From bugzilla@redhat.com Fri May 10 00:14:50 2002 From: bugzilla@redhat.com To: redhat-watch-list@redhat.com Cc: bugtraq@securityfocus.com, linux-security@redhat.com, security@redhat.com Date: Thu, 9 May 2002 09:46 -0400 Subject: [RHSA-2002:086-05] Netfilter information leak [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] --------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Netfilter information leak Advisory ID: RHSA-2002:086-05 Issue date: 2002-05-08 Updated on: 2002-05-09 Product: Red Hat Linux Keywords: netfilter iptables icmp nat Cross references: Obsoletes: --------------------------------------------------------------------- 1. Topic: Netfilter ("iptables") can leak information about how port forwarding is done in unfiltered ICMP packets. The older "ipchains" code is not affected. This bug only affects users using the Network Address Translation features of firewalls built with netfilter ("iptables"). Red Hat Linux's firewall configuration tools use "ipchains," and those configurations are not vulnerable to this bug. 2. Relevant releases/architectures: 3. Problem description: Systems using the netfilter ("iptables") Network Address Translation (NAT) capabilities are subject to the following bug: When a NAT rule applies to the first packet of a connection and that packet later causes the system to generate an ICMP error message, the ICMP error message is sent out with translated addresses included. This address information incorrectly gives the IP address to which the connection would have been forwarded if the ICMP error message was not generated, which exposes information about the netfilter configuration (which ports are being translated) and about the network topology (which address the ports are being forwarded to). Also, the incorrect ICMP packets may be dropped by other intervening stateful firewalls as malformed packets. ICMP error packets generated by the host being routed to are not affected by this bug. The firewall configuration generated by Red Hat Linux's firewall configuration tools uses ipchains, not iptables; thus, default configurations of Red Hat Linux are not affected by this bug. 4. Solution: Unfortunately, this problem currently has no clean fix, but while a clean fix is being worked on, there is a sufficient workaround: Filter out untracked local icmp packets using the following command: iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg 8. References: CARTSA-20020402 (http://www.cartel-securite.fr/) Thanks to Philippe Biondi Copyright(c) 2000, 2001, 2002 Red Hat, Inc.