CVE-2014-8160 iptables restriction bypass (rhbz 1182059 1182063)

2015-01-15 08:19:17 -05:00 · 2015-01-15 08:19:17 -05:00 · a77899c5d1
parent 1578b2969a
commit a77899c5d1
2 changed files with 100 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -783,6 +783,9 @@ Patch26131: acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
 #CVE-2014-9585 rhbz 1181054 1181056
 Patch26132: x86_64-vdso-Fix-the-vdso-address-randomization-algor.patch

+#CVE-2014-8160 rhbz 1182059 1182063
+Patch26133: netfilter-conntrack-disable-generic-tracking-for-kno.patch
+
 # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
 Patch30000: kernel-arm64.patch

@ -1536,6 +1539,9 @@ ApplyPatch acpi-video-Add-disable_native_backlight-quirk-for-Sa.patch
 #CVE-2014-9585 rhbz 1181054 1181056
 ApplyPatch x86_64-vdso-Fix-the-vdso-address-randomization-algor.patch

+#CVE-2014-8160 rhbz 1182059 1182063
+ApplyPatch netfilter-conntrack-disable-generic-tracking-for-kno.patch
+
 %if 0%{?aarch64patches}
 ApplyPatch kernel-arm64.patch
 %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@ -2354,6 +2360,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Thu Jan 15 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-8160 iptables restriction bypass (rhbz 1182059 1182063)
+
 * Mon Jan 12 2015 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2014-9585 ASLR brute-force possible for vdso (rhbz 1181054 1181056)
 - Backlight fixes for Samsung and Dell machines (rhbz 1094948 1115713 1163574)
--- a/netfilter-conntrack-disable-generic-tracking-for-kno.patch
+++ b/netfilter-conntrack-disable-generic-tracking-for-kno.patch
@ -0,0 +1,91 @@
+From db29a9508a9246e77087c5531e45b2c88ec6988b Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 26 Sep 2014 11:35:42 +0200
+Subject: [PATCH] netfilter: conntrack: disable generic tracking for known
+ protocols
+
+Given following iptables ruleset:
+
+-P FORWARD DROP
+-A FORWARD -m sctp --dport 9 -j ACCEPT
+-A FORWARD -p tcp --dport 80 -j ACCEPT
+-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
+
+One would assume that this allows SCTP on port 9 and TCP on port 80.
+Unfortunately, if the SCTP conntrack module is not loaded, this allows
+*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
+which we think is a security issue.
+
+This is because on the first SCTP packet on port 9, we create a dummy
+"generic l4" conntrack entry without any port information (since
+conntrack doesn't know how to extract this information).
+
+All subsequent packets that are unknown will then be in established
+state since they will fallback to proto_generic and will match the
+'generic' entry.
+
+Our originally proposed version [1] completely disabled generic protocol
+tracking, but Jozsef suggests to not track protocols for which a more
+suitable helper is available, hence we now mitigate the issue for in
+tree known ct protocol helpers only, so that at least NAT and direction
+information will still be preserved for others.
+
+ [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
+
+Joint work with Daniel Borkmann.
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/nf_conntrack_proto_generic.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
+index d25f29377648..957c1db66652 100644
+--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
+@@ -14,6 +14,30 @@
+ 
+ static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
+ 
+static bool nf_generic_should_process(u8 proto)
+{
+	switch (proto) {
+#ifdef CONFIG_NF_CT_PROTO_SCTP_MODULE
+	case IPPROTO_SCTP:
+		return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_DCCP_MODULE
+	case IPPROTO_DCCP:
+		return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_GRE_MODULE
+	case IPPROTO_GRE:
+		return false;
+#endif
+#ifdef CONFIG_NF_CT_PROTO_UDPLITE_MODULE
+	case IPPROTO_UDPLITE:
+		return false;
+#endif
+	default:
+		return true;
+	}
+}
+
+ static inline struct nf_generic_net *generic_pernet(struct net *net)
+ {
+ 	return &net->ct.nf_ct_proto.generic;
+@@ -67,7 +91,7 @@ static int generic_packet(struct nf_conn *ct,
+ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
+ 			unsigned int dataoff, unsigned int *timeouts)
+ {
+-	return true;
+	return nf_generic_should_process(nf_ct_protonum(ct));
+ }
+ 
+ #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+-- 
+2.1.0
+