Subject: IMPORTANT: IP Filter 3.4.4 and 3.3.16 (fwd)
To: None <tech-security@netbsd.org>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 05/26/2000 12:21:15

----- Forwarded message from Darren Reed -----

From owner-ipfilter@cairo.anu.edu.au Fri May 26 12:05:01 2000
From: Darren Reed <darrenr@reed.wattle.id.au>
Message-Id: <200005260156.LAA25909@avalon.reed.wattle.id.au>
Subject: IMPORTANT: IP Filter 3.4.4 and 3.3.16
To: ipfilter@coombs.anu.edu.au
Date: Fri, 26 May 2000 11:56:47 +1000 (EST)


It has been brought to my attention that using these two rules in
combination can lead to a security hole being created:

pass out quick proto tcp/udp from any to any keep state
block return-rst in quick proto tcp from any to any

(or the equivalent thereof).  If you are using "flags S keep state" then
you are *NOT* at risk! The problem is that the RST packets so generated
were matching the "pass out" rule.  This problem has been fixed for all of
the BSD platforms (and SunOS4) such that "return-*" rules will generate
packets that do not match any rules (nor do they get checked against
NAT).  I have so far been unable to do this for Solaris, so in addition to
that change, the "keep state" code will no longer create a state entry if
the TCP packet has the RST flag set.  This security hole only exists when
those two rules are used in combination.  Versions 3.4.4 and 3.3.16 are
patched as described above.  If you are unable to patch your kernel, then
insert the following rule *before* the "keep state" rule:

pass out quick proto tcp from any to any flags R

Each of the following OS branches has been updated with the appropriate fix
to neuter this problem:

FreeBSD-3 (ignore RST patch)
FreeBSD-4 (ignore RST patch)
FreeBSD-current (3.4.4)
NetBSD-1.4 (ignore RST patch)
NetBSD-current (3.4.4)
OpenBSD

For branches such as FreeBSD-3 and NetBSD-1.4, obtain an updated version
of /sys/netinet/ip_state.c and rebuild your kernel with IP Filter compiled
in.  For FreeBSD-current, the delayed checksum patch has been included in
both 3.4.4 and 3.3.16.

ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.4.4.tar.gz
ftp://coombs.anu.edu.au/pub/net/ip-filter/ip_fil3.3.16.tar.gz

Darren

----- End of forwarded message from Darren Reed -----
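As an added illustration (not part of Darren's post or of IP Filter's code), a small Python model of the rule interaction he describes: the RST generated by the "block return-rst in" rule is run back through "pass out ... keep state", creating a state entry that lets a later inbound packet to the blocked port through, while "flags S keep state", the "pass out ... flags R" workaround rule and either of the two code fixes all close the hole. The hosts, ports and the exact-match flag semantics are constructed assumptions.

```python
# Constructed, simplified model of the rule interaction described in the post.
# This is not IP Filter code: it only reproduces the logic the post explains.
from collections import namedtuple

# dir is "in"/"out"; flags is the set of TCP flags present, e.g. "S", "A", "R".
Pkt = namedtuple("Pkt", "dir src sport dst dport flags")
# A rule's "flags X" is modelled as an exact match on the packet's flag set.
Rule = namedtuple("Rule", "action dir flags keep_state return_rst",
                  defaults=(None, False, False))

def filt(rules, state, p, rst_skips_rules=False, no_state_for_rst=False):
    """First-match filter (every rule is 'quick'); returns 'pass' or 'block'.
    state: set of connection keys; a packet matching an entry passes outright."""
    key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
    if key in state:
        return "pass"
    for r in rules:
        if r.dir != p.dir or (r.flags is not None and r.flags != p.flags):
            continue
        if r.keep_state and not (no_state_for_rst and "R" in p.flags):
            state.add(key)  # old code: a filter-generated RST creates state here
        if r.return_rst:
            rst = Pkt("out", p.dst, p.dport, p.src, p.sport, "R")
            if not rst_skips_rules:  # old behaviour: the RST is run through the rules
                filt(rules, state, rst, rst_skips_rules, no_state_for_rst)
        return r.action
    return "block"

# Rulesets from the post (proto is ignored: every packet here is TCP).
VULNERABLE = [Rule("pass", "out", keep_state=True), Rule("block", "in", return_rst=True)]
FLAGS_S = [Rule("pass", "out", flags="S", keep_state=True), VULNERABLE[1]]
WORKAROUND = [Rule("pass", "out", flags="R")] + VULNERABLE  # "flags R" rule inserted first

def scenario(rules, **fixes):
    """Constructed hosts: 10.0.0.1 is filtered, 10.0.0.2 connects to its closed port 23.
    Returns (verdict for the first SYN, verdict for a later ACK to the same port)."""
    state = set()
    syn = Pkt("in", "10.0.0.2", 40000, "10.0.0.1", 23, "S")
    ack = Pkt("in", "10.0.0.2", 40000, "10.0.0.1", 23, "A")
    return filt(rules, state, syn, **fixes), filt(rules, state, ack, **fixes)

def compare():
    """Each ruleset/fix against the same two packets; ('block', 'pass') is the hole."""
    return {
        "vulnerable": scenario(VULNERABLE),
        "flags S keep state": scenario(FLAGS_S),
        "pass out flags R first": scenario(WORKAROUND),
        "fix: RST bypasses rules": scenario(VULNERABLE, rst_skips_rules=True),
        "fix: no state for RST": scenario(VULNERABLE, no_state_for_rst=True),
    }
```

Only the unpatched ruleset yields ('block', 'pass'): the SYN is refused, yet the RST it provoked has opened state that admits the follow-up packet.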