Anatomy of an IP Fragmentation Vulnerability in Linux IPChains: Investigating Common Vulnerabilities and Exposures (CVE) Candidate Vulnerability CAN-1

Published: 14 Jul, 2003
Created by: Karim Sobhi

This paper investigates a potential IP fragmentation vulnerability in Linux IPChains. A candidate vulnerability is one that has been identified, but has not yet been tested to establish whether it can be used to breach a system. The aim of this paper is to do exactly that: to establish whether or not this potential vulnerability can be used to compromise the security of a Linux IPChains firewall. The candidate IP fragmentation vulnerability in question allows an attacker to bypass a Linux IPChains firewall by accessing ports on an internal network host that should be blocked by the firewall. Because of a glitch in IPChains code, an attacker can use IP fragmentation to disguise traffic that's prohibited by the firewall rules as traffic that is allowed. After conducting a series of experiments, it appears that this is an actual vulnerability in IPChains. Whether it is exploitable, on the other hand, could not be shown. It was possible for a custom-made fragmented FTP SYN packet to reach an internal host running Red Hat Linux 8.0 and protected by a Linux Mandrake 6.0 IPChains firewall, although the firewall rules deny FTP traffic. However, the internal host did not issue a reply due to a failure to re-assemble the packet fragments.
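The bypass the abstract describes rests on a filter making a per-fragment decision when only the reassembled datagram carries enough information to match a port rule. The following Python is an added illustration, not code from the paper or from IPChains: it builds a constructed two-fragment TCP SYN, shows that a stateless per-fragment check can classify only the fragment holding the transport header, and contrasts that with a filter that reassembles first and applies the rule to the whole datagram. The deny rule on port 21, the addresses, and all helper names are assumptions for the example.

```python
"""Added example: per-fragment vs. reassembled filtering of IPv4 fragments.
All packet bytes are constructed here; nothing is captured from a real network."""
import struct

TCP = 6
BLOCKED_TCP_PORTS = {21}          # assumed rule: deny FTP control traffic
SRC, DST = bytes([10, 0, 0, 2]), bytes([192, 168, 1, 10])   # constructed addresses


def build_ipv4(ident, more_fragments, offset_bytes, proto, payload):
    """Construct a 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, SRC, DST)
    return hdr + payload


def parse_ipv4(pkt):
    """Return the fields a fragment filter needs: reassembly key, MF flag, offset, payload."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


def tcp_dst_port(payload):
    """Destination port sits at bytes 2..3 of the TCP header; None if not present."""
    return struct.unpack("!HH", payload[:4])[1] if len(payload) >= 4 else None


class Reassembler:
    """Collects fragments per (src, dst, id, proto); returns the datagram once contiguous."""
    def __init__(self):
        self.buffers = {}

    def add(self, frag):
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        entry = self.buffers.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][frag["offset"]] = frag["payload"]
        if not frag["mf"]:                       # last fragment fixes the total length
            entry["total"] = frag["offset"] + len(frag["payload"])
        if entry["total"] is None:
            return None
        data, pos = b"", 0
        while pos < entry["total"]:              # require gap-free coverage from offset 0
            part = entry["parts"].get(pos)
            if part is None:
                return None                      # still incomplete: keep waiting
            data, pos = data + part, pos + len(part)
        del self.buffers[key]
        return key, data


def filter_fragment(frag):
    """Stateless decision: only a fragment carrying the TCP ports can be matched to a rule."""
    port = tcp_dst_port(frag["payload"]) if frag["offset"] == 0 else None
    if port is None:
        return "UNCLASSIFIABLE"
    return "DENY" if port in BLOCKED_TCP_PORTS else "ALLOW"


def filter_reassembled(reasm, frag):
    """Stateful decision: apply the port rule to the reassembled datagram only."""
    result = reasm.add(frag)
    if result is None:
        return "PENDING"
    key, data = result
    if key[3] == TCP and tcp_dst_port(data) in BLOCKED_TCP_PORTS:
        return "DENY"
    return "ALLOW"


def syn_fragments(ident, dport):
    """Constructed 20-byte TCP SYN split into an 8-byte first fragment and a 12-byte tail."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return [parse_ipv4(build_ipv4(ident, True, 0, TCP, tcp[:8])),
            parse_ipv4(build_ipv4(ident, False, 8, TCP, tcp[8:]))]


def run_demo():
    """Compare both filters on a denied (port 21) and an allowed (port 80) fragmented SYN."""
    denied, allowed = syn_fragments(0x1234, 21), syn_fragments(0x1235, 80)
    reasm = Reassembler()
    return {
        "per_fragment_denied": [filter_fragment(f) for f in denied],
        "reassembled_denied": [filter_reassembled(reasm, f) for f in denied],
        "reassembled_allowed": [filter_reassembled(reasm, f) for f in allowed],
        "incomplete": filter_reassembled(Reassembler(), denied[0]),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The tail fragment comes back `UNCLASSIFIABLE` from the per-fragment check because it carries no transport header, which is exactly the blind spot a port-based rule has when applied fragment by fragment; the reassembling filter withholds its verdict (`PENDING`) until the datagram is whole, then denies it. The `incomplete` case, where the second fragment never arrives, mirrors the abstract's observation that an unreassembled datagram produces no reply at the host.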