Date: Tue, 23 Jan 2001 18:47:08 -0800 (PST)
From: Todd Backman <todd@flyingcroc.net>
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
Message-ID: <Pine.BSF.4.21.0101231844570.74018-100000@security1.noc.flyingcroc.net>
In-Reply-To: <20010123210823.349E837B402@hub.freebsd.org>
Anyone else failing here?:

Patching file sys/netinet/ip_fw.c using Plan A...
Hunk #1 succeeded at 244.
Hunk #2 failed at 1214.

Thanks.

- Todd

On Tue, 23 Jan 2001, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:08                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          ipfw/ip6fw allows bypassing of 'established' keyword
>
> Category:       core
> Module:         kernel
> Announced:      2001-01-23
> Credits:        Aragon Gouveia <aragon@phat.za.net>
> Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                 FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
>                 correction date.
> Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
>                 2001-01-12 (FreeBSD 3.5-STABLE)
> FreeBSD only:   Yes
>
> I.   Background
>
> ipfw is a system facility which allows IP packet filtering,
> redirecting, and traffic accounting. ip6fw is the corresponding
> utility for IPv6 networks, included in FreeBSD 4.0 and above. It is
> based on an old version of ipfw and does not contain as many features.
>
> II.  Problem Description
>
> Due to overloading of the TCP reserved flags field, ipfw and ip6fw
> incorrectly treat all TCP packets with the ECE flag set as being part
> of an established TCP connection, which will therefore match a
> corresponding ipfw rule containing the 'established' qualifier, even
> if the packet is not part of an established connection.
>
> The ECE flag is not believed to be in common use on the Internet at
> present, but is part of an experimental extension to TCP for
> congestion notification. At least one other major operating system
> will emit TCP packets with the ECE flag set under certain operating
> conditions.
>
> Only systems which have enabled ipfw or ip6fw and use a ruleset
> containing TCP rules which make use of the 'established' qualifier,
> such as "allow tcp from any to any established", are vulnerable. The
> exact impact of the vulnerability on such systems is undetermined and
> depends on the exact ruleset in use.
>
> All released versions of FreeBSD prior to the correction date
> including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
> corrected prior to the (future) release of FreeBSD 4.3.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security-notifications" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
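The advisory attributes the problem to "overloading of the TCP reserved flags field": the ECE bit (0x40) lives in what pre-ECN code treated as reserved, and a filter that keeps its own 'established' marker in the same byte as the real TCP flags can mistake a segment carrying ECE for one carrying that marker. The following is an added illustration of that bug class and of the usual fix (decide 'established' from ACK/RST alone and mask the packet's flags to the six classic bits before any comparison). It is not FreeBSD's ip_fw.c and not the advisory's patch; the rule-side pseudo-flag value `RULE_ESTAB`, the `struct tcp_rule` layout and the sample headers are assumptions constructed for the example.

```c
/* Added example, not code from FreeBSD's ip_fw.c: models how an
 * 'established' pseudo-flag sharing a bit with TCP's ECE bit lets a
 * SYN+ECE segment match an 'established' rule, and how masking the
 * packet's flags to the six classic bits corrects the classification.
 * The pseudo-flag encoding (RULE_ESTAB) is an assumption for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real TCP flag bits, as carried in byte 13 of the TCP header. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo, carved out of the old reserved field (RFC 3168) */
#define TH_CWR  0x80   /* Congestion Window Reduced */

/* The six flags a pre-ECN filter knew about. */
#define TH_CLASSIC (TH_FIN | TH_SYN | TH_RST | TH_PUSH | TH_ACK | TH_URG)

/* Assumed rule-side encoding: the 'established' qualifier is stored as a
 * pseudo-flag in the same byte as the real flags and lands on 0x40, the
 * very bit that ECE occupies on the wire. */
#define RULE_ESTAB 0x40

struct tcp_rule {
    uint8_t want_set;    /* flags that must be set (may include RULE_ESTAB) */
    uint8_t want_clear;  /* flags that must be clear */
};

/* Pull the flags byte out of a raw TCP header; -1 if the buffer is too short. */
int tcp_flags_of(const uint8_t *hdr, size_t len)
{
    if (len < 20)
        return -1;
    return hdr[13];
}

/* Flawed matcher: compares the raw packet flags against the rule mask, so a
 * segment whose ECE bit is set "satisfies" RULE_ESTAB even without ACK/RST. */
int match_flawed(uint8_t flags, const struct tcp_rule *r)
{
    if ((r->want_set & RULE_ESTAB) && (flags & (TH_ACK | TH_RST)))
        return 1;                            /* genuinely established */
    if ((flags & r->want_set) != r->want_set)
        return 0;
    if (flags & r->want_clear)
        return 0;
    return 1;
}

/* Fixed matcher: 'established' is decided only by ACK/RST, and the
 * pseudo-flag is stripped from the rule while ECE/CWR are stripped from
 * the packet before the real flags are compared. */
int match_fixed(uint8_t flags, const struct tcp_rule *r)
{
    uint8_t real_set = r->want_set & TH_CLASSIC;
    if ((r->want_set & RULE_ESTAB) && !(flags & (TH_ACK | TH_RST)))
        return 0;                            /* SYN, SYN+ECE, ...: not established */
    flags &= TH_CLASSIC;                     /* ECE and CWR never influence a match */
    if ((flags & real_set) != real_set)
        return 0;
    if (flags & r->want_clear)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed 20-byte TCP headers: src port 40000, dst port 22, no options.
     * syn_ece is an ECN-capable connection opener (SYN|ECE); ack is mid-stream. */
    uint8_t syn_ece[20] = {0x9c,0x40, 0x00,0x16, 0,0,0,1, 0,0,0,0, 0x50, TH_SYN|TH_ECE, 0xff,0xff, 0,0, 0,0};
    uint8_t ack[20]     = {0x9c,0x40, 0x00,0x16, 0,0,0,2, 0,0,0,2, 0x50, TH_ACK,        0xff,0xff, 0,0, 0,0};
    struct tcp_rule estab = { RULE_ESTAB, 0 };   /* "allow tcp from any to any established" */

    int f1 = tcp_flags_of(syn_ece, sizeof syn_ece);
    int f2 = tcp_flags_of(ack, sizeof ack);
    printf("SYN+ECE: flawed=%d fixed=%d\n", match_flawed((uint8_t)f1, &estab), match_fixed((uint8_t)f1, &estab));
    printf("ACK:     flawed=%d fixed=%d\n", match_flawed((uint8_t)f2, &estab), match_fixed((uint8_t)f2, &estab));
    return 0;
}
```

The defensive lesson is the one the advisory implies: a filter must never let bits it does not understand (reserved or newly assigned, such as ECE/CWR) participate in a match, and a qualifier like 'established' should be evaluated as its own predicate on ACK/RST rather than folded into the same bitmask as the wire flags.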