[Secure-testing-team] Bug#638449: iptables-persistent: rules aren't loaded at all
Christoph Anton Mitterer
calestyo at scientia.net
Wed Aug 17 12:16:16 UTC 2011
Package: iptables-persistent
Version: 0.5.2
Severity: critical
Tags: security
Justification: root security hole
Hi.
Since the most recent upload, rules aren't loaded any more at all:
Wed Aug 17 13:17:07 2011: Mounting local filesystems...done.
Wed Aug 17 13:17:07 2011: Activating swapfile swap...done.
Wed Aug 17 13:17:07 2011: Cleaning up temporary files....
Wed Aug 17 13:17:07 2011: Loading iptables rules... skipping IPv4 (no module loaded)... skipping IPv6 (no module loaded)...done.
Wed Aug 17 13:17:07 2011: Setting kernel variables ...done.
Wed Aug 17 13:17:07 2011: Cleaning up ifupdown....
Wed Aug 17 13:17:07 2011: Setting up resolvconf...done.
Wed Aug 17 13:17:07 2011: Setting up networking....
Wed Aug 17 13:17:07 2011: Scheme unchanged.
Wed Aug 17 13:17:07 2011: Configuring network interfaces...done.
Not sure why the files you check for are not there at this point.
Marking this as critical, and root sec hole, as it can easily be just this, if
one trusts that certain rules are brought up.
Chris.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iptables-persistent depends on:
ii debconf [debconf-2.0] 1.5.41 Debian configuration management sy
ii iptables 1.4.12-1 administration tools for packet fi
ii lsb-base 3.2-27 Linux Standard Base 3.2 init scrip
iptables-persistent recommends no packages.
iptables-persistent suggests no packages.
-- Configuration Files:
/etc/init.d/iptables-persistent changed [not included]
/etc/iptables/rules.v4 changed [not included]
/etc/iptables/rules.v6 changed [not included]
-- debconf information:
* iptables-persistent/autosave_v6: false
* iptables-persistent/autosave_v4: false
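The boot log in this report prints "done." even though both rule sets were skipped, so the init script's own status line cannot be used to confirm that the firewall is up. The following is an added example (not code from the report or from the iptables-persistent package) of two defender-side checks for exactly this failure mode: one that looks for the skip marker in a boot log, and one that compares a saved rules file against an iptables-save dump and lists the rules that are not actually live. All file paths and the sample rules and dumps are constructed assumptions; only the first boot-log line is taken from the report.

```shell
#!/bin/sh
# Added example, not from the bug report or from iptables-persistent.
# Two checks for the fail-open condition described in the report: the init
# script reports "done." while it has silently skipped loading the rules.
# (1) log_shows_skipped: detect the skip marker in a boot log.
# (2) rules_loaded / missing_rules: compare the saved ruleset with the live one.
# File paths and sample contents below are constructed assumptions.

# log_shows_skipped LOGFILE: exit 0 if the boot log records a skipped load.
log_shows_skipped() {
    grep -q 'Loading iptables rules.*skipping IPv[46] (no module loaded)' "$1"
}

# normalize_rules FILE: drop comments, packet/byte counters and blank lines,
# then sort, so a rules.v4 file and an iptables-save dump compare like for like.
# (Comment stripping is naive and assumes no '#' inside rule arguments.)
normalize_rules() {
    sed -e 's/#.*$//' -e 's/\[[0-9]*:[0-9]*\]//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | LC_ALL=C sort
}

# missing_rules SAVED LIVE: print lines present in SAVED but absent from LIVE.
missing_rules() {
    saved_n=$(mktemp); live_n=$(mktemp)
    normalize_rules "$1" > "$saved_n"
    normalize_rules "$2" > "$live_n"
    LC_ALL=C comm -23 "$saved_n" "$live_n"
    rm -f "$saved_n" "$live_n"
}

# rules_loaded SAVED LIVE: exit 0 only if every saved rule is in the live set.
rules_loaded() {
    [ "$(missing_rules "$1" "$2" | wc -l | tr -d ' ')" -eq 0 ]
}

# --- constructed sample data ---------------------------------------------
SAMPLE_DIR=$(mktemp -d)

# First line is the boot log line from the report; the second is constructed.
cat > "$SAMPLE_DIR/boot.log" <<'EOF'
Wed Aug 17 13:17:07 2011: Loading iptables rules... skipping IPv4 (no module loaded)... skipping IPv6 (no module loaded)...done.
Wed Aug 17 13:17:07 2011: Setting kernel variables ...done.
EOF

# A constructed rules.v4 that the administrator expects to be active.
cat > "$SAMPLE_DIR/rules.v4" <<'EOF'
# constructed sample ruleset
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Constructed iptables-save output after the buggy boot: kernel defaults only.
cat > "$SAMPLE_DIR/live-after-bug.txt" <<'EOF'
# constructed iptables-save output
*filter
:INPUT ACCEPT [12:840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9:720]
COMMIT
EOF

# Constructed iptables-save output when the rules did load.
cat > "$SAMPLE_DIR/live-ok.txt" <<'EOF'
# constructed iptables-save output
*filter
:INPUT DROP [3:180]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [41:3276]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

# On a real host you would dump the live set first, e.g.
#   iptables-save > /tmp/live.txt; rules_loaded /etc/iptables/rules.v4 /tmp/live.txt
if log_shows_skipped "$SAMPLE_DIR/boot.log"; then
    echo "boot log: iptables rule load was skipped"
fi
if ! rules_loaded "$SAMPLE_DIR/rules.v4" "$SAMPLE_DIR/live-after-bug.txt"; then
    echo "live ruleset is missing these saved rules:"
    missing_rules "$SAMPLE_DIR/rules.v4" "$SAMPLE_DIR/live-after-bug.txt"
fi
```

Run against the constructed "after the bug" dump, the comparison reports the two DROP policies and all three accept rules as missing, which is the fail-open state the report is worried about; against the "rules loaded" dump it reports nothing. The comparison is the check worth wiring into monitoring after boot, since it does not depend on what the init script claims.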