shorewallMAC.txt

Posted Jul 19, 2005
Site shorewall.net

Shorewall firewall versions 2.2.x and 2.4.x allow any client to bypass every rule as long as it is accepted by the MAC filter.

tags | advisory
SHA-256 | 9ab844f7c8726b9f879f4a1eb17484f0cb02a3c64487de4af4c997a8514d38d6

Shorewall MACLIST Rules-Override Problem
------------------------------------
Release Date: 17.07.05
Severity: High
Affected Version: Shorewall 2.2.x and 2.4.x
------------------------------------
Synopsis:
A problem has been reported in the Shorewall firewall
(http://shorewall.net) that enables a client accepted by the MAC filter
to bypass every other rule.

-----------------------------------
About Shorewall:

The Shoreline Firewall, more commonly known as "Shorewall", is a
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
files. Shorewall reads those configuration files and with the help of
the iptables utility, Shorewall configures Netfilter to match your
requirements. Shorewall can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux
system.
(Taken from http://www.shorewall.net)

MACLIST_TTL, the parameter in question, was introduced in Shorewall
2.2.0.
------------------------------------

Description of the issue:

If MACLIST_TTL is set to a value greater than 0, or MACLIST_DISPOSITION
is set to "ACCEPT", in /etc/shorewall/shorewall.conf (the defaults are
MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), then a client that is
positively authenticated by its MAC address bypasses all other
policies and rules in place, thus gaining total access.

------------------------------------
Fix:

Workaround:
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT
in /etc/shorewall/shorewall.conf if you do not need those settings.
Update:
For 2.4.x, the fixed version is available at:
http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall

For 2.2.x, the fixed version is available at:
http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall
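As an added example (not part of this advisory and not Shorewall's own code), the following POSIX shell script checks whether a shorewall.conf carries either of the two settings described above, MACLIST_TTL greater than 0 or MACLIST_DISPOSITION=ACCEPT, and so whether the workaround is actually in place. The function names conf_get and maclist_audit and the three sample configuration files it builds are constructed for this example; the file is read with sed rather than sourced, so an untrusted configuration cannot execute commands on the host doing the audit.

```shell
#!/bin/sh
# Added example; not part of the advisory or of Shorewall itself.
# Audits shorewall.conf files for the MACLIST settings that trigger the
# rules-override problem: MACLIST_TTL greater than 0, or
# MACLIST_DISPOSITION=ACCEPT. The sample configuration files at the
# bottom are constructed for this example.

# conf_get FILE KEY DEFAULT
# Print the last value assigned to KEY in FILE (trailing comment, surrounding
# whitespace and double quotes stripped), or DEFAULT if it is unset or empty.
# shorewall.conf is shell syntax, but it is parsed with sed rather than
# sourced so that an untrusted file cannot run commands on the auditing host.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
          sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/')
    printf '%s\n' "${val:-$3}"
}

# maclist_audit FILE
# Exit status 0 if the file keeps the safe defaults (MACLIST_TTL=0 and
# MACLIST_DISPOSITION=REJECT), 1 if a vulnerable setting is present.
maclist_audit() {
    ttl=$(conf_get "$1" MACLIST_TTL 0)
    disp=$(conf_get "$1" MACLIST_DISPOSITION REJECT)
    status=0
    case $ttl in
        *[!0-9]*)
            echo "VULN: $1: MACLIST_TTL='$ttl' is not a number, treating as unsafe"
            status=1 ;;
        *)
            if [ "$ttl" -gt 0 ]; then
                echo "VULN: $1: MACLIST_TTL=$ttl (MAC-authenticated clients bypass other rules)"
                status=1
            fi ;;
    esac
    if [ "$disp" = ACCEPT ]; then
        echo "VULN: $1: MACLIST_DISPOSITION=ACCEPT (MAC-authenticated clients bypass other rules)"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK:   $1: MACLIST_TTL=$ttl MACLIST_DISPOSITION=$disp"
    fi
    return "$status"
}

# Constructed sample files (not real deployments): the shipped defaults,
# a cached-TTL variant, and an ACCEPT-disposition variant.
TMPDIR_AUDIT=$(mktemp -d)
trap 'rm -rf "$TMPDIR_AUDIT"' EXIT
SAFE_CONF=$TMPDIR_AUDIT/shorewall.conf.defaults
TTL_CONF=$TMPDIR_AUDIT/shorewall.conf.ttl
ACCEPT_CONF=$TMPDIR_AUDIT/shorewall.conf.accept
printf '%s\n' 'MACLIST_TTL=0' 'MACLIST_DISPOSITION=REJECT' > "$SAFE_CONF"
printf '%s\n' 'MACLIST_DISPOSITION=REJECT' 'MACLIST_TTL=60  # cache MAC checks' > "$TTL_CONF"
printf '%s\n' 'MACLIST_TTL=' 'MACLIST_DISPOSITION="ACCEPT"' > "$ACCEPT_CONF"

# Audit all three; rc becomes 1 if any file needs attention.
rc=0
for f in "$SAFE_CONF" "$TTL_CONF" "$ACCEPT_CONF"; do
    maclist_audit "$f" || rc=1
done
```

Point maclist_audit at the real /etc/shorewall/shorewall.conf on each firewall and pair it with `shorewall version` to confirm the host runs at least 2.2.5 or 2.4.1. Note that the workaround only closes the rules-override problem; a MAC address is still trivially spoofable on the local segment, so the MAC list should not be the sole control separating trusted from untrusted clients.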


This issue does not apply to any Shorewall version before 2.2.0.
Users of any version before 2.2.5 are encouraged to update to a newer
version (at least 2.2.5, better 2.4.1) of Shorewall.
Shorewall version 2.0.x is still supported, but users of 2.0.x are
encouraged to upgrade to a newer version.
Users of Shorewall versions 1.0, 1.2 and 1.4 are strongly encouraged to
update to a version of at least 2.2.5, as Shorewall 1.x is no longer
supported or maintained.

-----------------------------------
Info:
Timeline:
Report: 17.07.05
Confirmation: 17.07.05
Fix: 17.07.05
Disclosure: 17.07.06

Thanks to Supernaut for reporting this to us,
and to Tom for fixing it so quickly.
------------------------------------

The Shorewall Team
