CVE-2003-0187
CVSS 5.0
Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:30:25

[Original] The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts.


[CNNVD] Netfilter connection tracking remote denial of service vulnerability (CNNVD-200308-180)

        
        Netfilter is a firewall framework implementation for the Linux kernel.
        Netfilter has a flaw in its connection tracking mechanism; a remote attacker can exploit it to mount a denial of service attack against systems that use the connection tracking module.
        Kernel 2.4.20 introduced a new generic linked list implementation. The connection tracking core relied on the previous list behaviour to identify 'UNCONFIRMED' connections. 'UNCONFIRMED' means that only one direction of the connection has been seen; because connection tracking cannot tell whether such connections are valid, they are assigned a very high timeout value.
        Netfilter released a patch so that the connection tracker no longer depends on any particular behaviour of the Linux linked list API.
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:260 Netfilter Denial of Service
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0187
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0187
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-180
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=105986028426824&w=2
(UNKNOWN)  BUGTRAQ  20030802 [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS

- Vulnerability information

Netfilter connection tracking remote denial of service vulnerability
Medium risk  Design error
2003-08-27 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Linux
        -----
        Apply the following patch:
        diff -urN --exclude-from=diff.exclude linux-2.4.20-base/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.4.20-del/include/linux/netfilter_ipv4/ip_conntrack.h
        --- linux-2.4.20-base/include/linux/netfilter_ipv4/ip_conntrack.h Fri Nov 29 00:53:15 2002
        +++ linux-2.4.20-del/include/linux/netfilter_ipv4/ip_conntrack.h Fri Feb 21 17:01:38 2003
         -6,6 +6,7
        
         #include
         #include
        +#include
         #include
        
         enum ip_conntrack_info
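Review bot: the header name on the added `#include` line (and on the three context lines around it) has been lost, and every hunk header in this patch is missing its `@@` markers, so the patch cannot be applied as shown on this page; the text of the hunk does not say which header is being added, so reconstructing it is guesswork. Take the patch from the Netfilter advisory linked under "Other links and resources" rather than from here.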
         -41,6 +42,10
         /* Conntrack should never be early-expired. */
         IPS_ASSURED_BIT = 2,
         IPS_ASSURED = (1 << IPS_ASSURED_BIT),
        +
        + /* Connection is confirmed: originating packet has left box */
        + IPS_CONFIRMED_BIT = 3,
        + IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
         };
        
         #include
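Review bot: the new IPS_CONFIRMED_BIT is the substance of the fix: confirmation becomes explicit state in `status` instead of being inferred from list pointers. Because it shares the word with IPS_ASSURED and the other flags, every place that assigns `status` wholesale must be converted to a bit operation (the `conntrack->status = IPS_EXPECTED;` line replaced later in this patch is one such place); any remaining plain assignment after confirmation would silently clear the bit and make the entry look unconfirmed again.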
         -159,7 +164,7
         struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
        
         /* Have we seen traffic both ways yet? (bitset) */
        - volatile unsigned long status;
        + unsigned long status;
        
         /* Timer function; drops refcnt when it goes off. */
         struct timer_list timeout;
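Review bot: dropping `volatile` from `status` is only correct if every reader and writer now goes through the bit helpers (`test_bit`, `set_bit`, `__set_bit`). The conversions in this patch cover ip_conntrack_core.c and ip_conntrack_proto_tcp.c, so any other file that still reads `status` directly with a `status & IPS_*` expression should be checked and converted in the same change.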
         -254,7 +259,7
         /* It's confirmed if it is, or has been in the hash table. */
         static inline int is_confirmed(struct ip_conntrack *ct)
         {
        - return ct->tuplehash[IP_CT_DIR_ORIGINAL].list.next != NULL;
        + return test_bit(IPS_CONFIRMED_BIT, &ct->status);
         }
        
         extern unsigned int ip_conntrack_htable_size;
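Review bot: this is the root-cause change: `is_confirmed()` no longer depends on `list.next` staying non-NULL after hash insertion, which is the list-API behaviour that 2.4.20's generic list implementation no longer guarantees. The replacement reads a bit that is set only in the confirm path (the `set_bit(IPS_CONFIRMED_BIT, ...)` hunk in ip_conntrack_core.c), so any path that inserts a conntrack into the hash without going through that function would now report it as unconfirmed; a one-line comment above the function stating that the bit is set under `ip_conntrack_lock` in the confirm path would make the invariant explicit.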
        diff -urN --exclude-from=diff.exclude linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c
        --- linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_core.c Tue Feb 18 17:08:21 2003
        +++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_core.c Fri Feb 21 17:01:39 2003
         -292,9 +292,6
         {
         DEBUGP("clean_from_lists(%p)\n", ct);
         MUST_BE_WRITE_LOCKED(&ip_conntrack_lock);
        - /* Remove from both hash lists: must not NULL out next ptrs,
        - otherwise we'll look unconfirmed. Fortunately, LIST_DELETE
        - doesn't do this. --RR */
         LIST_DELETE(&ip_conntrack_hash
         [hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)],
         &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
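Review bot: removing the "must not NULL out next ptrs" comment is consistent with the new `is_confirmed()`, but the commit message should say why it is obsolete: the confirmed state is now carried in `status`, so `LIST_DELETE` is free to NULL or poison the list pointers without the entry appearing unconfirmed, which is exactly the assumption the old code made and 2.4.20 broke.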
         -467,6 +464,7
         ct->timeout.expires += jiffies;
         add_timer(&ct->timeout);
         atomic_inc(&ct->ct_general.use);
        + set_bit(IPS_CONFIRMED_BIT, &ct->status);
         WRITE_UNLOCK(&ip_conntrack_lock);
         return NF_ACCEPT;
         }
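Review bot: `set_bit(IPS_CONFIRMED_BIT, ...)` is placed after the hash insertion and timer arming but still before `WRITE_UNLOCK(&ip_conntrack_lock)`, which is what keeps `is_confirmed()` consistent with the hash table for readers that take the lock; it must stay before the unlock if this function is reworked. This hunk uses the atomic `set_bit` while the expected-path hunk below uses the non-atomic `__set_bit`; a short comment explaining why both are acceptable under the write lock would help future readers.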
         -585,7 +583,7
         connection. Too bad: we're in trouble anyway. */
         static inline int unreplied(const struct ip_conntrack_tuple_hash *i)
         {
        - return !(i->ctrack->status & IPS_ASSURED);
        + return !(test_bit(IPS_ASSURED_BIT, &i->ctrack->status));
         }
        
         static int early_drop(struct list_head *chain)
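Review bot: the `!(test_bit(...))` form preserves the behaviour of `!(status & IPS_ASSURED)`; the extra parentheses around `test_bit` are redundant and can be dropped for consistency with the other `test_bit` uses in this patch.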
         -720,7 +718,7
         conntrack, expected);
         /* Welcome, Mr. Bond. We've been expecting you... */
         IP_NF_ASSERT(master_ct(conntrack));
        - conntrack->status = IPS_EXPECTED;
        + __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
         conntrack->master = expected;
         expected->sibling = conntrack;
         LIST_DELETE(&ip_conntrack_expect_list, expected);
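Review bot: replacing `conntrack->status = IPS_EXPECTED;` with `__set_bit(IPS_EXPECTED_BIT, ...)` changes the semantics from "overwrite the whole word" to "set one bit", which is correct only if `status` is zero on a freshly allocated conntrack; that allocation is not visible in this hunk, so confirm the allocation path clears it. The non-atomic `__set_bit` also relies on the caller holding `ip_conntrack_lock` for writing (the `LIST_DELETE` on `ip_conntrack_expect_list` two lines later suggests it does); a comment stating that assumption would document it.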
         -768,11 +766,11
         *set_reply = 1;
         } else {
         /* Once we've had two way comms, always ESTABLISHED. */
        - if (h->ctrack->status & IPS_SEEN_REPLY) {
        + if (test_bit(IPS_SEEN_REPLY_BIT, &h->ctrack->status)) {
         DEBUGP("ip_conntrack_in: normal packet for %p\n",
         h->ctrack);
         *ctinfo = IP_CT_ESTABLISHED;
        - } else if (h->ctrack->status & IPS_EXPECTED) {
        + } else if (test_bit(IPS_EXPECTED_BIT, &h->ctrack->status)) {
         DEBUGP("ip_conntrack_in: related packet for %p\n",
         h->ctrack);
         *ctinfo = IP_CT_RELATED;
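Review bot: the `test_bit` conversions here are behaviour-preserving; the one thing to verify is that `IPS_SEEN_REPLY_BIT` and `IPS_EXPECTED_BIT` are defined in the enum, since the header hunk shown on this page only adds `IPS_CONFIRMED_BIT` next to the existing `IPS_ASSURED_BIT`.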
        diff -urN --exclude-from=diff.exclude linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
        --- linux-2.4.20-base/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Tue Feb 18 17:07:26 2003
        +++ linux-2.4.20-del/net/ipv4/netfilter/ip_conntrack_proto_tcp.c Fri Feb 21 17:03:35 2003
         -192,7 +192,7
         have an established connection: this is a fairly common
         problem case, so we can delete the conntrack
         immediately. --RR */
        - if (!(conntrack->status & IPS_SEEN_REPLY) && tcph->rst) {
        + if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) && tcph->rst) {
         WRITE_UNLOCK(&tcp_lock);
         &
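Review bot: the patch is cut off in the middle of this hunk (the last line is a lone `&`), so the ip_conntrack_proto_tcp.c change and anything that followed it are incomplete on this page. Apply the full patch from the Netfilter advisory (BUGTRAQ 20030802, linked above) or upgrade to 2.4.21 as the solution sections recommend, rather than applying what is shown here.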

- Vulnerability information

6061
Linux IPTables / Netfilter Connection Tracking Linked List DoS
Remote / Network Access Denial of Service, Input Manipulation, Misconfiguration
Loss of Availability
Exploit Public

- Vulnerability description

The netfilter (iptables) module of the Linux kernel contains a flaw that may allow a remote denial of service. The issue is triggered only when the connection tracking module ip_conntrack is loaded. When a large number of packets are sent to a machine so configured, one-way traffic packets are marked incorrectly as UNCONFIRMED state in the linked list, and assigned a very high timeout. This eventually consumes large amounts of system memory, and will result in loss of availability for the platform.

- Timeline

2003-08-02 Unknown
2003-08-02 Unknown

- Solution

Upgrade to version 2.4.21 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the vendor-supplied patch, or by disabling connection tracking.

- References

- Vulnerability author

- Vulnerability information

Netfilter Connection Tracking Denial of Service Vulnerability
Design Error 8331
Yes No
2003-08-02 12:00:00 2009-07-11 10:56:00
Announced by the Netfilter Core Team.

- Affected program versions

RedHat kernel-utils-2.4-8.29.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-utils-2.4-8.13.i386.rpm
+ RedHat Linux 8.0
RedHat kernel-utils-2.4-7.4.i386.rpm
+ RedHat Linux 7.3
RedHat kernel-uml-2.4.18-14.i686.rpm
+ RedHat Linux 8.0
RedHat kernel-source-2.4.7-10.i386.rpm
+ RedHat Linux 7.2
RedHat kernel-source-2.4.20-8.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-source-2.4.2-2.i386.rpm
+ RedHat Linux 7.1
RedHat kernel-source-2.4.18-3.i386.rpm
+ RedHat Linux 7.3
RedHat kernel-source-2.4.18-14.i386.rpm
+ RedHat Linux 8.0
RedHat kernel-smp-2.4.7-10.i686.rpm
+ RedHat Linux 7.2
RedHat kernel-smp-2.4.7-10.i586.rpm
+ RedHat Linux 7.2
RedHat kernel-smp-2.4.7-10.athlon.rpm
+ RedHat Linux 7.2
RedHat kernel-smp-2.4.20-8.i686.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-smp-2.4.20-8.athlon.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-smp-2.4.2-2.i686.rpm
+ RedHat Linux 7.1
RedHat kernel-smp-2.4.2-2.i586.rpm
+ RedHat Linux 7.1
RedHat kernel-smp-2.4.18-3.i686.rpm
+ RedHat Linux 7.3
RedHat kernel-smp-2.4.18-3.i586.rpm
+ RedHat Linux 7.3
RedHat kernel-smp-2.4.18-3.athlon.rpm
+ RedHat Linux 7.3
RedHat kernel-smp-2.4.18-14.i686.rpm
+ RedHat Linux 8.0
RedHat kernel-smp-2.4.18-14.athlon.rpm
+ RedHat Linux 8.0
RedHat kernel-headers-2.4.7-10.i386.rpm
+ RedHat Linux 7.2
RedHat kernel-headers-2.4.2-2.i386.rpm
+ RedHat Linux 7.1
RedHat kernel-enterprise-2.4.2-2.i686.rpm
+ RedHat Linux 7.1
RedHat kernel-doc-2.4.7-10.i386.rpm
+ RedHat Linux 7.2
RedHat kernel-doc-2.4.20-8.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-doc-2.4.2-2.i386.rpm
+ RedHat Linux 7.1
RedHat kernel-doc-2.4.18-3.i386.rpm
+ RedHat Linux 7.3
RedHat kernel-doc-2.4.18-14.i386.rpm
+ RedHat Linux 8.0
RedHat kernel-debug-2.4.18-3.i686.rpm
+ RedHat Linux 7.3
RedHat kernel-debug-2.4.18-14.i686.rpm
+ RedHat Linux 8.0
RedHat kernel-BOOT-2.4.7-10.i386.rpm
+ RedHat Linux 7.2
RedHat kernel-BOOT-2.4.20-8.i386.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-BOOT-2.4.2-2.i386.rpm
+ RedHat Linux 7.1
RedHat kernel-BOOT-2.4.18-3.i386.rpm
+ RedHat Linux 7.3
RedHat kernel-BOOT-2.4.18-14.i386.rpm
+ RedHat Linux 8.0
RedHat kernel-bigmem-2.4.20-8.i686.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-bigmem-2.4.18-3.i686.rpm
+ RedHat Linux 7.3
RedHat kernel-bigmem-2.4.18-14.i686.rpm
+ RedHat Linux 8.0
RedHat kernel-2.4.7-10.i686.rpm
+ RedHat Linux 7.2
RedHat kernel-2.4.7-10.i386.rpm
+ RedHat Linux 7.2
RedHat kernel-2.4.7-10.athlon.rpm
+ RedHat Linux 7.2
RedHat kernel-2.4.20-8.i686.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.20-8.i586.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.20-8.athlon.rpm
+ RedHat Linux 9.0 i386
RedHat kernel-2.4.2-2.i686.rpm
+ RedHat Linux 7.1
RedHat kernel-2.4.2-2.i586.rpm
+ RedHat Linux 7.1
RedHat kernel-2.4.2-2.i386.rpm
+ RedHat Linux 7.1
RedHat kernel-2.4.18-3.i686.rpm
+ RedHat Linux 7.3
RedHat kernel-2.4.18-3.i386.rpm
+ RedHat Linux 7.3
RedHat kernel-2.4.18-3.athlon.rpm
+ RedHat Linux 7.3
RedHat kernel-2.4.18-14.i686.rpm
+ RedHat Linux 8.0
RedHat kernel-2.4.18-14.i586.rpm
+ RedHat Linux 8.0
RedHat kernel-2.4.18-14.athlon.rpm
+ RedHat Linux 8.0
Linux kernel 2.4.20
+ CRUX CRUX Linux 1.0
+ Gentoo Linux 1.4
+ Gentoo Linux 1.2
+ RedHat Linux 9.0 i386
+ Slackware Linux 9.0
+ WOLK WOLK 4.4 s

- Vulnerability discussion

A fix for a denial of service vulnerability has been reported by the Netfilter project. Linux 2.4.20 systems with kernels built supporting the CONFIG_IP_NF_CONNTRACK option or with the ip_conntrack module loaded are vulnerable. Other kernel versions are not affected. The vulnerability is due to the introduction into the Linux 2.4.20 kernel of a new generic linked list implementation. The reliance on the previous linked list implementation resulted in a condition which could result in a denial of service.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Red Hat security advisory RHSA-2003:172-27 also includes fixes for this issue. RHBA-2003:263-05 (for non-Enterprise Red Hat distributions) has been released to address unrelated bugs but provides Kernel updates that include more recent fixes for this and other security vulnerabilities.

NetFilter has issued a patch:


RedHat kernel-2.4.18-3.i686.rpm
RedHat kernel-doc-2.4.18-14.i386.rpm
RedHat kernel-2.4.2-2.i386.rpm
RedHat kernel-BOOT-2.4.2-2.i386.rpm
RedHat kernel-2.4.7-10.i386.rpm
RedHat kernel-source-2.4.18-14.i386.rpm
RedHat kernel-bigmem-2.4.18-14.i686.rpm
RedHat kernel-2.4.18-3.athlon.rpm
RedHat kernel-BOOT-2.4.7-10.i386.rpm
RedHat kernel-doc-2.4.2-2.i386.rpm
RedHat kernel-2.4.20-8.athlon.rpm
RedHat kernel-source-2.4.2-2.i386.rpm
RedHat kernel-2.4.18-3.i386.rpm
RedHat kernel-2.4.7-10.athlon.rpm
RedHat kernel-bigmem-2.4.18-3.i686.rpm
RedHat kernel-doc-2.4.18-3.i386.rpm
RedHat kernel-source-2.4.7-10.i386.rpm
RedHat kernel-2.4.18-14.i586.rpm
RedHat kernel-BOOT-2.4.20-8.i386.rpm
RedHat kernel-2.4.18-14.i686.rpm
RedHat kernel-2.4.20-8.i586.rpm
RedHat kernel-2.4.7-10.i686.rpm
RedHat kernel-doc-2.4.20-8.i386.rpm
RedHat kernel-2.4.18-14.athlon.rpm
RedHat kernel-bigmem-2.4.20-8.i686.rpm
RedHat kernel-BOOT-2.4.18-14.i386.rpm
RedHat kernel-2.4.2-2.i686.rpm
RedHat kernel-source-2.4.20-8.i386.rpm
RedHat kernel-2.4.20-8.i686.rpm
RedHat kernel-BOOT-2.4.18-3.i386.rpm
RedHat kernel-2.4.2-2.i586.rpm
RedHat kernel-doc-2.4.7-10.i386.rpm
Linux kernel 2.4.20

- References
