Title: Linux IPChains Fragment Overlap Vulnerability
Severity: HIGH
Description:
There is a vulnerability in the Linux firewall implementation (IPChains) in kernels 2.2.0 and above. It may allow an attacker to send data to a blocked port. When a fragment with the IP_MF bit set, an offset of 0 and a full TCP header inside is sent to a non-filtered port on the firewall, the TCP port information can be overlapped by sending a second fragment with an offset of 0, the IP_MF bit set and a length of 4 that carries destination port information.
What happens is the following: when fragment A reaches the firewall, it is passed on to the target host because the TCP header it carries names an allowed port. The second fragment is passed along as well, and overlaps the port information of the first once inside the reassembly chain. To finish the attack, a fragment is sent with a normal offset (relative to the initial fragment) and the IP_MF bit unset.
Two conditions must be met for this vulnerability to be exploitable: the Linux kernel doing the firewalling must be configured so that defragmentation does not occur before packets pass through the filters, and the firewall must allow non-first fragments to pass through.
The order of the first two fragments may need to be reversed depending on the defragmentation implementation of the target host operating system.
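The following detection logic is an added example for this advisory, not Juniper's or the Linux kernel's code. It takes fragments as (ip_id, offset, MF, payload) records, assumed to come from a packet capture, and flags any later fragment whose bytes disagree with bytes already seen for the same datagram; a conflict inside the first four transport bytes is reported as a rewrite of the TCP ports, which is the case the description above relies on. The sample fragments are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
import struct

TCP_PORTS_LEN = 4  # source port (2 bytes) + destination port (2 bytes)

@dataclass
class Fragment:
    ip_id: int      # IP identification shared by all fragments of one datagram
    offset: int     # byte offset within the reassembled datagram (field value * 8)
    more: bool      # IP_MF bit
    payload: bytes  # transport-layer bytes carried by this fragment

def scan_fragments(fragments):
    """Return (index, ip_id, kind) alerts for fragments that rewrite seen bytes.

    Legitimate fragmentation never produces two fragments that disagree about
    the same byte, so any conflicting overlap is suspicious. Offset 0 is assumed
    to be the start of the TCP header, so a conflict below TCP_PORTS_LEN means
    the ports a first-fragment-only filter matched on are being replaced.
    State is kept per datagram for the whole run; a real tool would expire it.
    """
    seen = defaultdict(dict)  # ip_id -> {byte offset: first-seen byte value}
    alerts = []
    for n, frag in enumerate(fragments):
        conflicts = [frag.offset + i for i, b in enumerate(frag.payload)
                     if seen[frag.ip_id].get(frag.offset + i, b) != b]
        if conflicts:
            kind = "tcp-port-overlap" if min(conflicts) < TCP_PORTS_LEN else "data-overlap"
            alerts.append((n, frag.ip_id, kind))
        for i, b in enumerate(frag.payload):
            seen[frag.ip_id].setdefault(frag.offset + i, b)  # keep the first copy
    return alerts

def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (constructed; only the ports matter here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

# Constructed sequence mirroring the advisory: A carries a full TCP header for an
# allowed port, B re-sends offset 0 with four bytes naming another destination
# port, and C completes the datagram with a normal offset and IP_MF unset.
SUSPECT = [
    Fragment(7, 0, True, tcp_header(1025, 80) + b"a" * 4),
    Fragment(7, 0, True, struct.pack("!HH", 1025, 23)),
    Fragment(7, 24, False, b"x" * 8),
]
# Constructed benign datagram: two fragments that do not overlap.
BENIGN = [
    Fragment(8, 0, True, tcp_header(1025, 80) + b"a" * 4),
    Fragment(8, 24, False, b"b" * 8),
]

if __name__ == "__main__":
    print(scan_fragments(SUSPECT))  # [(1, 7, 'tcp-port-overlap')]
```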
Affected Products:
- Caldera OpenLinux 2.3.0
- Linux kernel 2.2.0
- Linux kernel 2.2.10
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.