Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2001.354 -- FreeBSD-SA-01:53.ipfw ipfw `me' on P2P interfaces matches remote address 20 August 2001 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ipfw Vendor: FreeBSD Operating System: FreeBSD 4-STABLE after February 20, 2001 and prior to the correction date FreeBSD 4.3-RELEASE Impact: Reduced Security Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:53 Security Advisory FreeBSD, Inc. Topic: ipfw `me' on P2P interfaces matches remote address Category: core Module: ipfw Announced: 2001-08-17 Credits: Igor M Podlesny <poige@morning.ru> Affects: FreeBSD 4-STABLE after February 20, 2001 and prior to the correction date FreeBSD 4.3-RELEASE Corrected: 2001-07-17 10:50:01 UTC (FreeBSD 4.3-STABLE) 2001-07-18 06:56:23 UTC (RELENG_4_3) FreeBSD only: YES I. Background ipfw is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ipfw `me' rules are filter rules that specify a source or destination address of `me', intended to match any IP address configured on a local interface. II. Problem Description A flaw in the implementation of the ipfw `me' rules when used in conjunction with point-to-point interfaces results in filter rules which match the remote IP address of the point-to-point interface in addition to the intended local IP address. III. Impact IP datagrams with a source or destination IP address of a remote point-to-point link may be handled in a way unintended by the system administrator. For example, given an interface such as tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500 inet 1.1.1.1 --> 2.2.2.2 netmask 0xff000000 and this ipfw rule: 00010 allow ip from me to any packets with a source address of 2.2.2.2 would be allowed to pass when the administrator may have reasonably expected it not to match this rule. IV. Workaround Do not use ipfw `me' rules. Rewrite any existing `me' rules to use explicit IP addresses. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 4.x systems prior to the correction date: The following patches have been verified to apply to FreeBSD 4.3-RELEASE and 4-STABLE dated prior to the correction date. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch.asc # cd /usr/src # patch -p < /path/to/patch # install -c -m 0444 -o root -g wheel /usr/src/sys/netinet/in_var.h /usr/include/netinet/ # cd /usr/src/sbin/ipfw # make depend && make all install The following steps will be different depending upon whether your system has ipfw compiled into the kernel or is using the ipfw KLD. If the output of `kldstat' includes `ipfw.ko', then you are using the KLD and should follow the directions listed in (2a) below. Otherwise, if your kernel configuration file contains the line `options IPFIREWALL', you should follow the directions listed in (2b) below. 2a) Execute the following commands as root: # cd /usr/src/sys/modules/ipfw # make depend && make all install 2b) Rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html In either case 2a) or 2b), you must reboot your system to load the new module or kernel. 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-ipfw-01:53.tgz Restart your system after applying the patch. VI. Correction details The following list contains the $FreeBSD$ revision numbers of each file that was corrected, for the supported branches of FreeBSD. The $FreeBSD$ revision of installed sources can be examined using the ident(1) command. [FreeBSD 4.3-STABLE] Revision Path 1.33.4.1 src/sys/netinet/in_var.h [RELENG_4_3] Revision Path 1.33.2.2 src/sys/netinet/in_var.h VII. References <URL:http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/in_var.h#rev1.39> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO32OK1UuHi5z0oilAQGFaAQAoeOYBYHehpMs28K1K4BKneLF4/KBfel/ NGmGslQVe4DHxiIfV2WWyQw1KjH/N8NSOiBsri8+pMZkFaOyBw1Q41vUCd+2pZW1 97qYWj6aWjIlpNm9/zOPnWN6smge4OZ7UCqX1+VsP6nf8VBrEfOYl44hl82oCMk9 S9NvqSOqDsI= =HqMM - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBO4DqIyh9+71yA2DNAQGrmwP/UMcAGaWxdgEUxvePeU7yiw2Y4jDsha+/ UCTq4QJlNEQNTDSlY0erXy2GErns/1vZzxfM+tNJH6F+E7fUxxqgPu1K2zEkTnrN MxeGQelaBZ6yYCT7cJMnsHprWZvf492psJ+UK8j970Jpu4/NQs7Qk40AAbTPtK7H fuzW0ff0LaQ= =ncZL -----END PGP SIGNATURE-----