From 09aafa75750d2a8534ee0b1e35391a2e7ac91e50 Mon Sep 17 00:00:00 2001 From: paulgear Date: Mon, 18 Jul 2005 03:14:27 +0000 Subject: [PATCH] Announcement about MACLIST security vulnerability git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2363 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-Website/News.htm | 77 ++++++++++++++++++++++++++- Shorewall-Website/shorewall_index.htm | 1 + 2 files changed, 77 insertions(+), 1 deletion(-) diff --git a/Shorewall-Website/News.htm b/Shorewall-Website/News.htm index 283b2b514..0b7d30772 100644 --- a/Shorewall-Website/News.htm +++ b/Shorewall-Website/News.htm @@ -19,8 +19,82 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2005-07-14
+

2005-07-17

+ +
+ +

07/17/2005 Security vulnerability in MACLIST processing

+ +

Description

+ +

+A security vulnerability has been discovered which affects all supported +stable versions of Shorewall.  This vulnerability enables a client +accepted by MAC address filtering to bypass any other rule.  If +MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set +to "ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and +MACLIST_DISPOSITION=REJECT), and a client is positively identified through +its MAC address, it bypasses all other policies/rules in place, thus +gaining access to all open services on the firewall. +

+ +

Fix

+ +

Workaround

+ +

+For Shorewall 2.2.x or 2.4.x, set MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT +in /etc/shorewall/shorewall.conf.  For Shorewall 2.0.x, set +MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf.  MACLIST +filtering is of limited on Internet-connected hosts, and the Shorewall team +recommends this approach to be used if possible. +

+ +

Upgrade

+ +

+For Shorewall 2.4.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall. +

+ +

+For Shorewall 2.2.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall +and +http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall. +

+ +

+For Shorewall 2.0.x, a fixed version of the 'firewall' script is available at: +http://shorewall.net/pub/shorewall/errata/2.0.17/firewall +and its mirrors, +http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall +and +http://slovakia.shorewall.net/pub/shorewall/errata/2.0.17/firewall. +

+ +

+Users of any version before 2.0.17 are urged to upgrade to a supported +version of Shorewall (preferably 2.4.1) before using the fixed +files.  Only the most recent version of the 2.0.x and 2.2.x +streams will be supported by the development team, and the 1.x branches +are no longer maintained at all.  Future releases of Shorewall will +include this fix. +

+ +

This information was based on +Patrick +Blitz's post to the Full Disclosure mailing list.  Thanks to +Supernaut (supernaut at ns dot sympatico dot ca) for reporting this bug. +

+
07/13/2005 Shorewall 2.4.1

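Review bot: the Workaround paragraph contradicts the Description it follows. The Description says the bypass occurs when MACLIST_TTL is greater than 0 *or* MACLIST_DISPOSITION is "ACCEPT", so a 2.2.x/2.4.x user who applies only one of the two settings in "set MACLIST_TTL=0 or MACLIST_DISPOSITION=REJECT" remains exposed through the other; it should read "set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT" (the 2.0.x instruction, which names only MACLIST_DISPOSITION, is consistent with the Description). Two smaller points in the same hunk: "MACLIST filtering is of limited on Internet-connected hosts" is missing a word ("of limited use"), and the Upgrade section lists download URLs for the replacement 'firewall' script on three mirrors but gives neither the path of the installed script it is meant to replace nor a checksum, so a reader has no way to confirm the file fetched from a mirror is the intended one before overwriting the firewall script with it.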
@@ -50,6 +124,7 @@ configurations, be filtered by the 'maclist' option even though the 'dhcp' option was specified. This has been corrected.
+ 06/05/2005 Shorewall 2.4.0

diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index a023b5760..f6b8617b7 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -10,6 +10,7 @@

Shorewall 2.x

+

Security vulnerability in Shorewall 2.x

Tom's Involvement in Shorewall
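Review bot: the new index link text "Security vulnerability in Shorewall 2.x" carries no date and does not name the affected component (MACLIST), so it becomes ambiguous as soon as a second 2.x advisory is published; mirror the heading used in News.htm in this same commit, e.g. "07/17/2005 Security vulnerability in MACLIST processing", so the index entry and the advisory it points to stay in sync.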