bugzilla-daemon at netfilter.org
2024-May-28 14:30 UTC
[Bug 1753] New: Netfilter does not check the sequence number strictly, a spoofed TCP RST packet with an in-window sequence number can cause the change of the mapping state
https://bugzilla.netfilter.org/show_bug.cgi?id=1753
Bug ID: 1753
Summary: Netfilter does not check the sequence number strictly,
a spoofed TCP RST packet with an in-window sequence
number can cause the change of the mapping state
Product: netfilter/iptables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nf_conntrack
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: yangyx22 at mails.tsinghua.edu.cn
We discover a fundamental vulnerability in Netfilter when it receives spoofed
TCP RST packets, which can be exploited by a malicious insider to conduct a TCP
hijacking attack to other clients under the same NAT device. The root cause
resides in the insufficient validation of TCP sequence numbers of TCP reset
packets received by Netfilter.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240528/b2cc1bfb/attachment.html>
bugzilla-daemon at netfilter.org
2024-May-28 14:32 UTC
[Bug 1753] Netfilter does not check the sequence number strictly, a spoofed TCP RST packet with an in-window sequence number can cause the change of the mapping state
https://bugzilla.netfilter.org/show_bug.cgi?id=1753 --- Comment #1 from yangyx22 at mails.tsinghua.edu.cn --- Created attachment 743 --> https://bugzilla.netfilter.org/attachment.cgi?id=743&action=edit The detailed vulnerability and the steps to reproduce it -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240528/d713bbff/attachment.html>