Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: FreeBSD Security Advisories (security-advisoriesFreeBSD.org)
Date: Mon Apr 16 2001 - 14:37:22 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]


    FreeBSD-SA-01:32 Security Advisory
                                                                    FreeBSD, Inc.

    Topic: IPFilter may incorrectly pass packets

    Category: core
    Module: IPFilter
    Announced: 2001-04-16
    Credits: Thomas Lopatic <thomaslopatic.de>
    Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                    FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the
                    correction date.
    Corrected: 2001-04-07 (FreeBSD 4.2-STABLE)
    Vendor status: Corrected
    FreeBSD only: NO

    I. Background

    IPFilter is a multi-platform packet filtering package.

    II. Problem Description

    When matching a packet fragment, insufficient checks were performed
    to ensure the fragment is valid. In addition, the fragment cache is
    checked before any rules are checked. Even if all fragments are
    blocked with a rule, fragment cache entries can be created by
    packets that match currently held state information. Because of
    these discrepancies, certain packets may bypass filtering rules.

    All versions of FreeBSD prior to the correction date, including
    FreeBSD 3.5.1 and 4.2, contain this problem. The base system that
    will ship with FreeBSD 4.3 does not contain this problem since it
    was corrected during the beta cycle before the release.

    III. Impact

    Malicious remote users may be able to bypass filtering rules, allowing
    them to potentially circumvent the firewall.

    IPFilter is not enabled by default. If you have not enabled IPFilter,
    your system is not vulnerable to this problem.

    IV. Workaround

    Since fragment cache matching occurs before filtering rules checking,
    it is not possible to work around this problem using IPFilter rules.

    V. Solution

    [FreeBSD 3.x]

    Due to the age of the IPFilter package shipped with FreeBSD 3.x, it
    is recommended that FreeBSD 3.x systems update to IPFilter 3.4.17
    using the package available from the authors website:

    [FreeBSD 4.x]

    One of the following:

    1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

    2) Download the patch and detached PGP signature from the following

    The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.

    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch.asc

    Verify the detached signature using your PGP utility.

    Issue the following commands as root:

    # cd /usr/src
    # patch -p < /path/to/patch

    If the system is using ipfilter as a kernel module, the module may be
    rebuilt and installed and ipfilter rules reloaded with the following

    # cd /usr/src/sys/modules/ipfilter
    # make all install
    # kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

    Otherwise, if ipfilter is compiled into the kernel, a new kernel will
    need to be compiled and installed and the system will have to be
    rebooted for the changes to take effect.

    Version: GnuPG v1.0.4 (FreeBSD)
    Comment: For info see http://www.gnupg.org

    -----END PGP SIGNATURE-----

    To Unsubscribe: send mail to majordomoFreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message