LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-22-2004, 05:34 AM   #1
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 46
2.6 DoS Vulnerability!


Turn off iptables logging now until the fix (update to kernel >= 2.6.8) is made.

The story appeared on TheAge

Quote:
Linux users running a 2.6 series kernel and using iptables for firewalling have been advised to upgrade to fix a bug which could be exploited remotely to cause a denial of service.

The bug, discovered by Richard Hart, does not affect the 2.4 series kernel.

It is caused by an integer underflow problem in the iptables firewall logging rules and can allow a remote attacker to crash the machine by using a handcrafted IP packet.

The attack is only possible if firewalling is enabled in the kernel.

An advisory from Linux company SUSE said a workaround was to disable firewall logging of IP and TCP options.

However, a kernel update was recommended, the advisory said.

HERE is the security announcement from Suse.

Last edited by /bin/bash; 10-24-2004 at 07:44 AM.
 
Old 10-23-2004, 12:33 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Additional advisory info: http://secunia.com/advisories/11202/
 
Old 10-23-2004, 07:46 PM   #3
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Re: 2.6 DoS Vulnerability!

Quote:
Originally posted by /bin/bash
The attack is only possible if firewalling is enabled in the kernel.
So does that mean that if iptables is loaded as a module (i.e. not built in to the kernel), you aren't vulnerable?
 
Old 10-24-2004, 04:18 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,743
Blog Entries: 54

Rep: Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973Reputation: 2973
So does that mean that if iptables is loaded as a module (i.e. not built in to the kernel), you aren't vulnerable?
You are vulnerable.

It apparently is about the part of the Netfilter framework code that logs (IP and TCP) protocol options.
Therefore it does not matter if it is built in into the kernel or loaded as module.

Upgrading the kernel is your only option.
The workaround is to disable all logging of IP and TCP options (see SuSE advisory).
 
Old 10-24-2004, 02:42 PM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Another fun day spend upgrading kernels on multiple servers.
 
Old 10-25-2004, 01:55 PM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Edit: oops... already been answered.. ignore me.
 
Old 02-10-2005, 11:26 AM   #7
eech55
LQ Newbie
 
Registered: Aug 2004
Posts: 23

Rep: Reputation: 15
this is why i like freebsd
 
Old 02-13-2005, 05:48 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by eech55
this is why i like freebsd
Why? Cause it didn't have a remote denial of service vulnerability last year involving packet handling?

ftp://ftp.freebsd.org/pub/FreeBSD/CE...-04:04.tcp.asc

Probably could have picked alot better things to flame about.
 
Old 02-14-2005, 08:27 AM   #9
vhh
LQ Newbie
 
Registered: Jan 2005
Posts: 11

Rep: Reputation: 0
Sorry, Ignore me pls.

Last edited by vhh; 02-14-2005 at 08:33 AM.
 
Old 04-10-2005, 12:23 PM   #10
nanoprobe
LQ Newbie
 
Registered: Jan 2005
Location: Netherlands
Distribution: Suse 9.1/10
Posts: 29

Rep: Reputation: 15
Re: 2.6 DoS Vulnerability! slash Yast update

Running the Yast update on Suse solve this problems?

Automatically updating the kernel...
 
Old 04-10-2005, 03:34 PM   #11
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Real Washington
Distribution: Ubuntu, Debian, SuSE, UnSlung, Android
Posts: 1,819

Rep: Reputation: 46
Running YOU will likely fix the issue, if SuSE has released a patch for it. Check the SuSE site for what security patches they are putting out or instructions related to the vulnerability.
 
Old 04-10-2005, 11:33 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Moderator note: Merging this thread with the original. Please respond to it there rather than starting a new thread. Thanks.
 
Old 06-03-2005, 07:45 PM   #13
Odins_Son
LQ Newbie
 
Registered: Nov 2004
Location: Salem
Distribution: debian unstable
Posts: 18

Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
Why? Cause it didn't have a remote denial of service vulnerability last year involving packet handling?

ftp://ftp.freebsd.org/pub/FreeBSD/CE...-04:04.tcp.asc

Probably could have picked alot better things to flame about.

ha!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
phpBB Vulnerability Capt_Caveman Linux - Security 6 10-08-2005 01:22 PM
Dos Emulator without Dos dtheorem Linux - Software 1 10-14-2003 02:18 PM
Dos Emulator without Dos dtheorem Linux - Software 1 10-14-2003 01:52 PM
This looks interesting, spoofed IGMP report DoS vulnerability neo77777 Linux - Security 1 06-21-2002 08:13 AM
UPnP vulnerability in XP anoop_chandran General 13 01-08-2002 01:01 AM


All times are GMT -5. The time now is 07:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration