[libvirt] [PATCH] CVE-2010-2242 Apply a source port mapping to virtual network masquerading
Daniel Veillard
veillard at redhat.com
Thu Jul 15 15:45:53 UTC 2010
On Mon, Jul 12, 2010 at 09:19:33AM -0400, Daniel P. Berrange wrote:
> For
>
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2242
>
> IPtables will seek to preserve the source port unchanged when
> doing masquerading, if possible. NFS has a pseudo-security
> option where it checks for the source port <= 1023 before
> allowing a mount request. If an admin has used this to make the
> host OS trusted for mounts, the default iptables behaviour will
> potentially allow NAT'd guests access too. This needs to be
> stopped.
>
> With this change, the iptables -t nat -L -n -v rules for the
> default network will be
>
> Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
> pkts bytes target prot opt in out source destination
> 14 840 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
> 75 5752 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
> 0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
>
> * src/network/bridge_driver.c: Add masquerade rules for TCP
> and UDP protocols
> * src/util/iptables.c, src/util/iptables.c: Add source port
> mappings for TCP & UDP protocols when masquerading.
Looks fine, ACK,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
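To see the effect of the rules quoted above on a running host, here is an added example (not libvirt's own code) that builds the three POSTROUTING rules from the patch description for a subnet and audits rules in `iptables-save -t nat` style for tcp/udp traffic that is still masqueraded without a `--to-ports` source-port mapping. It assumes only POSIX sh and awk; the pre-patch rule set it checks is a constructed sample.

```shell
#!/bin/sh
# Added example, not libvirt's own code: audit MASQUERADE rules in
# `iptables-save -t nat` style output for the weakness the patch closes,
# i.e. tcp/udp traffic masqueraded without a --to-ports mapping, which lets
# a guest's privileged (< 1024) source port be preserved through NAT.

# Print the three POSTROUTING rules the patch description shows, for one subnet.
# Usage: masq_rules 192.168.122.0/24
masq_rules() {
    net="$1"
    for proto in tcp udp; do
        printf '%s\n' "-A POSTROUTING -s $net ! -d $net -p $proto -j MASQUERADE --to-ports 1024-65535"
    done
    printf '%s\n' "-A POSTROUTING -s $net ! -d $net -j MASQUERADE"
}

# Read rules on stdin in chain order (iptables stops at the first match).
# A MASQUERADE rule without --to-ports is reported if it can still reach
# tcp or udp: it names -p tcp/udp, or has no -p at all, and that protocol
# was not already handled by an earlier rule carrying --to-ports.
audit_masq() {
    awk '
    /-j MASQUERADE/ {
        proto = "all"
        if ($0 ~ /-p tcp/) proto = "tcp"
        else if ($0 ~ /-p udp/) proto = "udp"
        mapped = ($0 ~ /--to-ports/)
        if (mapped) { covered[proto] = 1; next }
        if (proto == "all") {
            if (!covered["tcp"] || !covered["udp"]) print "UNMAPPED: " $0
        } else if (!covered[proto]) {
            print "UNMAPPED: " $0
        }
    }'
}

# Number of flagged rules, for use in scripts.
count_unmapped() { audit_masq | awk 'END { print NR }'; }

# Constructed sample: a single catch-all masquerade rule with no port mapping.
SAMPLE_BEFORE='-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE'

# Demonstration: the constructed rule set is flagged, the patched set is not.
printf '%s\n' "$SAMPLE_BEFORE" | audit_masq
masq_rules 192.168.122.0/24 | audit_masq
```

On a real host, feed `iptables-save -t nat` into `audit_masq` to check the live POSTROUTING chain.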