Date: Tue, 23 Jan 2001 18:47:08 -0800 (PST)
From: Todd Backman
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw
In-Reply-To: <20010123210823.349E837B402@hub.freebsd.org>

Anyone else failing here?:

Patching file sys/netinet/ip_fw.c using Plan A...
Hunk #1 succeeded at 244.
Hunk #2 failed at 1214.

Thanks.

- Todd

On Tue, 23 Jan 2001, FreeBSD Security Advisories wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-01:08                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          ipfw/ip6fw allows bypassing of 'established' keyword
>
> Category:       core
> Module:         kernel
> Announced:      2001-01-23
> Credits:        Aragon Gouveia
> Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
>                 FreeBSD 3.5-STABLE and 4.2-STABLE prior to the
>                 correction date.
> Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
>                 2001-01-12 (FreeBSD 3.5-STABLE)
> FreeBSD only:   Yes
>
> I.   Background
>
> ipfw is a system facility which allows IP packet filtering,
> redirecting, and traffic accounting.  ip6fw is the corresponding
> utility for IPv6 networks, included in FreeBSD 4.0 and above.  It is
> based on an old version of ipfw and does not contain as many features.
>
> II.  Problem Description
>
> Due to overloading of the TCP reserved flags field, ipfw and ip6fw
> incorrectly treat all TCP packets with the ECE flag set as being part
> of an established TCP connection, which will therefore match a
> corresponding ipfw rule containing the 'established' qualifier, even
> if the packet is not part of an established connection.
>
> The ECE flag is not believed to be in common use on the Internet at
> present, but is part of an experimental extension to TCP for
> congestion notification.  At least one other major operating system
> will emit TCP packets with the ECE flag set under certain operating
> conditions.
>
> Only systems which have enabled ipfw or ip6fw and use a ruleset
> containing TCP rules which make use of the 'established' qualifier,
> such as "allow tcp from any to any established", are vulnerable.  The
> exact impact of the vulnerability on such systems is undetermined and
> depends on the exact ruleset in use.
>
> All released versions of FreeBSD prior to the correction date
> including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was
> corrected prior to the (future) release of FreeBSD 4.3.
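Added illustration, written for this archive page and not taken from the advisory or from FreeBSD's ip_fw.c: a simplified model of the flag overloading the advisory describes, with the vulnerable matcher beside a corrected one. It assumes the pre-fix design stored the rule's 'established' marker as bit 0x40 of the same byte that holds required TCP flags, the bit the ECN extension later assigned to ECE; the corrected matcher keeps 'established' in its own field and decides it from RST/ACK alone.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits, same values as <netinet/tcp.h> */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo: one of the formerly reserved bits */

/* Assumed pre-fix encoding: 'established' lives in the required-flags byte
 * and happens to use the same bit value as TH_ECE. */
#define RULE_TCPF_ESTAB 0x40

struct rule {
    uint8_t tcpf;  /* TCP flags that must be set (pre-fix: ESTAB bit too) */
    uint8_t tcpnf; /* TCP flags that must be clear */
    int     estab; /* post-fix: 'established' kept out of the flag byte */
};

/* The same "allow tcp from any to any established" rule, encoded both ways
 * (constructed sample rules). */
const struct rule rule_established_old = { RULE_TCPF_ESTAB, 0, 0 };
const struct rule rule_established_new = { 0, 0, 1 };

/* Vulnerable matcher: a packet lacking RST/ACK falls through to the
 * required-flags comparison, where a set ECE bit satisfies the ESTAB bit. */
int match_vulnerable(const struct rule *r, uint8_t th_flags)
{
    if ((r->tcpf & RULE_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return 1;                                 /* truly established */
    if ((th_flags & r->tcpf) != r->tcpf) return 0; /* ECE passes here */
    if (th_flags & r->tcpnf) return 0;
    return 1;
}

/* Corrected matcher: 'established' is decided only by RST/ACK presence,
 * so the ECE bit can no longer stand in for it. */
int match_fixed(const struct rule *r, uint8_t th_flags)
{
    if (r->estab)
        return (th_flags & (TH_RST | TH_ACK)) != 0;
    if ((th_flags & r->tcpf) != r->tcpf) return 0;
    if (th_flags & r->tcpnf) return 0;
    return 1;
}

int main(void)
{
    uint8_t syn_ece = TH_SYN | TH_ECE;  /* constructed: bare SYN with ECE */
    printf("SYN+ECE vs established: old=%d fixed=%d\n",
           match_vulnerable(&rule_established_old, syn_ece),
           match_fixed(&rule_established_new, syn_ece));
    return 0;
}
```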