CVE-2025-68206
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_ct: add seqadj extension for natted connections
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes. due to need to re-write packet payload (IP, port) on the ftp control connection. This can require changes to the TCP length and expected seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode. Example ruleset: table inet ftp_nat { ct helper ftp_helper { type "ftp" protocol tcp l3proto inet }
chain prerouting {
type filter hook prerouting priority 0; policy accept;
tcp dport 21 ct state new ct helper set "ftp_helper"
}
} table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; tcp dport 21 dnat ip prefix to ip daddr map { 192.168.100.1 : 192.168.13.2/32 } }
chain postrouting {
type nat hook postrouting priority 100 ; policy accept;
tcp sport 21 snat ip prefix to ip saddr map {
192.168.13.2 : 192.168.100.1/32 }
}
}
Note that the ftp helper gets assigned after the dnat setup.
The inverse (nat after helper assign) is handled by an existing check in nf_nat_setup_info() and will not show the problem.
Topoloy:
+——————-+ +———————————-+ | FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 | +——————-+ +———————————-+ | +———————–+ | Client: 192.168.100.2 | +———————–+
ftp nat changes do not work as expected in this case: Connected to 192.168.100.1. [..] ftp> epsv EPSV/EPRT on IPv4 off. ftp> ls 227 Entering passive mode (192,168,100,1,209,129). 421 Service not available, remote server has closed connection.
Kernel logs: Missing nfct_seqadj_ext_add() setup call WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41 [..] __nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat] nf_nat_ftp+0x142/0x280 [nf_nat_ftp] help+0x4d1/0x880 [nf_conntrack_ftp] nf_confirm+0x122/0x2e0 [nf_conntrack] nf_hook_slow+0x3c/0xb0 ..
Fix this by adding the required extension when a conntrack helper is assigned to a connection that has a nat binding.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < 83273af0b60c093ba0085c205864d8542e1b1653 | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < b19492c25eff04852e0cb58f9bb8238b6695ed2d | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < 4de80f0dc3868408dd7fe9817e507123c9dd8bb0 | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < b477ef7fa612fa45b6b3134d90d1eeb09396500a | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < 4ab2cd906e4e1a19ddbda6eb532851b0e9cda110 | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < 2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6 | affected |
| Linux | Linux | 1a64edf54f55d7956cf5a0d95898bc1f84f9b818 < 90918e3b6404c2a37837b8f11692471b4c512de2 | affected |
| Linux | Linux | 4.12 | affected |
| Linux | Linux | 0 < 4.12 | unaffected |
| Linux | Linux | 5.10.253 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.203 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.167 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.130 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.64 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.9 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/83273af0b60c093ba0085c205864d8542e1b1653
- https://git.kernel.org/stable/c/b19492c25eff04852e0cb58f9bb8238b6695ed2d
- https://git.kernel.org/stable/c/4de80f0dc3868408dd7fe9817e507123c9dd8bb0
- https://git.kernel.org/stable/c/b477ef7fa612fa45b6b3134d90d1eeb09396500a
- https://git.kernel.org/stable/c/4ab2cd906e4e1a19ddbda6eb532851b0e9cda110
- https://git.kernel.org/stable/c/2b52d89cbbb0dbe3e948d8d9a91e704316dccfe6
- https://git.kernel.org/stable/c/90918e3b6404c2a37837b8f11692471b4c512de2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.