ISS X-Force Database: ipfw-bypass-firewall(5998): ipfw/ip6fw allows remote attacker to bypass firewall

ipfw/ip6fw allows remote attacker to bypass firewall

ipfw-bypass-firewall (5998)

High Risk

Description:

The ipfw/ip6fw utility in FreeBSD could allow a remote attacker to bypass the firewall. Overloading in the TCP reserved flags field causes ipfw/ip6fw to treat all TCP packets with the ECE flag set as being part of an established connection. A remote attacker can create a TCP packet with the ECE flag set to bypass security restrictions in the firewall.

Platforms Affected:

FreeBSD, FreeBSD 3.5
FreeBSD, FreeBSD 4.2

Remedy:

For FreeBSD 3.x:
Upgrade to the latest version of FreeBSD (3.5-STABLE dated 1/12/2001 or later), as listed in FreeBSD Security Advisory FreeBSD-SA-01:08. See References.

For FreeBSD 4.x:
Upgrade to the latest version of FreeBSD (4.2-STABLE dated 1/09/2001 or later), as listed in FreeBSD Security Advisory FreeBSD-SA-01:08. See References.

Consequences:

Gain Access

References:

BugTraq Mailing List, Thu Jan 25 2001 - 07:04:30 CST, ecepass - proof of concept code for FreeBSD ipfw bypass at http://archives.neohapsis.com/archives/bugtraq/2001-01/0424.html.
CIAC Information Bulletin L-029, FreeBSD "ipfw/ip6fw" Vulnerability at http://www.ciac.org/ciac/bulletins/l-029.shtml.
FreeBSD Security Advisory FreeBSD-SA-01:08, ipfw/ip6fw allows bypassing of 'established' keyword at http://archives.neohapsis.com/archives/freebsd/2001-01/0341.html.
BID-2293: FreeBSD ipfw Filtering Evasion Vulnerability
CVE-2001-0183: ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection.
OSVDB ID: 1743: Multiple BSD ipfw Filtering Evasion

Reported:

Jan 23, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page