*** This bug is a security vulnerability ***

Public security bug reported:

With kernel 2.6.32-35-generic and lucid iptables, iptables-save does not
save the real iptables entries currently active in the nat table; at least
the conntrack match entries --ctorigdst with a network are corrupted.

In my opinion, this should have only mild security implications and
might only be observed on machines with paranoid rulesets, as conntrack
in nat might not be a common use case. As soon as the broken source code is
found, the impact on other rules should be re-evaluated.

In the worst case, this bug might lead to service interruption (our case) or
bypass of access restrictions when restoring rules exported with the broken
"iptables-save".

How to detect:

iptables -t nat -A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0/24 -j SNAT --to-source 192.168.1.1
# iptables-save -t nat | grep POSTR
:POSTROUTING ACCEPT [87:5264]
-A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0 -j SNAT --to-source 192.168.1.1

As one can see, the network prefix in the ctorigdst was lost during
save, so the rule is not the same after save; a restore will restore a broken
rule.
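The check below is an added example, not part of the bug report or of the iptables project. It cross-checks an iptables-save dump against the ruleset that was actually loaded and reports every conntrack address match (--ctorigsrc, --ctorigdst, --ctreplsrc, --ctrepldst) whose prefix length is present in the intended rules but missing from the dump. The function name, the sample rule files and the dump contents are constructed for the example; the dump is modelled on the output shown above.

```shell
#!/bin/sh
# Added example (not from the bug report): cross-check an iptables-save dump
# against the ruleset you intended to load, and flag conntrack address
# matches (--ctorigsrc/--ctorigdst/--ctreplsrc/--ctrepldst) whose network
# prefix length is missing from the dump. A bare address in the dump is only
# reported when the intended ruleset gave that same address a prefix shorter
# than /32, since a dropped /32 changes nothing. Function names are hypothetical.

# check_ct_prefix_loss INTENDED DUMP
# Prints one line per truncated match; exits 1 if any were found, 0 otherwise.
check_ct_prefix_loss() {
    awk '
    # Pass 1 (intended ruleset): remember "option address" -> "address/prefix"
    FILENAME == ARGV[1] {
        for (i = 1; i < NF; i++)
            if ($i ~ /^--ct(orig|repl)(src|dst)$/) {
                n = split($(i + 1), p, "/")
                if (n == 2 && p[2] != "32")
                    want[$i " " p[1]] = $(i + 1)
            }
        next
    }
    # Pass 2 (iptables-save dump): a bare address that the intended rules
    # qualified with a prefix means the prefix was lost in the dump.
    {
        for (i = 1; i < NF; i++) {
            key = $i " " $(i + 1)
            if ($i ~ /^--ct(orig|repl)(src|dst)$/ && $(i + 1) !~ /\// && (key in want)) {
                printf "dump line %d: %s %s was intended as %s\n", FNR, $i, $(i + 1), want[key]
                bad = 1
            }
        }
    }
    END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Constructed sample input modelled on the report: the rules as loaded, and
# the dump with the /24 dropped. The second rule keeps its prefix and the
# third is a host match, so neither should be reported.
run_demo() {
    intended=$(mktemp) && dump=$(mktemp) || return 2
    cat > "$intended" <<'EOF'
*nat
-A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0/24 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -p udp -m conntrack --ctorigsrc 10.0.0.0/8 -j MASQUERADE
-A POSTROUTING -p tcp -m conntrack --ctrepldst 192.168.5.7/32 -j ACCEPT
COMMIT
EOF
    cat > "$dump" <<'EOF'
*nat
:POSTROUTING ACCEPT [87:5264]
-A POSTROUTING -p tcp -m conntrack --ctorigdst 192.168.0.0 -j SNAT --to-source 192.168.1.1
-A POSTROUTING -p udp -m conntrack --ctorigsrc 10.0.0.0/8 -j MASQUERADE
-A POSTROUTING -p tcp -m conntrack --ctrepldst 192.168.5.7 -j ACCEPT
COMMIT
EOF
    check_ct_prefix_loss "$intended" "$dump"
    rc=$?
    rm -f "$intended" "$dump"
    return $rc
}

run_demo || echo "prefix loss detected (exit status $?)"
```

On a live system the intended file would be the ruleset you feed to iptables-restore (or your own rule script) and the dump the output of iptables-save; a non-zero exit status from the check is the signal not to trust that dump for a restore. The /32 exception keeps the check quiet for host matches, where a dropped prefix does not change the match.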

On kernel version 2.6.38-12-generic and Ubuntu oneiric iptables,
everything works as expected, so the bug must already be fixed in oneiric.

Bug on lucid:

# lsb_release -rd
Description:    Ubuntu 10.04.3 LTS
Release:        10.04

# apt-cache policy iptables
iptables:
  Installed: 1.4.4-2ubuntu2
  Candidate: 1.4.4-2ubuntu2
  Version table:
 *** 1.4.4-2ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status

** Affects: iptables (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/899200

Title:
  iptables-save fails to store network prefix length in dump

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/899200/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs