COMMAND
IPFilter
SYSTEMS AFFECTED
Systems using IPFilter (all *BSD for sure)
PROBLEM
The following is based on the Obfuscation Research Laboratories
security advisory. A weakness exists in the IPFilter firewalling
package in all versions up to and including 3.3.15 and 3.4.3 that
allows an attacker to penetrate the firewall when a common, yet
admittedly flawed, configuration is used.
If IPFilter rulesets are constructed such that "return-rst" and
"keep state" overlap, e.g.:
block return-rst in proto tcp from A to V
pass out proto tcp from V' to A' keep state
where A, A', V and V' are hostmasks that can include "any", the
attacker matches A and A', and the victim matches V and V', the
attacker may exploit a race condition in the state table generation
code. The race results from fr_addstate() wrongly creating a new
state entry for the outgoing RST packet generated by the
"return-rst" rule. If a new SYN packet arrives before the state
entry created by the RST expires, that entry allows the SYN packet
to pass through the firewall, and the explicit permissiveness of a
"pass out all keep state" or similar rule then allows the SYN-ACK
and all subsequent ACKs to create new state entries. The attacker
merely needs to ignore the RSTs that are being sent to him and
continue to attack the victim.
SOLUTION
A patch has been made available for all versions of IPFilter that
prevents fr_addstate() from creating a state entry when triggered
by a RST packet. This patch has been incorporated into IPFilter
releases 3.3.16 and 3.4.4.
If you are unable to patch your systems, remove all "return-rst"
keywords or replace the rule which adds state for all outbound TCP
packets:
pass out proto tcp ... keep state # No TCP flags matched upon!
with the following three rules:
pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state
This preserves the current behavior of allowing state to be created
both by connections which are already open and by new connections,
so long as at least the ACK bit is set in the TCP header. The use
of the single rule above, which matches all TCP packets regardless
of flag settings, is strongly discouraged.
If you use a single rule such as this:
pass out proto tcp/udp ... keep state
then you must replace it with these four rules:
pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state
pass out proto udp ... keep state
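As an added example (not from the advisory or from IPFilter itself), a small Python checker that scans an ipf ruleset for the overlap described above: a "block return-rst in" TCP rule paired with a "pass out proto tcp ... keep state" rule that has no "flags" clause, so the firewall's own RST can seed a state entry. It handles the "tcp/udp" single-rule case too. The hostmask overlap test is a deliberate simplification (only "any" and identical masks are treated as overlapping), and the sample rulesets and the address 10.0.0.5 are constructed.

```python
import re
# Subset of ipf rule syntax sufficient for the rules discussed in the advisory.
RULE_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<rr>return-rst\s+)?(?P<dir>in|out)\s+(?:quick\s+)?"
    r"proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?(?P<ks>\s+keep\s+state)?\s*$")

def parse_rule(line: str):
    """Parse one ipf line into a dict, or return None for comments/unsupported syntax."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line)
    if not m:
        return None
    return {"action": m["action"], "dir": m["dir"], "return_rst": bool(m["rr"]),
            "protos": set(m["proto"].split("/")),   # "tcp/udp" covers both
            "src": m["src"], "dst": m["dst"], "flags": m["flags"] or "",
            "keep_state": bool(m["ks"]), "text": line}

def masks_overlap(a: str, b: str) -> bool:
    # Simplification (assumption): only "any" and identical masks count as overlapping.
    return a == "any" or b == "any" or a == b

def flawed_pairs(ruleset: str) -> list:
    """Return (block rule, pass rule) pairs forming the return-rst / keep-state overlap."""
    rules = [r for r in map(parse_rule, ruleset.splitlines()) if r]
    blocks = [r for r in rules if r["action"] == "block" and r["return_rst"]
              and r["dir"] == "in" and "tcp" in r["protos"]]
    # A pass-out TCP rule that keeps state with no flags clause also matches the RST.
    passes = [r for r in rules if r["action"] == "pass" and r["dir"] == "out"
              and "tcp" in r["protos"] and r["keep_state"] and not r["flags"]]
    found = []
    for b in blocks:
        for p in passes:
            # The RST leaves from the blocked packet's destination back to its source,
            # so it is matched against the pass rule with src and dst swapped.
            if masks_overlap(b["dst"], p["src"]) and masks_overlap(b["src"], p["dst"]):
                found.append((b["text"], p["text"]))
    return found
# Constructed sample rulesets; 10.0.0.5 stands in for the victim host V.
WEAK = """\
block return-rst in proto tcp from any to 10.0.0.5
pass out proto tcp/udp from 10.0.0.5 to any keep state   # no TCP flags matched
"""
HARDENED = """\
block return-rst in proto tcp from any to 10.0.0.5
pass out quick proto tcp from 10.0.0.5 to any flags R/R
pass out proto tcp from 10.0.0.5 to any flags AR/A keep state
pass out proto tcp from 10.0.0.5 to any flags S keep state
pass out proto udp from 10.0.0.5 to any keep state
"""
```

Running flawed_pairs over WEAK reports the single offending pair, while the HARDENED ruleset (the four-rule replacement from the advisory) reports none.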
*** ip_state.c.old Fri May 19 11:54:43 2000
--- ip_state.c Sun May 21 15:50:11 2000
***************
*** 558,567 ****
--- 558,569 ----
}
case IPPROTO_TCP :
{
tcp = (tcphdr_t *)fin->fin_dp;
+ if (tcp->th_flags & TH_RST) return NULL;
+
/*
* The endian of the ports doesn't matter, but the ack and
* sequence numbers do as we do mathematics on them later.
*/
is->is_dport = tcp->th_dport;
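Review bot: the early `return NULL` on a TCP segment with TH_RST set sits after `is` is already in hand (it is written to just below at `is->is_dport = tcp->th_dport;`); if that state structure was allocated earlier in fr_addstate() rather than taken from a static pool, the early return leaks it, so either confirm the allocation path or move the check ahead of the allocation. A one-line comment next to the check saying that an RST never legitimately opens a connection and must not seed a state entry would also help the next reader, since the surrounding code only comments on byte order.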
The latest source releases of IPFilter can be obtained at:
http://coombs.anu.edu.au/~avalon/ip-filter.html
In addition, FreeBSD, NetBSD, and OpenBSD contain IPFilter in
their operating systems, and patches have been applied to the
following:
FreeBSD 3-stable, FreeBSD 4-stable, FreeBSD-current, NetBSD-current
and OpenBSD 2.7-current.
Errata patches are also available for the following:
NetBSD-1.4, OpenBSD 2.6-base, and OpenBSD 2.7-base