lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <1121642665.2229.50.camel@amon-deb> Date: Mon Jul 18 00:22:29 2005 From: blitz at post891.org (Patrick Blitz) Subject: Shorewall MACLIST Problem Shorewall MACLIST Rules-Override Problem ------------------------------------ Release Date: 17.07.05 Severity: High Affected Version: Shorewall 2.2.x and 2.4.x ------------------------------------ Synopsis: A Problem has been reported in the Shorewall Firewall (http://shorewall.net) that enables a Client accepted by MAC-Filter to bypass any other rule. ----------------------------------- About Shorewall: The Shoreline Firewall, more commonly known as "Shorewall", is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. (Take from http://www.shorewall.net) MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0 ------------------------------------ Describtion of the Issue: If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf (Default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a Client is Positivly Authenticated through his MAC Adress, he bypasses all other Policies/Rules in Place, thus gaining total access. ------------------------------------ Fix: Workaround: Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf, if you don't need it. Update: For 2.4.x, the fixed Version is available at: http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall For 2.2.x, the fixed Version is available at: http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall This Issue doesn't apply to any Shorewall Version before 2.2.0. Users of any Version before 2.2.5 are encouraged to updated to a newer Version (at least 2.2.5, better 2.4.1) of Shorewall. Shorewall Version 2.0.x is still supported, but Users of 2.0.x are encouraged to upgrade to a newer version. Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to updated to a version better than 2.2.5, as Shorewall 1.x is not any more supported and maintained. ----------------------------------- Info: Timeline: Report: 17.07.05 Confirmation: 17.07.05 Fix: 17.07.05 Disclosure: 17.07.06 Thanks to Supernaut for Reporting this to us, and to Tom for fixing it that quick ------------------------------------ The Shorewall Team -- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050718/7f676d0d/attachment.bin
Powered by blists - more mailing lists