{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-03-30T00:00:00", "descriptions": [{"lang": "en", "value": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-02-15T06:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[netfilter-devel] 20120330 Re: `iptables -m tcp --syn` doesn't do what the man says", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.spinics.net/lists/netfilter-devel/msg21248.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826702"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:42:31.646Z"}, "title": "CVE Program Container", "references": [{"name": "[netfilter-devel] 20120330 Re: `iptables -m tcp --syn` doesn't do what the man says", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.spinics.net/lists/netfilter-devel/msg21248.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826702"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2663", "datePublished": "2014-02-15T11:00:00", "dateReserved": "2012-05-14T00:00:00", "dateUpdated": "2024-08-06T19:42:31.646Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netfilter:iptables:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9907795-8B61-4CFF-A547-90F9C958A178", "versionEndIncluding": "1.4.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant."}, {"lang": "es", "value": "extensions/libxt_tcp.c en iptables hasta 1.4.21 no hace conincidir paquetes TCP SYN+FIN en reglas --syn, lo que podr\u00eda permitir a atacantes remotos evadir las restricciones de firewall a trav\u00e9s de paquetes manipulados. NOTA: la soluci\u00f3n de CVE-2012-6638 hace que este problema sea menos relevante."}], "id": "CVE-2012-2663", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-02-15T14:57:07.423", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.spinics.net/lists/netfilter-devel/msg21248.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826702"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "http://www.spinics.net/lists/netfilter-devel/msg21248.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826702"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "iptables: --syn flag bypass", "id": "826702", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=826702"}, "csaw": false, "cvss": {"cvss_base_score": "6.4", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "status": "draft"}, "details": ["extensions/libxt_tcp.c in iptables through 1.4.21 does not match TCP SYN+FIN packets in --syn rules, which might allow remote attackers to bypass intended firewall restrictions via crafted packets. NOTE: the CVE-2012-6638 fix makes this issue less relevant."], "mitigation": {"lang": "en:us", "value": "Instead of --syn use --tcp-flags SYN,RST,ACK SYN in your rulesets in case you want to also match packets with both SYN+FIN flags set."}, "name": "CVE-2012-2663", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Affected", "package_name": "iptables", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "iptables", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2011-12-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-2663\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-2663"], "statement": "This issue does affect Red Hat Enterprise Linux 5 and 6.\nThe risks in breaking compatability associated with fixing this flaw outweigh the benefits of the fix, therefore Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux 5 and 6.\nPlease note that the remote DoS issue in the way how Linux kernel treats SYN+FIN flags set is being handled under different CVE, CVE-2012-6638, and is planned to be fixed in all affected Red Hat Enterprise Linux releases.", "threat_severity": "Moderate"}