Bug 2061942 - Prevent port-shadow attacks in sample nat config
Summary: Prevent port-shadow attacks in sample nat config
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: nftables
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.8
Assignee: Phil Sutter
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 2061917 2061940
Blocks:
Reported: 2022-03-08 18:30 UTC by Phil Sutter
Modified: 2023-08-09 07:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2061940
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links:
- Red Hat Issue Tracker RHELPLAN-114876 (last updated 2022-03-08 18:47:28 UTC)

Description Phil Sutter 2022-03-08 18:30:12 UTC
+++ This bug was initially created as a clone of Bug #2061940 +++

+++ This bug was initially created as a clone of Bug #2061917 +++

The respective kernel commit is about to be reverted as it might break a corner case:

https://lore.kernel.org/netfilter-devel/20220308125924.6708-1-fw@strlen.de/

Deploy an equivalent mitigation in user space so at least new setups are fine once the revert reaches distribution kernels:

@@ -18,13 +18,21 @@ table ip nftables_svc {
                elements = { 192.168.122.0/24 }
        }
 
+       # force port randomization for non-locally originated connections using
+       # suspicious port values to prevent port-shadow attacks, i.e.
+       # accidental matching of new inbound connections vs. existing ones
+       chain do_masquerade {
+               meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+               masquerade
+       }
+
        # base-chain to manipulate conntrack in postrouting,
        # will see packets for new or related traffic only
        chain POSTROUTING {
                type nat hook postrouting priority srcnat + 20
                policy accept
 
-               iifname @masq_interfaces oifname != @masq_interfaces masquerade
-               ip saddr @masq_ips masquerade
+               iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+               ip saddr @masq_ips jump do_masquerade
        }
 }
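Review bot: the comment on `do_masquerade` states the intent but not why `th sport < 16384` and `th dport >= 32768` are the thresholds for "suspicious"; add a line pointing at the reverted kernel change linked in the description (and CVE-2021-3773) so the values can be re-derived if the kernel heuristic changes. Two smaller points: `th` matches the transport header without checking the layer-4 protocol, so guard the first rule with `meta l4proto { tcp, udp }` unless applying the port comparison to other protocols is intended; and because `masquerade` is a terminal statement, the trailing bare `masquerade` only handles packets the first rule did not match, which is the intended fallback and worth stating in the comment.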

--- Additional comment from Phil Sutter on 2022-03-08 18:22:30 UTC ---

For reference, this is about CVE-2021-3773:

https://access.redhat.com/security/cve/CVE-2021-3773
https://www.openwall.com/lists/oss-security/2021/09/08/3
https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html

Comment 1 Phil Sutter 2022-08-31 17:02:52 UTC
Missed RHEL8.7, proposing for RHEL8.8.

Comment 2 Phil Sutter 2023-02-22 08:55:39 UTC
Missed RHEL8.8, proposing for RHEL8.9.

