[Bug 1753] New: Netfilter does not check the sequence number strictly, a spoofed TCP RST packet with an in-window sequence number can cause the change of the mapping state

Tue May 28 16:30:29 CEST 2024

https://bugzilla.netfilter.org/show_bug.cgi?id=1753

            Bug ID: 1753
           Summary: Netfilter does not check the sequence number strictly,
                    a spoofed TCP RST packet with an in-window sequence
                    number can cause the change of the mapping state
           Product: netfilter/iptables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nf_conntrack
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: yangyx22 at mails.tsinghua.edu.cn

We discover a fundamental vulnerability in Netfilter when it receives spoofed
TCP RST packets, which can be exploited by a malicious insider to conduct a TCP
hijacking attack to other clients under the same NAT device. The root cause
resides in the insufficient validation of TCP sequence numbers of TCP reset
packets received by Netfilter.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240528/b2cc1bfb/attachment.html>