OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: FreeBSD Security Advisories (security-advisoriesFreeBSD.org)
Date: Mon Apr 16 2001 - 14:37:22 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----

    =============================================================================
    FreeBSD-SA-01:32 Security Advisory
                                                                    FreeBSD, Inc.

    Topic: IPFilter may incorrectly pass packets

    Category: core
    Module: IPFilter
    Announced: 2001-04-16
    Credits: Thomas Lopatic <thomaslopatic.de>
    Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                    FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the
                    correction date.
    Corrected: 2001-04-07 (FreeBSD 4.2-STABLE)
    Vendor status: Corrected
    FreeBSD only: NO

    I. Background

    IPFilter is a multi-platform packet filtering package.

    II. Problem Description

    When matching a packet fragment, insufficient checks were performed
    to ensure the fragment is valid. In addition, the fragment cache is
    checked before any rules are checked. Even if all fragments are
    blocked with a rule, fragment cache entries can be created by
    packets that match currently held state information. Because of
    these discrepancies, certain packets may bypass filtering rules.

    All versions of FreeBSD prior to the correction date, including
    FreeBSD 3.5.1 and 4.2, contain this problem. The base system that
    will ship with FreeBSD 4.3 does not contain this problem since it
    was corrected during the beta cycle before the release.

    III. Impact

    Malicious remote users may be able to bypass filtering rules, allowing
    them to potentially circumvent the firewall.

    IPFilter is not enabled by default. If you have not enabled IPFilter,
    your system is not vulnerable to this problem.

    IV. Workaround

    Since fragment cache matching occurs before filtering rules checking,
    it is not possible to work around this problem using IPFilter rules.

    V. Solution

    [FreeBSD 3.x]

    Due to the age of the IPFilter package shipped with FreeBSD 3.x, it
    is recommended that FreeBSD 3.x systems update to IPFilter 3.4.17
    using the package available from the authors website:
    http://coombs.anu.edu.au/~avalon/ip-filter.html

    [FreeBSD 4.x]

    One of the following:

    1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

    2) Download the patch and detached PGP signature from the following
    location:

    The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.

    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch.asc

    Verify the detached signature using your PGP utility.

    Issue the following commands as root:

    # cd /usr/src
    # patch -p < /path/to/patch

    If the system is using ipfilter as a kernel module, the module may be
    rebuilt and installed and ipfilter rules reloaded with the following
    commands:

    # cd /usr/src/sys/modules/ipfilter
    # make all install
    # kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

    Otherwise, if ipfilter is compiled into the kernel, a new kernel will
    need to be compiled and installed and the system will have to be
    rebooted for the changes to take effect.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    iQCVAwUBOttI71UuHi5z0oilAQHKwwP8CfuhsJA8z78zOJCLSGWPAJSgsi9aFvP7
    oVd4eKkVHgHI5hC5QTRgOGg84KncXUu7DJjlOlZ+6nVxcxdp4DED/yRTWjqc14og
    guP3SBAcJwH5y44ZW/VV+LlbNJue77Igkq1u3dran6TPBMdiUeRIRsj0acn6k1nc
    ATwy7N0Ade8=
    =Wujh
    -----END PGP SIGNATURE-----

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message