Linux Kernel Netfilter Connection Tracking Sequence Adjustment Vulnerability for NAT FTP Traffic

Vulnerability

A vulnerability in the Linux kernel's netfilter connection tracking can disrupt FTP traffic using PASV or EPSV modes. This issue arises because the NAT (Network Address Translation) process needs to modify the packet payload, including IP and port information, on the FTP control connection. Such modifications can lead to incorrect TCP segment lengths and sequence/acknowledgment numbers. The vulnerability is most easily reproduced with an FTP connection in PASV mode, using a specific netfilter ruleset that manages FTP NAT handling. When the NAT adjustments are applied, the FTP connection fails, and the kernel logs indicate a missing sequence adjustment extension, highlighting the problem with the current NAT handling for FTP connections.

Impact

The vulnerability causes FTP NAT operations to malfunction, leading to disrupted file transfer sessions. When a client attempts to use PASV mode, the server closes the connection, citing unavailability of the service, which interrupts the expected file transfer process.

Reproduction

To reproduce this vulnerability, set up a Linux system with the affected kernel version and configure a netfilter ruleset that directs FTP traffic through NAT. Assign the FTP conntrack helper after setting up the NAT rules to ensure the sequence adjustment extension is not applied. Then, initiate an FTP connection in PASV mode. The connection will fail, and the kernel logs will show a warning about the missing sequence adjustment, confirming the vulnerability.
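The following Python model is an added illustration, not kernel code and not part of the original advisory. It shows the mechanism behind the Vulnerability section and the failure observed in the reproduction above: when the FTP NAT helper rewrites the address in a 227 (PASV) reply, the control-connection payload changes length, and every later sequence number from the server and every acknowledgment from the client must be shifted by that difference. The SeqAdj/Conntrack classes are a simplified, constructed rendering of the per-direction correction record that the kernel's sequence adjustment extension keeps; the 227 reply, the NAT addresses and the sequence numbers are constructed sample values. Running simulate() with and without the adjustment shows the numbers lining up in one case and diverging in the other, which is the condition under which the session stalls.

```python
"""Constructed model of TCP sequence adjustment for NAT-rewritten FTP control
traffic. Added illustration; this is not the kernel's implementation."""
import re
from dataclasses import dataclass, field

ORIG, REPLY = 0, 1  # conntrack directions: original (client->server), reply (server->client)

# Matches the host/port tuple in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(rb"^227 .*?\((\d+,\d+,\d+,\d+,\d+,\d+)\)", re.M)


def rewrite_pasv(payload, nat_ip, nat_port):
    """Rewrite the address tuple of a 227 reply as an FTP NAT helper must.
    Returns (new_payload, length_delta); the delta is what later sequence
    numbers on this connection have to absorb."""
    m = PASV_RE.search(payload)
    if m is None:
        return payload, 0
    octets = nat_ip.split(".")
    new_tuple = ",".join(octets + [str(nat_port // 256), str(nat_port % 256)]).encode()
    new_payload = payload[:m.start(1)] + new_tuple + payload[m.end(1):]
    return new_payload, len(new_payload) - len(payload)


@dataclass
class SeqAdj:
    """Per-direction correction record (simplified model of the kernel's
    seqadj extension): segments whose sequence number is at or before
    correction_pos get offset_before, later ones get offset_after."""
    correction_pos: int = 0
    offset_before: int = 0
    offset_after: int = 0


@dataclass
class Conntrack:
    seqadj: list = field(default_factory=lambda: [SeqAdj(), SeqAdj()])  # one per direction

    def record_change(self, direction, seq, delta):
        """Register that the payload of the segment starting at `seq` in
        `direction` grew/shrank by `delta` bytes. Changes accumulate."""
        adj = self.seqadj[direction]
        adj.offset_before = adj.offset_after
        adj.correction_pos = seq
        adj.offset_after += delta

    def adjust(self, direction, seq, ack):
        """Translate the seq/ack pair of a segment travelling in `direction`:
        its seq is shifted by this direction's record, its ack is un-shifted
        by the opposite direction's record (the peer acks rewritten bytes)."""
        this_way = self.seqadj[direction]
        other_way = self.seqadj[1 - direction]
        seqoff = this_way.offset_after if seq > this_way.correction_pos else this_way.offset_before
        if ack - other_way.offset_before > other_way.correction_pos:
            ackoff = other_way.offset_after
        else:
            ackoff = other_way.offset_before
        return seq + seqoff, ack - ackoff


def simulate(with_seqadj):
    """Walk one PASV exchange through NAT and report whether the sequence
    numbers each side observes are consistent with what the peer sent."""
    ct = Conntrack()
    reply = b"227 Entering Passive Mode (10,0,0,5,195,80)\r\n"   # constructed: server 10.0.0.5:50000
    server_seq = 1000                                            # constructed seq of the 227 segment
    natted, delta = rewrite_pasv(reply, "203.0.113.7", 50000)    # constructed public mapping
    if with_seqadj:
        ct.record_change(REPLY, server_seq, delta)
    client_expects = server_seq + len(natted)   # client's next expected seq, and what it will ack
    server_next = server_seq + len(reply)       # server's actual next seq
    next_seq_seen_by_client, _ = ct.adjust(REPLY, server_next, 0)
    _, ack_seen_by_server = ct.adjust(ORIG, 5000, client_expects)
    return {
        "delta": delta,
        "client_expects": client_expects,
        "server_next": server_next,
        "next_seq_seen_by_client": next_seq_seen_by_client,
        "ack_seen_by_server": ack_seen_by_server,
        "consistent": (next_seq_seen_by_client == client_expects
                       and ack_seen_by_server == server_next),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("with seqadj" if flag else "without seqadj", simulate(flag))
```

With the adjustment record present, the server's next segment (seq 1045) reaches the client as 1048, exactly where the client expects it, and the client's ack of 1048 reaches the server as 1045. Without it, the client receives seq 1045 while expecting 1048 and the server receives an ack for 3 bytes it never sent, which is the kind of mismatch that leaves the control connection unusable once the payload has been rewritten.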

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official Linux documentation or through the package management system of the Linux distribution in use.

Added: Dec 16, 2025, 4:32 PM
Updated: Dec 16, 2025, 4:32 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       1.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.