IPTables FTP Stateful Inspection Arbitrary Filter Rule Insertion Vulnerability

The Linux kernel includes a built-in firewall implementation called IPTables. IPTables supports stateful inspection of several application protocols, one of which is FTP. The inspection is used to facilitate outgoing PORT connections for FTP data transfers when clients or servers are behind firewalls.

When a FTP PORT command containing an IP address which differs from the client's is processed by the stateful-inspection module, the occurrance is caught. Despite being detected, the condition is handled erroneously causing an entry for the PORT connection to be inserted into the table of 'RELATED' connections. This temporarily permits traffic through the firewall from the FTP server to the destination included in the PORT command.

An attacker may be able to use this vulnerability to access unauthorized hosts from the FTP server.

It should be noted that clients do not need to authenticate to exploit this vulnerability.


Privacy Statement
Copyright 2010, SecurityFocus