lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1121642665.2229.50.camel@amon-deb>
Date: Mon Jul 18 00:22:29 2005
From: blitz at post891.org (Patrick Blitz)
Subject: Shorewall MACLIST Problem

Shorewall MACLIST Rules-Override Problem
------------------------------------
Release Date: 17.07.05
Severity: High
Affected Version: Shorewall 2.2.x and 2.4.x 
------------------------------------
Synopsis:
A Problem has been reported in the Shorewall Firewall
(http://shorewall.net) that enables a Client accepted by MAC-Filter to
bypass any other rule.

-----------------------------------
About Shorewall:

The Shoreline Firewall, more commonly known as "Shorewall", is a
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system. 
(Take from http://www.shorewall.net)

MACLIST_TTL, the Parameter in Question, was introduced in Shorewall
2.2.0
------------------------------------

Describtion of the Issue:

If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION
is set to "ACCEPT" in /etc/shorewall/shorewall.conf  
(Default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a Client
is Positivly Authenticated through his MAC Adress, he bypasses all other
Policies/Rules in Place, thus gaining total access.

------------------------------------
Fix:

Workaround: 
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT
in /etc/shorewall/shorewall.conf, if you don't need it. 
Update:
For 2.4.x, the fixed Version is available at:
http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall

For 2.2.x, the fixed Version is available at:
http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall


This Issue doesn't apply to any Shorewall Version before 2.2.0. 
Users of any Version before 2.2.5 are encouraged to updated to a newer
Version (at least 2.2.5, better 2.4.1) of Shorewall. 
Shorewall Version 2.0.x is still supported, but Users of 2.0.x are
encouraged to upgrade to a newer version.
Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to
updated to a version better than 2.2.5, as Shorewall 1.x is not any more
supported and maintained.

-----------------------------------
Info:
Timeline: 
Report: 17.07.05
Confirmation: 17.07.05
Fix: 17.07.05
Disclosure: 17.07.06

Thanks to Supernaut for Reporting this to us, 
and to Tom for fixing it that quick
------------------------------------

The Shorewall Team

-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050718/7f676d0d/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ