The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Shorewall MACLIST Security Vulnerability
------------------------------------------------------------------------
SUMMARY
The <http://shorewall.net/> Shoreline Firewall, "more commonly known as
'Shorewall', is a high-level tool for configuring Netfilter. You describe
your firewall/gateway requirements using entries in a set of configuration
files".
A problem has been reported in the Shorewall Firewall that enables a
Client accepted by MAC-Filter to bypass any other rule.
DETAILS
MACLIST_TTL, the Parameter in Question, was introduced in Shorewall 2.2.0
Describtion of the Issue:
If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is
set to "ACCEPT" in /etc/shorewall/shorewall.conf (Default is MACLIST_TTL=0
and MACLIST_DISPOSITION=REJECT), and a Client is Positivly Authenticated
through his MAC Adress, he bypasses all other Policies/Rules in Place,
thus gaining total access.
Workaround:
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in
/etc/shorewall/shorewall.conf, if you don't need it.
Update:
For 2.4.x, the fixed Version is available at:
<http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall> http://slovakia.shorewall.net/pub/shorewall/CURRENT_STABLE_VERSION_IS_2.4/shorewall-2.4.1/errata/firewall
For 2.2.x, the fixed Version is available at:
<http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall> http://www1.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall
This Issue doesn't apply to any Shorewall Version before 2.2.0. Users of
any Version before 2.2.5 are encouraged to updated to a newer version (at
least 2.2.5, better 2.4.1) of Shorewall. Shorewall Version 2.0.x is still
supported, but Users of 2.0.x are encouraged to upgrade to a newer
version.
Shorewall Users of Versions 1.0,1.2 and 1.4 are strongly encouraged to
updated to a version better than 2.2.5, as Shorewall 1.x is not any more
supported and maintained.
ADDITIONAL INFORMATION
The information has been provided by <mailto:blitz_at_post891.org>
Patrick Blitz.
The original article can be found at:
<http://shorewall.net/News.htm#20050717>
http://shorewall.net/News.htm#20050717
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment