Bug 36820 - Security flaw in Linux 2.4 IPTables using FTP port
Summary: Security flaw in Linux 2.4 IPTables using FTP port
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: kernel   
Version: 7.1
Hardware: i386
OS: Linux
high
medium
Target Milestone: ---
Assignee: Michael K. Johnson
QA Contact: Brock Organ
URL: http://www.tempest.com.br/advisories/...
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2001-04-20 13:13 UTC by Rob McMillin
Modified: 2007-03-27 03:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-04-20 14:41:52 UTC

Description Rob McMillin 2001-04-20 13:13:18 UTC
From the website above:

If an attacker can establish an FTP connection passing through a Linux
2.4.x IPTables firewall with the state options allowing "related"
connections (almost 100% do), he can insert entries into the firewall's
RELATED ruleset table allowing the FTP Server to connect to any host and
port protected by the firewall's rules, including the firewall itself.

====

You probably already have this but I can't find it as a security-level bug
in the kernel. Hope this isn't a duplicate (probably is -- this appeared on
http://www.slashdot.org as a featured story).
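
The following is an added example, not code from this bug report, the advisory or the kernel. It assumes the RELATED entry is derived from the address and port an FTP client announces in a `PORT h1,h2,h3,h4,p1,p2` command (the RFC 959 format), and shows one check a connection-tracking helper can apply before creating that entry. The function name, verdict enum and policy are assumptions made for illustration; only upper-case `PORT` is accepted, so anything else fails closed.

```c
#include <stdint.h>
#include <string.h>

enum port_verdict { PORT_OK, PORT_MALFORMED, PORT_FOREIGN_ADDR, PORT_LOW_PORT };

/* Parse one decimal field (1-3 digits, value 0..255) and advance *p. */
static int parse_field(const char **p, unsigned *out)
{
    unsigned v = 0;
    int digits = 0;

    for (; **p >= '0' && **p <= '9' && digits < 3; (*p)++, digits++)
        v = v * 10 + (unsigned)(**p - '0');
    if (digits == 0 || v > 255)
        return -1;
    *out = v;
    return 0;
}

/* Check "PORT h1,h2,h3,h4,p1,p2" before creating a RELATED expectation.
 * client_ip: source address of the control connection, host byte order.
 * Assumed policy: data address must equal client_ip, port must be >= 1024. */
enum port_verdict check_port_cmd(const char *line, uint32_t client_ip,
                                 uint32_t *ip_out, uint16_t *port_out)
{
    unsigned f[6];
    const char *p;
    int i;

    if (strncmp(line, "PORT ", 5) != 0)
        return PORT_MALFORMED;
    p = line + 5;
    for (i = 0; i < 6; i++) {
        if ((i > 0 && *p++ != ',') || parse_field(&p, &f[i]) != 0)
            return PORT_MALFORMED;
    }
    if (*p != '\0' && *p != '\r' && *p != '\n')
        return PORT_MALFORMED;
    *ip_out = (f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3];
    *port_out = (uint16_t)((f[4] << 8) | f[5]);
    if (*ip_out != client_ip)
        return PORT_FOREIGN_ADDR;
    return *port_out < 1024 ? PORT_LOW_PORT : PORT_OK;
}

int main(void)
{
    uint32_t ip; uint16_t port; /* constructed sample: client is 192.0.2.10 */
    return check_port_cmd("PORT 10,0,0,1,0,22\r\n", 0xC000020AU, &ip, &port)
           == PORT_FOREIGN_ADDR ? 0 : 1;
}
```
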

Comment 1 Arjan van de Ven 2001-04-20 13:19:42 UTC
This is a known issue and an advisory will be made public any time now (if it
isn't out already). It comes down to: default installs are NOT vulnerable.
Only if you change from ipchains to iptables and then select FTP NAT with the
'related' feature is there a problem. That is a "don't do that then" for now.

Comment 2 Arjan van de Ven 2001-04-26 11:41:16 UTC
http://www.securityfocus.com/frames/?content=/templates/advisory.html%3Fid%3D3231

has had the advisory for a while now; I'm not sure why our own site doesn't show it.

