Bug 2061942

Summary: Prevent port-shadow attacks in sample nat config
Product: Red Hat Enterprise Linux 8
Reporter: Phil Sutter <psutter>
Component: nftables
Assignee: Phil Sutter <psutter>
Status: ASSIGNED
QA Contact: Tomas Dolezal <todoleza>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.7
CC: extras-qa, jpeska, kevin, psutter, qe-baseos-daemons, todoleza
Target Milestone: rc
Keywords: Triaged
Target Release: 8.8
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2061940
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2061917, 2061940
Bug Blocks:

Description Phil Sutter 2022-03-08 18:30:12 UTC
+++ This bug was initially created as a clone of Bug #2061940 +++

+++ This bug was initially created as a clone of Bug #2061917 +++

The respective kernel commit is about to be reverted as it might break a corner case:

https://lore.kernel.org/netfilter-devel/20220308125924.6708-1-fw@strlen.de/

Deploy an equivalent mitigation in user space so at least new setups are fine once the revert reaches distribution kernels:

@@ -18,13 +18,21 @@ table ip nftables_svc {
                elements = { 192.168.122.0/24 }
        }
 
+       # force port randomization for non-locally originated connections using
+       # suspicious port values to prevent port-shadow attacks, i.e.
+       # accidental matching of new inbound connections vs. existing ones
+       chain do_masquerade {
+               meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+               masquerade
+       }
+
        # base-chain to manipulate conntrack in postrouting,
        # will see packets for new or related traffic only
        chain POSTROUTING {
                type nat hook postrouting priority srcnat + 20
                policy accept
 
-               iifname @masq_interfaces oifname != @masq_interfaces masquerade
-               ip saddr @masq_ips masquerade
+               iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+               ip saddr @masq_ips jump do_masquerade
        }
 }
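Review bot: the first rule in the new do_masquerade chain matches on `th sport` / `th dport`, which are protocol-agnostic transport-header loads, so without an explicit `meta l4proto` qualifier the rule also reads the first four bytes of ICMP, GRE or any other protocol's header as if they were ports and may send such flows to `masquerade random`; if only port-based protocols are meant, add the qualifier, e.g. `meta iif > 0 meta l4proto { tcp, udp } th sport < 16384 th dport >= 32768 masquerade random` (extend the set with sctp or others if they are NATed here). Two smaller points on the same rule: `random` selects the mapped port through a hash-based algorithm while nft also offers `fully-random`, so it is worth stating which one is intended for this mitigation, and the chain comment would be more precise if it named the actual hazard, namely a forwarded connection whose preserved low source port becomes the port exposed on the NAT's public address. The plain `masquerade` fallback on the following line keeps the default port-preserving behaviour for every flow that does not match the first rule, and since masquerade is a terminating statement the two rules cannot both apply to one packet, which is correct.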

--- Additional comment from Phil Sutter on 2022-03-08 18:22:30 UTC ---

For reference, this is about CVE-2021-3773:

https://access.redhat.com/security/cve/CVE-2021-3773
https://www.openwall.com/lists/oss-security/2021/09/08/3
https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html
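Once the revert reaches a kernel, any NAT that still runs the old sample config keeps the port-preserving default, so an operator may want to audit the live conntrack table for mappings that expose a low source port on the public address. The following is an added example, not code from this bug or from the nftables project: it parses `conntrack -L` style lines and flags entries that the proposed do_masquerade rule would have forced to a random port (original source port below 16384, destination port 32768 or above, thresholds taken from the rule) but which still carry the low port in the reply-direction dport, i.e. on the NAT's public side. The sample lines are constructed for the example, and the reply-tuple layout it assumes (original tuple first, then reply tuple) is the one conntrack-tools prints.

```python
import re
from dataclasses import dataclass

# Thresholds copied from the proposed rule:
#   th sport < 16384 th dport >= 32768 masquerade random
LOW_SPORT_LIMIT = 16384
HIGH_DPORT_MIN = 32768

# Constructed sample of `conntrack -L` output (not captured from a real host).
# Each line lists the original tuple, then the reply tuple; the reply tuple's
# dport is the port the NAT exposes on its public address (198.51.100.1 here).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.122.10 dst=203.0.113.5 sport=22 dport=40000 src=203.0.113.5 dst=198.51.100.1 sport=40000 dport=22 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.122.11 dst=203.0.113.5 sport=22 dport=40001 src=203.0.113.5 dst=198.51.100.1 sport=40001 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.122.12 dst=203.0.113.9 sport=53 dport=53 src=203.0.113.9 dst=198.51.100.1 sport=53 dport=53 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.122.13 dst=203.0.113.5 sport=45678 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=45678 [ASSURED] mark=0 use=1
"""

# One "src=... dst=... sport=... dport=..." tuple; a NATed port-based entry has two.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Mapping:
    proto: str
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    public_port: int  # reply-direction dport: the port exposed on the NAT address


def parse_conntrack(text):
    """Parse conntrack -L style lines into Mapping objects; entries without two
    port tuples (icmp, truncated lines) are skipped."""
    mappings = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        (osrc, odst, osport, odport), (_rsrc, _rdst, _rsport, rdport) = tuples
        mappings.append(Mapping(proto=line.split()[0],
                                orig_src=osrc, orig_sport=int(osport),
                                orig_dst=odst, orig_dport=int(odport),
                                public_port=int(rdport)))
    return mappings


def shadow_candidates(mappings):
    """Entries matching the rule's heuristic (low sport, high dport) whose low
    port was nevertheless preserved on the public side of the NAT."""
    return [m for m in mappings
            if m.orig_sport < LOW_SPORT_LIMIT
            and m.orig_dport >= HIGH_DPORT_MIN
            and m.public_port < LOW_SPORT_LIMIT]


if __name__ == "__main__":
    # Replace SAMPLE_CONNTRACK with the output of `conntrack -L` on the NAT box.
    for m in shadow_candidates(parse_conntrack(SAMPLE_CONNTRACK)):
        print(f"{m.proto} {m.orig_src}:{m.orig_sport} -> {m.orig_dst}:{m.orig_dport} "
              f"exposes public port {m.public_port}")
```

On the constructed sample only the first entry is reported: its internal source port 22 was preserved as the public-side port, which is exactly what the `masquerade random` rule prevents for new connections. The second entry shows a randomized mapping and is not flagged; the udp/53 entry is outside the heuristic (destination port below 32768), which is a reminder that the rule, like the kernel change it mirrors, is a heuristic rather than a complete guarantee.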

Comment 1 Phil Sutter 2022-08-31 17:02:52 UTC
Missed RHEL8.7, proposing for RHEL8.8.

Comment 2 Phil Sutter 2023-02-22 08:55:39 UTC
Missed RHEL8.8, proposing for RHEL8.9.