-   Linux - Networking (
-   -   udp vulnerability (nessus report) (

wedgeworth 05-06-2004 01:45 PM

udp vulnerability (nessus report)
one of my security vulnerabilities i got back in my audit report is:

It is possible to by-pass the rules of the remote firewall
by sending UDP packets with a source port equal to 53.

An attacker may use this flaw to inject UDP packets to the remote
hosts, in spite of the presence of a firewall.

Solution : Review your firewall rules policy
Risk Factor : High
BID : 7436

i have udp rejected under ipchains leaving access to only computers that have certain ip address .... aka a known "safe list" of servers that i know (example: our dns server). since i've "corrected" the problem above by blocking all udp's and accepting only known ip's; then why is my report still showing up under nessus's audit report?.... even though all udp stuff is blocked.

chort 05-06-2004 02:51 PM

Are you running Nessus from a computer that's on the "Safe List"? Remember that it's not the machine running the Nessus client that actually scans, it's the machine running Nessus daemon.

The other possibility is that it might be a poorly written probe that just assumes that any UDP packet that doesn't generate an ICMP port-unreachable did actually go through. If your firewall is dropping UDP packets rather than rejecting them, it would *appear* that they've been accepted (because no ICMP error) but it was actually dropped.

wedgeworth 05-06-2004 04:08 PM

nope....i'm not running my nessus server from a "friendly". else it would get past my firewall and report loads of stuff that are actually sealed off. that's the first thing we made sure of.

wedgeworth 05-10-2004 03:58 PM


i don't ever drop in my firewall. i only accept and reject. so i'm still not sure why it keeps reporting this vul. presently, i drop both udp and icmp packets in my ipchains. however, this error was happening on my servers before i rejected the icmp packets. any idea why this vul. is still showing up?

unSpawn 05-10-2004 05:00 PM

Basically it means if you don't restrict inbound traffic with a source port of UDP/53 to only come from legitimate DNS servers someone could forge access by specifiying source port UDP/53.

chort 05-10-2004 06:18 PM

Maybe it would clarify things if you posted your firewall rules so we can tell exactly what's going on.

chort 05-11-2004 01:40 AM

Hmm, based on another recent post, I'm guessing you're running Red Hat with "lokkit". That pathetic excuse for a firewall allows all packets (to any address, /boggle) with a source port of 53/udp. That's supposed to allow DNS lookups, but that is the absolute worst way to attempt letting them through the firewall.

Someone could quiet easily scan and attack all your open UDP ports on the machine, right through your firewall, by simply using port 53/udp as the source for each datagram.

wedgeworth 05-11-2004 07:59 AM

"Basically it means if you don't restrict inbound traffic with a source port of UDP/53 to only come from legitimate DNS servers someone could forge access by specifiying source port UDP/53."

my last three entries in my ipchains is this:

# everyone else
-A input -p tcp -j REJECT -l
-A input -p udp -j REJECT -l
-A input -p icmp -j REJECT -l

therefore i have restricted inbound traffic. so as far as my dns server is conserned. it is allowed based on it's ip address. so udp can be blocked for everone else.

"I'm guessing you're running Red Hat with "lokkit"
i don't know if lokkit is what i'm running. after looking for it i found this:

# find . -name "*lokkit*"

but since i only use command line i don't think that i've used it. i had the above entries directly in my ipchains table. is lokkit still going to allow the vulnerability you were talking about?

chort 05-11-2004 01:34 PM

Those reject rules are only your default, though. iptables is first match, so whatever comes above that is what's really important. That's why I suggested that you post your entire firewall ruleset.

wedgeworth 05-12-2004 04:05 PM

here is what my ipchains look like. hopefully this will help.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward REJECT
:output ACCEPT

# DNS servers
-A input -p tcp -s domain -j ACCEPT

# reject for "register.asp" spam
-A input -p tcp -s -j REJECT

# incoming ssh
#-A input -d 0/0 ssh -p tcp -j ACCEPT

# return from outgoing ssh
#-A input -s 0/0 ssh -p tcp -j ACCEPT

# return from outgoing chatterbox info connection
#-A input -s 0/0 4443 -p tcp -j ACCEPT

# incoming http/https
-A input -d 0/0 http -p tcp -j ACCEPT
-A input -d 0/0 https -p tcp -j ACCEPT

# return from outgoing http/https
-A input -s 0/0 http -p tcp -j ACCEPT
-A input -s 0/0 https -p tcp -j ACCEPT

# return from outgoing smtp
-A input -s 0/0 smtp -p tcp -j ACCEPT

# incoming smtp (temp)
-A input -d 0/0 smtp -p tcp -j ACCEPT

# return from outgoing mysql
-A input -s 0/0 mysql -p tcp -j ACCEPT

# localhost
-A input -i lo -j ACCEPT

# office IP
-A input -s xx.xx.xx.xx -j ACCEPT

# mail server
-A input -s xx.xx.xx.xx -j ACCEPT

# another server
-A input -s xx.xx.xx.xx -j ACCEPT

# somebody's home ip
-A input -s xx.xx.xx.xx -j ACCEPT

# everyone else
-A input -p tcp -j REJECT -l
-A input -p udp -j REJECT -l
-A input -p icmp -j REJECT -l

chort 05-13-2004 03:04 AM

You firewall looks sound (brief glance, certainly nothing to cause a UDP hole), so I looked at the source of that particular Nessus plugin

Now I'm not familiar with the Nessus plugin syntax, and I'm also not a brilliant TCP/IP programmer, but it appears to me that the plugin is simply looking for an ICMP "unreachable" error (any of the type 3 codes). Since you're using reject rather than drop for your default, it will return an ICMP unreachable error in response to UDP datagrams, thus I believe this to be a false positive. You can easily make that determination by changing
-A input -p udp -j REJECT -l
-A input -p udp -j DROP -l

And rerunning that particular Nessus plugin.

wedgeworth 05-13-2004 10:41 AM


wedgeworth 05-13-2004 10:49 AM

unfortunately this does not seem to be the problem. after trying your test:

# everyone else
-A input -p tcp -j REJECT -l
#-A input -p udp -j REJECT -l
-A input -p udp -j DROP -l
-A input -p icmp -j REJECT -l

[]# /etc/rc.d/init.d/ipchains restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying ipchains firewall rules: Auto-creating chain DROP
[ OK ]

changing the REJECT to a DROP, restarted ipchains, i then reran my audit. not only did the same udp error still remain. but new errors (some sunrpc port 111/tcp errors and some unknown erros from port 32768/udp) have not been added to my audit. these last errors were not there when i was REJECTing udp instead of DROPing

chort 05-13-2004 02:43 PM

Well I'd have to look at those plugins too, but I would assume that they base their errors on the fact that the packets did not get rejected (for ports 111 and 32768).

By the way, on second inspection your firewall is a bit lacking. You're using a stateless packet filter so you are allowing return traffic excplicitly, but not requiring that ACK be set. This means that sneaking packets through would be trivial (by using the correct source port). You should look into using the ESTABLISHED and RELATED keywords in your rules to cover all existing and related connection traffic and not open yourself to attacks originating from specially choosen source ports.

wedgeworth 05-13-2004 02:58 PM

you mean i should change to from ipchains to iptables (iptables is stateful packet filtering right?) you can't do such things with ipchains (which is what i'm using right now).

i just wish that i knew that the error was false. that there is no udp error under port 53. that i've blocked it. that only those ip's that i've allowed will be able to reach it. that is is nessus presumptive code that assumes that there is a vulnerability, and that i knew what this assumption was.....

All times are GMT -5. The time now is 01:22 PM.