[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2022-2663: Linux netfilter: nf_conntrack_irc message handling
From: David Leadbeater <dgl () dgl ! cx>
Date: 2022-08-30 2:27:44
Message-ID: CAP9KPhDskZ1W_wnJ_Z8sNY9nqwLGyL0k3pjYwrhJ_TQnXcC-HA () mail ! gmail ! com
[Download RAW message or body]
Description:
I've found an issue in nf_conntrack_irc where the message handling can
be confused and it incorrectly matches on the message.
Impact:
A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured.
Mitigations:
Linux: Disable nf_conntrack_irc (remove any --helper irc rules, and/or
unload the kernel module)
MikroTik: Remove IRC from the service ports list (/ip
firewall/service-port/disable irc)
Fix is posted here:
https://lore.kernel.org/netfilter-devel/20220826045658.100360-1-dgl@dgl.cx/T/
It will be making its way into upstream Linux soon.
I'll update in a couple of days with complete details.
David
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic