc.c file does not initialize a memory area before inserting it into the IRC packet, which is then sent on the network.

An attacker who communicates via IRC can therefore obtain fragments of Linux kernel memory, in order to obtain sensitive information.

computer vulnerability CVE-2010-0007

Linux kernel: altering ebtables

Synthesis of the vulnerability

When Linux is used in bridge mode with ebtables, a local attacker can modify the firewall rules.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, Linux, netfilter, NLD, openSUSE, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: data flow.
Provenance: user shell.
Creation date: 13/01/2010.
Identifiers: BID-37762, CERTA-2002-AVI-252, CERTA-2010-AVI-080, CVE-2010-0007, DSA-1996-1, DSA-2003-1, DSA-2004-1, FEDORA-2010-0919, MDVSA-2011:051, RHSA-2010:0146-01, RHSA-2010:0147-01, RHSA-2010:0161-01, SOL16473, SUSE-SA:2010:007, SUSE-SA:2010:010, SUSE-SA:2010:012, SUSE-SA:2010:013, SUSE-SA:2010:014, SUSE-SU-2011:0928-1, VIGILANCE-VUL-9345, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

When Linux is used in bridge mode, the administrator can use the ebtables firewall tool to define network rules.

The do_ebt_set_ctl() and do_ebt_get_ctl() functions of the net/bridge/netfilter/ebtables.c file are used to change and read the information associated with these rules.

However, these functions do not check whether the caller has the CAP_NET_ADMIN capability.

A local unprivileged attacker can therefore alter ebtables rules.

vulnerability note CVE-2007-3642

Linux kernel: denial of service of nf_conntrack_h323

Synthesis of the vulnerability

An attacker can use malicious H.323 packets in order to generate a denial of service in Netfilter.
Impacted products: Debian, Fedora, Linux, Mandriva Linux, netfilter.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 09/07/2007.
Identifiers: BID-24818, CVE-2007-3642, DSA-1356-1, FEDORA-2007-1130, FEDORA-2007-655, MDKSA-2007:195, VIGILANCE-VUL-6974.

Description of the vulnerability

The H.323 protocol encodes its data via ASN.1. The ASN.1 language supports several types: INTEGER, BOOLEAN, CHOICE, etc.

The decode_choice() function of the net/netfilter/nf_conntrack_h323_asn1.c file decodes the CHOICE type. However, this function does not check whether the choice index is too large, which leads to a NULL pointer dereference.

An attacker can therefore send a malicious H.323 packet in order to crash the kernel.

vulnerability bulletin CVE-2007-1496

Linux kernel: denials of service of nfnetlink_log

Synthesis of the vulnerability

An attacker can trigger four denials of service via the nfnetlink_log() function.
Impacted products: Debian, Linux, Mandriva Linux, netfilter, NLD, OES, openSUSE, RHEL, SLES.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/05/2007.
Identifiers: BID-22946, CERTA-2002-AVI-088, CVE-2007-1496, DSA-1289-1, MDKSA-2007:171, RHSA-2007:0347-01, SUSE-SA:2007:043, VIGILANCE-VUL-6813.

Description of the vulnerability

An attacker can trigger several denials of service related to errors in the nfnetlink_log() function.

When a bridged packet is analyzed, the skb->nf_bridge->physoutdev pointer is dereferenced in nfnetlink_log() without having been initialized. [severity:2/4]

A NULL pointer can be dereferenced during a call to nfulnl_recv_config(). [severity:2/4]

A NULL pointer can be dereferenced when there are several packets in the same netlink message. [severity:2/4]

The instance_put() function may free a pointer later used by spin_unlock_bh(). [severity:2/4]

vulnerability alert CVE-2007-2242

IPv6: vulnerabilities of IPv6 Routing Header

Synthesis of the vulnerability

An attacker can send IPv6 packets in order to generate a denial of service or to obtain information.
Impacted products: IOS by Cisco, Cisco Router, Fedora, FreeBSD, Juniper J-Series, Junos OS, Linux, Mandriva Linux, Mandriva NF, NetBSD, netfilter, OpenBSD, openSUSE, IP protocol, RHEL, SLES.
Severity: 3/4.
Consequences: data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 24/04/2007.
Identifiers: BID-23615, CERTA-2007-AVI-389, CVE-2007-2242, FEDORA-2007-482, FEDORA-2007-483, FreeBSD-SA-07:03.ipv6, MDKSA-2007:171, MDKSA-2007:196, MDKSA-2007:216, NetBSD-SA2007-005, RHSA-2007:0347-01, SUSE-SA:2007:051, SUSE-SA:2008:006, VIGILANCE-VUL-6761, VU#267289.

Description of the vulnerability

The IPv6 protocol defines optional headers: Hop-by-Hop, Routing, Fragment, etc. The Routing header can have several types:
 - 0 : source route (RFC 2460)
 - 1 : Nimrod
 - 2 : mobility (RFC 3775)
Type 0 lets the sender specify the routers to traverse, which leads to several vulnerabilities.

By sending packets with a short Hop Limit (TTL), as traceroute does, and naming alternative routers in the header, an attacker can discover the topology of the targeted network. [severity:3/4]

An attacker can bounce packets through the internal network if the firewall does not correctly filter Routing headers. [severity:3/4]

An attacker can create a packet indicating to go through:
 - router1, then
 - router2, then
 - router1, then
 - router2, then
 - etc. (loop of forty hosts)
This packet thus loops 40 times on the network, which generates a denial of service. [severity:3/4]

The previous denial of service can be amplified using IPv4-IPv6 relays, because going through IPv6-IPv4-IPv4-...-IPv4-IPv6 routers decrements the IPv4 TTL N times, whereas the IPv6 Hop Limit is only decremented once. [severity:3/4]

A loop between two routers can be seen as a capacitor, because it delays the reception of the packet by the final computer. An attacker can therefore:
 - send 1000 SYN packets with a "delay" of 500ms
 - send 1000 SYN packets with a delay of 400ms
 - send 1000 SYN packets with a delay of 300ms
 - send 1000 SYN packets with a delay of 200ms
 - send 1000 SYN packets with a delay of 100ms
 - send 1000 SYN packets without delay
The destination computer will thus receive 6000 packets in 100ms, whereas the attacker can only send 1000 packets in 100ms. [severity:3/4]