Bugzilla – Bug 100428
VUL-0: CVE-2005-2457: kernel: wrong return value in ip_conntrack_core
Last modified: 2021-11-10 10:58:32 UTC
We received the following report via vendor-sec. This issue is not public yet, please keep any information about it inside SUSE. We don't have ip_conntrack_pptp but since it's triggered by a bug in ip_conntrack_core we should include that part of the patch IMHO.

Date: Wed, 03 Aug 2005 09:56:18 +0200
From: Stephan Scholz <sscholz@astaro.com>
To: vendor-sec@lst.de
Cc: Markus Hennig <mhennig@astaro.com>, Gert Hansen <ghansen@astaro.com>, Holger Eitzenberger <heitzenberger@astaro.com>, Harald Welte <laforge@gnumonks.org>
Subject: [vendor-sec] Netfilter / PPTP conntrack helper kernel oops

Subject: Netfilter / PPTP conntrack helper kernel oops
Released: 03 August 2005

Effects:
By creating several Call Requests within the same PPTP connection, the PPTP conntrack helper ip_conntrack_pptp can lead to a kernel oops. TCP port 1723 must be open either through or to the firewall, and the ip_conntrack_pptp helper needs to be loaded. Note that the PPTP conntrack helper is not part of the vanilla kernel but available via netfilter patch-o-matic.

The error is in ip_conntrack_core.c in function ip_conntrack_expect_related() and ip_conntrack_pptp.c in function exp_gre(). ip_conntrack_expect_related() falsely returns an error, which causes the GRE conntrack entry to be freed. This leads to a kernel oops. Even though the error is in ip_conntrack_core, currently only the PPTP conntrack helper triggers this problem.

The vulnerability can be exploited by using the PPTP Bruter tool, which is actually a password cracker against Microsoft PPTP servers but which triggers this problem unintentionally. The kernel can be crashed by using this tool either directly against the machine or against a machine behind it. The tool can be retrieved from the following location: http://www.thc.org/download.php?t=r&f=thc-pptp-bruter-0.1.4.tar.gz

Estimated Severity: High

Systems Affected: Linux kernels with ip_conntrack_pptp module loaded

Solution:
1. Apply the patch below.
or
2.
Remove the PPTP conntrack helper ip_conntrack_pptp kernel module Contact: Harald Welte <laforge@gnumonks.org> Stephan Scholz <sscholz@astaro.com> Patch for kernel 2.6 -------------------- Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c =================================================================== --- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c +++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c @@ -1015,7 +1015,6 @@ struct ip_conntrack *related_to) { struct ip_conntrack_expect *old; - int ret = 0; WRITE_LOCK(&ip_conntrack_lock); /* Because of the write lock, no reader can walk the lists, @@ -1090,7 +1089,6 @@ * related_to->expecting. */ unexpect_related(old); - ret = -EPERM; } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash, struct ip_conntrack_expect *, &expect->tuple, &expect->mask)) { @@ -1107,7 +1105,7 @@ CONNTRACK_STAT_INC(expect_create); - return ret; + return 0; } /* Change tuple in an existing expectation */ Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c =================================================================== --- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_pptp.c +++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c @@ -237,7 +237,6 @@ if (ip_conntrack_expect_related(exp, master) != 0) { ip_ct_gre_keymap_destroy(exp); - ip_conntrack_expect_put(exp); DEBUGP("cannot expect_related()\n"); return 1; } Patch for kernel 2.4 -------------------- --- linux-2.4/net/ipv4/netfilter/ip_conntrack_core.c +++ linux-2.4.conntrack_pptp/net/ipv4/netfilter/ip_conntrack_core.c @@ -939,7 +939,6 @@ struct ip_conntrack_expect *expect) { struct ip_conntrack_expect *old, *new; - int ret = 0; WRITE_LOCK(&ip_conntrack_lock); /* Because of the write lock, no reader can walk the lists, @@ -1021,7 +1020,6 @@ * related_to->expecting. */ unexpect_related(old); - ret = -EPERM; } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash, struct ip_conntrack_expect *, &expect->tuple, &expect->mask)) { 
@@ -1061,7 +1059,7 @@ WRITE_UNLOCK(&ip_conntrack_lock); - return ret; + return 0; } /* Change tuple in an existing expectation */ _______________________________________________ Vendor Security mailing list Vendor Security@lst.de https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
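Review bot: in the ip_conntrack_core.c hunks (2.6 @@ -1090 and @@ -1107, and the same change in the 2.4 @@ -1021 and @@ -1061 hunks), removing `ret = -EPERM;` after `unexpect_related(old);` and returning a constant 0 is the actual fix, but nothing in the diff records why. The evict-and-replace branch falls through to registering the new expectation, so reporting -EPERM told the helper that an expectation the core had just linked had failed, and the helper then released it. Please add a one-line comment at the `unexpect_related(old);` site stating that the new expectation is registered below and that this path reports success, otherwise the error return is easy to reintroduce. It also follows that every remaining early return in this function must now release `expect` itself before reporting an error, since the helper no longer does; that invariant belongs in the patch description.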
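Review bot: in the ip_conntrack_pptp.c hunk (@@ -237), the failure branch keeps `ip_ct_gre_keymap_destroy(exp);` and drops `ip_conntrack_expect_put(exp);`, which is correct only if ip_conntrack_expect_related() drops the reference on every nonzero return; none of the visible core hunks show that put (the expect_clash branch is cut off), so a comment at this call site documenting that ownership of `exp` passes to the core on the call would make the branch read as intended rather than as a leak. Separately, the 2.4 patch contains no ip_conntrack_pptp.c hunk; if the 2.4 patch-o-matic helper has the same put-on-failure in exp_gre(), it needs the matching change or the 2.4 series is only half fixed.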
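The ownership mismatch the advisory describes, as an added C model that is not part of the advisory or of the kernel patch: the helper frees an expectation that the core has already registered, because the eviction path returns an error for what is really a success. The structures, the eviction limit and the `alive` flag are assumptions standing in for the real conntrack objects.

```c
#include <stddef.h>
#define EPERM 1
#define MAX_EXPECTED 2  /* constructed limit, stands in for the helper's max_expected */
/* Hypothetical minimal model: an expectation and its master's list (oldest at the tail). */
struct expect { int id; int alive; struct expect *next; };
struct master { struct expect *head; int expecting; };

/* Models unexpect_related(old): unlink and release the oldest expectation. */
static void unexpect_oldest(struct master *m) {
    struct expect **pp = &m->head;
    while ((*pp)->next) pp = &(*pp)->next;
    (*pp)->alive = 0;
    *pp = NULL;
    m->expecting--;
}
/* Models ip_conntrack_expect_related(): at the limit it evicts the oldest entry and
 * still registers the new one; before the patch this path set ret = -EPERM, so a
 * successfully registered expectation reported failure to its caller. */
static int expect_related(struct master *m, struct expect *e, int pre_patch) {
    int ret = 0;
    if (m->expecting >= MAX_EXPECTED) {
        unexpect_oldest(m);
        if (pre_patch) ret = -EPERM;   /* the bug: an error for a success */
    }
    e->next = m->head; m->head = e; m->expecting++;
    return ret;
}
/* Models exp_gre(): on a nonzero return the helper releases the expectation it
 * created (ip_conntrack_expect_put), although the core still has it linked. */
static int helper_add_expect(struct master *m, struct expect *e, int pre_patch) {
    e->alive = 1; e->next = NULL;
    if (expect_related(m, e, pre_patch) != 0) { e->alive = 0; return 1; }
    return 0;
}

/* Registered entries already released: nonzero means a dangling entry that the
 * real kernel later dereferences and oopses on. */
static int dangling_count(const struct master *m) {
    int n = 0;
    for (const struct expect *e = m->head; e; e = e->next) n += !e->alive;
    return n;
}

/* Three call requests on one PPTP control connection (constructed input). */
int simulate(int pre_patch) {
    struct expect pool[3] = { {0, 0, NULL}, {1, 0, NULL}, {2, 0, NULL} };
    struct master m = { NULL, 0 };
    for (int i = 0; i < 3; i++) helper_add_expect(&m, &pool[i], pre_patch);
    return dangling_count(&m);
}
```

With the pre-patch return value the third call request leaves one released entry still linked in the master's list; with the patched return value none is.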
Created attachment 44578: mail as attachment
Olaf says it is fine. We should, however, test connection tracking afterwards.
Is this public already? Can we publish the fix?
Kernels 2.6.11 and later seem unaffected by this.
Created attachment 46143: Patch for 9.3
Sorry, the above should have read "Patch for SLES9".
Patch submitted to SLES9 SP2, SP3
Not public, however. But leave it in; it is stale already.
Only really affected ip_pptp, which we do not ship.

From: Stephan Scholz <sscholz@astaro.com>
That's right, it is not an issue with the vanilla kernel. Even though there was a bug in the conntrack core, this only led to problems in combination with the pptp conntrack helper. Other components or helpers were not affected, so it's basically patch-o-matic only.
-> tracking
all applied.
released.
*** Bug 157903 has been marked as a duplicate of this bug. ***