| 2022-08-09 06:38:39 |
g1pi |
bug |
|
|
added bug |
| 2022-08-09 06:56:24 |
g1pi |
description |
Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables), which won't be restored until the next reboot.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b. |
Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables), which won't be restored until the next reboot, unless the sysadmin performs a systemctl reload/restart.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b. |
|
| 2022-08-10 06:07:06 |
g1pi |
information type |
Private Security |
Public Security |
|
| 2022-08-10 06:08:47 |
g1pi |
description |
Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables), which won't be restored until the next reboot, unless the sysadmin performs a systemctl reload/restart.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b. |
Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables.service), which won't be restored until the next reboot, unless the sysadmin performs a systemctl reload/restart.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b. |
|
| 2022-08-10 06:22:24 |
Alex Murray |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012613 |
|
| 2022-08-10 06:28:47 |
Alex Murray |
attachment added |
|
nftables_1.0.2-1ubuntu3.debdiff https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1984043/+attachment/5607600/+files/nftables_1.0.2-1ubuntu3.debdiff |
|
| 2022-08-10 08:26:52 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2022-08-11 03:27:59 |
Alex Murray |
description |
Given the text of the preinstall script in the ubuntu version of nftables (not in the debian version),
# cat /var/lib/dpkg/info/nftables.preinst
#!/bin/sh
set -e
# Automatically added by dh_installsystemd/13.6ubuntu1
if [ -z "${DPKG_ROOT:-}" ] && [ "$1" = upgrade ] && [ -d /run/systemd/system ] ; then
deb-systemd-invoke stop 'nftables.service' >/dev/null || true
fi
# End automatically added section
and the fact that there's no start or reload in the postinst script, upgrading or reinstalling the nftables package results in flushing the ruleset (as per the ExecStop variable in /lib/systemd/system/nftables.service), which won't be restored until the next reboot, unless the sysadmin performs a systemctl reload/restart.
As a consequence, machines can be left exposed to attacks after an upgrade, or become unreachable if e.g. the ruleset contains a rule that NATs an unusual port to the ssh port (blocked by an external fw).
nftables version: 1.0.2-1ubuntu2
ubuntu version: 22.04.1
Best regards
g.b. |
[Impact]
* When upgrading nftables, the nftables.service is stopped and not
restarted. As a result any rules which were configured previously
get cleared.
* Depending on what rules have been configured this could have a
variety of impacts from locking out SSH users to allowing unauthorized
access to various services or causing a denial of service against
various applications / services as well.
* This upload fixes the issue by ensuring the nftables.service is
restarted after being upgraded.
[Test Plan]
* Enable nftables.service in a bionic container / VM and configure a
simple rule:
apt install nftables
# edit /etc/nftables.conf to add the following under the output chain
# ip daddr 9.9.9.9 counter
systemctl enable nftables
systemctl start nftables
# check the custom output counter rule is present
nft list ruleset -s
* Upgrade the container / VM:
do-release-update
* Check the nftables service is still enabled and the custom rule
systemctl status nftables
nft list ruleset -s
[Where problems could occur]
* Since the service is already not restarted it is unlikely this will have any negative effect other than still not restarting the service if something goes wrong.
[Other Info]
* None |
|
| 2022-08-17 02:38:50 |
Chris Halse Rogers |
nftables (Ubuntu Jammy): status |
New |
Fix Committed |
|
| 2022-08-17 02:38:52 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-08-17 02:38:54 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
| 2022-08-17 02:38:58 |
Chris Halse Rogers |
tags |
patch |
patch verification-needed verification-needed-jammy |
|
| 2022-08-18 04:51:48 |
Alex Murray |
tags |
patch verification-needed verification-needed-jammy |
patch verification-done verification-done-jammy |
|
| 2022-08-25 04:39:25 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2022-08-25 04:40:23 |
Launchpad Janitor |
nftables (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
