CVE-2012-2663

Impact:
Moderate
Public Date:
2011-12-02
Bugzilla:
826702: CVE-2012-2663 iptables: --syn flag bypass

The MITRE CVE dictionary describes this issue as:

extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant.

Find out more about CVE-2012-2663 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue does affect Red Hat Enterprise Linux 5 and 6.

The risk of breaking compatibility by changing the behaviour of --syn outweighs the benefit of the fix; therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5 and 6.

Please note that the remote DoS issue in the way the Linux kernel handles packets with both the SYN and FIN flags set is being handled under a different CVE, CVE-2012-6638, and is planned to be fixed in all affected Red Hat Enterprise Linux releases.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 6.4
Base Metrics: AV:N/AC:L/Au:N/C:P/I:N/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 iptables Will not fix
Red Hat Enterprise Linux 5 iptables Will not fix

Mitigation

If your rulesets need to match connection requests that carry both the SYN and FIN flags, use --tcp-flags SYN,RST,ACK SYN instead of --syn: the FIN bit is then left out of the examined flags, so a SYN+FIN packet is matched like a plain SYN.
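As an added illustration (not part of the Red Hat advisory or of the netfilter project's code), the following Python models the flag test behind iptables' tcp match, "only the bits named in the mask are examined, and they must equal the comparison set exactly", and runs both rule forms against constructed sample segments. It assumes the iptables manual's documented meaning of --syn, namely that it is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN; the flag bit values are the RFC 793 header layout, and the sample segments are constructed for the demonstration.

```python
# Added illustration: a small model of the flag test behind iptables'
# "-p tcp --tcp-flags MASK COMP" (and "--syn"), used to show why a rule
# written with --syn does not match a SYN+FIN segment while the
# "--tcp-flags SYN,RST,ACK SYN" form from the mitigation does.

# TCP flag bits in the header's flags byte (RFC 793 layout).
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04,
    "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
}


def parse_flag_list(spec):
    """Convert an iptables flag list such as "SYN,RST,ACK" into a bitmask.

    ALL and NONE are accepted with their iptables meaning (all six
    flags, and the empty set).
    """
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(TCP_FLAGS.values())
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        name = name.strip()
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        mask |= TCP_FLAGS[name]
    return mask


def tcp_flags_match(packet_flags, mask, comp, invert=False):
    """The tcp match test: only the bits in MASK are examined, and they
    must equal COMP exactly. ``invert`` models the leading "!"."""
    return ((packet_flags & mask) == comp) != invert


def rule(mask_spec, comp_spec):
    """Build a (mask, comp) pair from the two --tcp-flags arguments."""
    return parse_flag_list(mask_spec), parse_flag_list(comp_spec)


# --syn as the iptables manual documents it: equivalent to
# "--tcp-flags SYN,RST,ACK,FIN SYN" (assumption: we model the documented
# meaning, not one particular libxt_tcp.c revision).
SYN_RULE = rule("SYN,RST,ACK,FIN", "SYN")

# The advisory's mitigation: leave FIN out of the examined bits, so a
# segment carrying SYN+FIN is still treated as a connection request.
MITIGATED_RULE = rule("SYN,RST,ACK", "SYN")


def classify(packet_flags):
    """Report whether each of the two rule forms matches a segment
    carrying ``packet_flags``."""
    return {
        "--syn": tcp_flags_match(packet_flags, *SYN_RULE),
        "--tcp-flags SYN,RST,ACK SYN": tcp_flags_match(packet_flags, *MITIGATED_RULE),
    }


if __name__ == "__main__":
    # Constructed sample segments, identified only by their flag bits.
    samples = {
        "SYN": parse_flag_list("SYN"),
        "SYN+FIN": parse_flag_list("SYN,FIN"),
        "SYN+ACK": parse_flag_list("SYN,ACK"),
        "ACK": parse_flag_list("ACK"),
    }
    for label, flags in samples.items():
        print(label, classify(flags))
```

Running the block shows the difference the advisory describes: a plain SYN is matched by both forms, a SYN+FIN segment is matched only by the --tcp-flags SYN,RST,ACK SYN form, and SYN+ACK or bare ACK segments are matched by neither. A DROP or rate-limiting rule written with --syn therefore leaves SYN+FIN unexamined, which is the gap that the kernel-side fix for CVE-2012-6638 makes less relevant.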

CVE description copyright © 2017, The MITRE Corporation
