List:       oss-security
Subject:    [oss-security] CVE-2022-2663: Linux netfilter: nf_conntrack_irc message handling
From:       David Leadbeater <dgl () dgl ! cx>
Date:       2022-08-30 2:27:44
Message-ID: CAP9KPhDskZ1W_wnJ_Z8sNY9nqwLGyL0k3pjYwrhJ_TQnXcC-HA () mail ! gmail ! com

Description:

I've found an issue in nf_conntrack_irc where the message handling can
be confused and it incorrectly matches on the message.

Impact:

A firewall may be able to be bypassed when users are using unencrypted
IRC with nf_conntrack_irc configured.

Mitigations:

Linux: Disable nf_conntrack_irc (remove any --helper irc rules, and/or
unload the kernel module)
MikroTik: Remove IRC from the service ports list
(/ip firewall/service-port/disable irc)

Fix is posted here:
https://lore.kernel.org/netfilter-devel/20220826045658.100360-1-dgl@dgl.cx/T/
It will be making its way into upstream Linux soon.

I'll update in a couple of days with complete details.

David
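
An audit for the two Linux mitigations listed above, as an added example that is not part of the original message or the kernel project. It assumes iptables-save style rules; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a host for the Linux mitigations named in the advisory.
# Inputs are plain text, so saved output from another host can be audited too.

# True if /proc/modules-format text ($1) lists nf_conntrack_irc as a module.
# Only column 1 is compared, so a dependency column mentioning it is ignored.
irc_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "nf_conntrack_irc" { f = 1 } END { exit !f }'
}

# Prints the rules in iptables-save-format text ($1) that name the irc helper,
# whether they assign it (-j CT --helper irc) or match it (-m helper --helper irc).
irc_helper_rules() {
    printf '%s\n' "$1" | grep -E -- '--helper "?irc([^[:alnum:]]|$)' || true
}

# Reports findings; returns 0 when neither condition is present, 1 otherwise.
audit_irc_helper() {
    rc=0
    if irc_module_loaded "$1"; then
        echo "FINDING: nf_conntrack_irc is loaded (unload: modprobe -r nf_conntrack_irc)"
        rc=1
    fi
    rules=$(irc_helper_rules "$2")
    if [ -n "$rules" ]; then
        echo "FINDING: rules referencing the irc helper:"
        printf '%s\n' "$rules" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample input, not taken from a real host.
SAMPLE_MODULES='nf_conntrack_irc 16384 0 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_conntrack_irc, Live 0x0000000000000000'
SAMPLE_RULES='*raw
-A PREROUTING -p tcp -m tcp --dport 6667 -j CT --helper irc
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT'

# Demo on the constructed samples. On a live host (root needed for iptables-save):
#   audit_irc_helper "$(cat /proc/modules)" "$(iptables-save)"
audit_irc_helper "$SAMPLE_MODULES" "$SAMPLE_RULES" || true
```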