[Please upgrade Shorewall 2.2.0 onwards on all distributions. Vendor packages should be available soon; in the meantime directions for mitigating the vulnerability are given in the mail -- Raju]
This is an RFC 1153 digest. (1 message) ---------------------------------------------------------------------- Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-FYJLcprwuuOcCmDQ9T7H" Message-Id: <[EMAIL PROTECTED]> From: Patrick Blitz <[EMAIL PROTECTED]> To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk Subject: Shorewall MACLIST Problem Date: Mon, 18 Jul 2005 01:24:25 +0200 --=-FYJLcprwuuOcCmDQ9T7H Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Shorewall MACLIST Rules-Override Problem ------------------------------------ Release Date: 17.07.05 Severity: High Affected Version: Shorewall 2.2.x and 2.4.x=20 ------------------------------------ Synopsis: A Problem has been reported in the Shorewall Firewall (http://shorewall.net) that enables a Client accepted by MAC-Filter to bypass any other rule. ----------------------------------- About Shorewall: The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.=20 (Take from http://www.shorewall.net) MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0 ------------------------------------ Describtion of the Issue: If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf =20 (Default is MACLIST_TTL=3D0 and MACLIST_DISPOSITION=3DREJECT), and a Client is Positivly Authenticated through his MAC Adress, he bypasses all other Policies/Rules in Place, thus gaining total access. ------------------------------------ Fix: Workaround:=20 Set MACLIST_TTL=3D0 and MACLIST_DISPOSITION=3DREJECT in /etc/shorewall/shorewall.conf, if you don't need it.=20 Update: For 2.4.x, the fixed Version is available at: http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/s= horewall-2.4.1/errata/firewall For 2.2.x, the fixed Version is available at: http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall This Issue doesn't apply to any Shorewall Version before 2.2.0.=20 Users of any Version before 2.2.5 are encouraged to updated to a newer Version (at least 2.2.5, better 2.4.1) of Shorewall.=20 Shorewall Version 2.0.x is still supported, but Users of 2.0.x are encouraged to upgrade to a newer version. Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to updated to a version better than 2.2.5, as Shorewall 1.x is not any more supported and maintained. ----------------------------------- Info: Timeline:=20 Report: 17.07.05 Confirmation: 17.07.05 Fix: 17.07.05 Disclosure: 17.07.06 Thanks to Supernaut for Reporting this to us,=20 and to Tom for fixing it that quick ------------------------------------ The Shorewall Team --=20 --=-FYJLcprwuuOcCmDQ9T7H Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQBC2uioa2l2cyeuKggRAvXQAJ0ccsLzJXDWmc4t+JBg5VfW8hBXVgCfV0tz 5qU2PppkcCQlmuY20KcOC1I= =vR3l -----END PGP SIGNATURE----- --=-FYJLcprwuuOcCmDQ9T7H-- ------------------------------ End of this Digest ****************** -- Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves _______________________________________________ ilugd mailinglist -- ilugd@lists.linux-delhi.org http://frodo.hserus.net/mailman/listinfo/ilugd Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
