Netfilter (iptables) Vulnerability Found, Patch Available
The Netfilter team has discovered a vulnerability in the netfilter code that could allow unwanted inbound port access. Patches are available.
Specifically, the 'conntrack' module, which tracks connections and dynamically opens ports for protocols that negotiate them in-band (such as IRC DCC), uses a netmask that is too broad when matching the expected inbound connection for IRC DCC CHAT/SEND requests. What this means is that if someone on the INSIDE makes an IRC connection to the OUTSIDE and issues a DCC request, the port named in that request is treated as expected for any internal address, not just the host that made the request, so an inbound connection to a host that never asked for it can be accepted.
This does not affect ALL iptables users, only those whose rulesets act on the conntrack module's state information and whose internal hosts make IRC connections outbound.
Here is the section of the announcement most likely to pertain to your installation:
IMPLICATIONS
============
The implications depend on the ruleset, since connection tracking only
assigns state to packets. What to do with this state information is up
to the user.
However, a large number of installations seem to have a very
permissive "-m state --state RELATED -j ACCEPT" rule. In this case,
as soon as somebody from inside the private network issues an IRC DCC
request, a single connection from the outside network to the port number
stated in the DCC request on any (internal) IP address will get accepted.
If your ruleset contains a rule like '-m state --state RELATED -j ACCEPT' with no further restriction on the destination, you should apply the patches: with that rule in place, the over-broad match turns a DCC request from one internal host into an accepted inbound connection to any internal host on the port the request named.
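To make the "netmask too broad" point concrete, the following is an added example written for this page; it is a simplified model of how a connection-tracking helper turns an outbound DCC request into an expectation for the inbound data connection, not the netfilter code itself. The DCC line, the addresses and the packets are constructed sample data, and all names (Expectation, parse_dcc, expectation_from_dcc, classify, demo) are assumptions made for the example. It shows the same DCC request evaluated with a destination mask of any-host (the behaviour the announcement describes) and with a mask of exactly-this-host: only the first one classifies a connection to an unrelated internal host as RELATED.

```python
"""
Simplified model of how a connection-tracking helper turns an outbound
IRC DCC request into an "expectation" for the inbound data connection,
and why the destination netmask on that expectation matters.

Added illustration, not the netfilter/iptables code. All names here are
assumptions made for the example; the DCC line and packets are constructed.
"""
import ipaddress
import re

# CTCP DCC CHAT/SEND looks like "\x01DCC SEND <file> <ip-as-u32> <port> [size]\x01";
# the peer is told to connect back to <ip>:<port>.
DCC_RE = re.compile(r"\x01DCC (?:CHAT|SEND) \S+ (\d+) (\d+)")


def parse_dcc(line):
    """Return (ip, port) the remote peer is told to connect back to, or None."""
    m = DCC_RE.search(line)
    if not m:
        return None
    return ipaddress.IPv4Address(int(m.group(1))), int(m.group(2))


class Expectation:
    """An expected inbound connection: a tuple plus a mask saying which bits of
    the destination address must match (0 = any host, 32 = exactly this host).
    The source is deliberately unconstrained: the DCC peer can be anyone outside."""

    def __init__(self, dst_ip, dst_port, mask_dst_bits):
        self.dst_port = dst_port
        self.net = ipaddress.IPv4Network((ipaddress.IPv4Address(dst_ip), mask_dst_bits),
                                         strict=False)

    def matches(self, src_ip, dst_ip, dst_port):
        return dst_port == self.dst_port and ipaddress.IPv4Address(dst_ip) in self.net


def expectation_from_dcc(line, too_broad):
    """Build the expectation a helper would register for this DCC request.
    too_broad=True models the bug: the destination mask matches any address."""
    ip, port = parse_dcc(line)
    return Expectation(ip, port, 0 if too_broad else 32)


def classify(exp, packet):
    """State a '-m state --state RELATED -j ACCEPT' rule would see for a packet."""
    src, dst, dport = packet
    return "RELATED" if exp.matches(src, dst, dport) else "NEW"


# Constructed sample: internal host 192.168.1.10 (3232235786 as a 32-bit int)
# advertises itself on port 5000; an outside peer then connects inbound.
SAMPLE_DCC = "PRIVMSG bob :\x01DCC SEND notes.txt 3232235786 5000 1234\x01"
PKT_TO_REQUESTER = ("203.0.113.7", "192.168.1.10", 5000)   # the host that asked
PKT_TO_OTHER_HOST = ("203.0.113.7", "192.168.1.55", 5000)  # a host that did not


def demo():
    buggy = expectation_from_dcc(SAMPLE_DCC, too_broad=True)
    fixed = expectation_from_dcc(SAMPLE_DCC, too_broad=False)
    return {
        "buggy_requester": classify(buggy, PKT_TO_REQUESTER),
        "buggy_other": classify(buggy, PKT_TO_OTHER_HOST),
        "fixed_requester": classify(fixed, PKT_TO_REQUESTER),
        "fixed_other": classify(fixed, PKT_TO_OTHER_HOST),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The port check is the same in both cases; what changes is only the destination mask, and that alone is enough for the permissive RELATED rule to accept the connection to 192.168.1.55, which is exactly the exposure the announcement warns about.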
For more information, see the links. Red Hat users should also note that Red Hat has released a new kernel RPM set that includes this and other interim fixes.