[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]

RE: URGENT! Linux 2.2.10 ipchains Advisory



Raju:

Thanks for the warning.

I would just like to point out to everyone that there is not need to panic
if you use RedHat Linux and are using the default shipped kernel (i.e. you
have not compiled your own), since the RHL default kernels are compiled with
CONFIG_IP_ALWAYS_DEFRAG turned on.

Also, if you have rebuilt a kernel from RHL's kernel source RPMs, you need
not worry because RH patched the kernel source to disallow IP Masquerading
when IP_DEFRAG is not turned on (Versions 5.2 and 6.0).

If you have compiled your own kernel (or are using another distribution) and
want to check if CONFIG_IP_ALWAYS_DEFRAG was enabled, then use the following
command to find out:

grep CONFIG_IP_ALWAYS_DEFRAG /usr/src/linux/.config

you should see "CONFIG_IP_ALWAYS_DEFRAG=y", in which case you have nothing
to worry about.

Atul

p.s. Can someone using Debian, Suse, Slackware, etc. check on what the state
of CONFIG_IP_ALWAYS_DEFRAG in the default kernels shipped with those distros
and let us know?

> -----Original Message-----
> From: Majordomo [mailto:majordom@xxxxxxxxx]On Behalf Of Thomas Lopatic
> Sent: Wednesday, July 28, 1999 8:40 AM
> To: BUGTRAQ@xxxxxxxxxxxxxxxxx
> Subject: URGENT! Linux 2.2.10 ipchains Advisory
>
>
> This vulnerability information might be relevant to some of us.
>
> In a nutshell (or should that be rootshell? :), firewalling with
> Ipchains in 2.2 kernels so far isn't as bullet-proof as we thought.
> It is possible for an attacker to send specially-constructed
> fragmented IP packets to a Linux host running Ipchains which bypass
> the normal Ipchains security mechanism.  I expect to see a fix for
> this in 2.2.11, Insh'Allah and Insh'Alan.
>
> Quick fixes:
>
> 1.  Recompile your kernel with CONFIG_IP_ALWAYS_DEFRAG defined (I
> always do that anyway, so I'm fine :-)
>
> OR
>
> 2.  Apply the patch given in this message and then recompile your
> kernel.
>
> I personally would trust the first option.
>
> Regards,
>
> -- Raju


- --------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/
The Linux India mailing list does not accept postings in HTML format.

------------------------------