Normal users can send forged packets out of a Linux system - for NFS attacks or other protocols relying on IP addresses for authentication - even when protected from the outside interfaces by firewalling rules. Most of the time, existing firewalling rules are bypassed. This attack requires only a shell account on the system.
Credit:
This vulnerability and fix information was provided by: Marc SCHAEFER.
Although regular users should be able to form raw IP packets under Linux, any local user can build and send any packet to any host from most Linux systems without needing to exploit a suid flaw. Basically, it corresponds to having a 'write only' permissions to raw IP socket on the server machine.
You are immune to this problem if one (or more) of the following is true:
- you do not have local (shell) users
- SLIP and PPP are not compiled in the kernel and either are not available in /lib/modules/* as modules, or are never loaded and kerneld/kmod is not available.
- you use deny-default configuration for your input firewall rules, and you don't have accept entries for specific addresses or for unused ppp or slip interfaces (and the used ones are never unused or accept rules are safely removed at shutdown).
- you use 2.3.18 with ac6 patch (or higher).
- you use 2.2.13pre15 (or higher).
Workaround:
- Make so that SLIP and PPP support are not available
- Use deny default policy for input firewall, only allow for specific address ranges and specific interfaces. For dynamic links (such as SLIP or PPP), add an 'accept' rule at link creation time, and remove the entry when the link goes down.
Fix:
- For 2.3.x, install 2.3.18 with the ac6 patch (or higher). Warning, this is a DEVELOPMENT kernel.
- For 2.2.x, install 2.2.13pre15 or higher (e.g. 2.2.13).
- At this time no fix for 2.0.x is available. Please apply the above mentioned workarounds.
