A security vulnerability has been discovered which affects all supported stable versions of Shorewall. This vulnerability enables a client accepted by MAC address filtering to bypass any other rule. If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT), and a client is positively identified through its MAC address, it bypasses all other policies/rules in place, thus gaining access to all open services on the firewall. Also on FD here: http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html
netmon herd : please bump package with patch (or introduce fixed version)
Arches, pls try to mark 2.4.1 stable (seems like HPPA has to). If you think this jump is too big, try 2.2.5 instead. Thanks!
stable on amd64
2.4.1 sparc stable
2.4.1 and 2.2.5 stable on x86.
Stable on hppa
I think this could be of interest: Workaround: Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf, if you don't need it.
Almost time for GLSA decision. I tend to vote YES.
I vote yes, too, firewall bypass is nasty, even if on specific configurations.
This is CAN-2005-2317
Stable on alpha.
Ready for glsa.
GLSA 200507-20
Are you really sure this 2.4.1 is a fixed version? http://www.shorewall.net/News.htm#20050717 says 2.4.2 is fixed. And the firewall script with fixes for 2.4.x is different than in 2.4.1. I've seen that MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf is set per default in 2.4.1, but in case users keep their configuration files or need to change the setting a fixed script would be better imho. diff -Nur /usr/share/shorewall/firewall /tmp/firewall --- /usr/share/shorewall/firewall 2005-09-10 23:49:37.000000000 +0200 +++ /tmp/firewall 2005-09-13 08:45:22.000000000 +0200 @@ -477,11 +477,6 @@ echo $(chain_base $1)_mac } -macrecent_target() # $1 - interface -{ - [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN -} - # # Functions for creating dynamic zone rules # @@ -507,6 +502,11 @@ echo ${c}_dyni ${c}_dynf ${c}_dyno } +macrecent_target() # $1 - interface +{ + [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN +} + # # DNAT Chain from a zone # @@ -2327,13 +2327,14 @@ for interface in $maclist_interfaces; do chain=$(mac_chain $interface) createchain $chain no - + if [ -n "$MACLIST_TTL" ]; then chain1=$(macrecent_target $interface) createchain $chain1 no - run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j $chain1 - run_iptables -A $chain1 -m recent --update --name $chain -j ACCEPT - run_iptables -A $chain1 -m recent --set --name $chain -j ACCEPT + run_iptables -A $chain -m recent --rcheck --seconds $MACLIST_TTL --name $chain -j RETURN + run_iptables -A $chain -j $chain1 + run_iptables -A $chain -m recent --update --name $chain -j RETURN + run_iptables -A $chain -m recent --set --name $chain fi done # @@ -2353,8 +2354,7 @@ esac fi - chain=$(mac_chain $interface) - chain1=$(macrecent_target $interface) + [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) if ! havechain $chain ; then fatal_error "No hosts on $interface have the maclist option specified" @@ -2363,10 +2363,10 @@ macpart=$(mac_match $mac) if [ -z "$addresses" ]; then - run_iptables -A $chain $macpart $physdev_part -j $chain1 + run_iptables -A $chain $macpart $physdev_part -j RETURN else for address in $(separate_list $addresses) ; do - run_iptables2 -A $chain $macpart -s $address $physdev_part -j $chain1 + run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN done fi done < $TMP_DIR/maclist @@ -2375,8 +2375,7 @@ # chains # for interface in $maclist_interfaces; do - chain=$(mac_chain $interface) - chain1=$(macrecent_target $interface) + [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface) blob=$(ip link show $interface 2> /dev/null) @@ -2384,16 +2383,17 @@ fatal_error "Interface $interface must be up before Shorewall can start" ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do + address=${address%/*} if [ -n "$broadcast" ]; then - run_iptables -A $chain -s ${address%/*} -d $broadcast -j $chain1+ run_iptables -A $chain -s $address -d $broadcast -j RETURN fi - run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1 - run_iptables -A $chain -s $address -d 224.0.0.0/4 -j $chain1 + run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN + run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN done if [ -n "$MACLIST_LOG_LEVEL" ]; then - log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION + log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface) $MACLIST_DISPOSITION "$LOGLIMIT" "" -A fi run_iptables -A $chain -j $maclist_target @@ -3193,7 +3193,7 @@ [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi echo "Determining Zones..." @@ -6402,7 +6402,7 @@ [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL= if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then - startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" + startup_error "MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables" fi [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \ @@ -8190,8 +8190,11 @@ case $MACLIST_DISPOSITION in REJECT) ;; - ACCEPT|DROP) - maclist_target=$MACLIST_DISPOSITION + DROP) + maclist_target=DROP + ;; + ACCEPT) + maclist_target=RETURN ;; *) startup_error "Invalid value ($MACLIST_DISPOSITION) for MACLIST_DISPOSITION"
Reopening. Netmon please advise.
Thanks Sebastian you're right. 2.4.1 isn't corrected. 2.0.17, 2.2.6 and 2.4.2 added that correct the vulnerability. My sincere appoligies for stuffing this one up and not reading it right. Arch Testers please mark the following stable: 2.0.17, 2.2.6 and 2.4.2 FYI 2.4.4 is only a version bump and does not require any attention. the only difference between the now stable 2.4.2 and 2.4.1 is the patch in comment #14 and a few other comments in configuration files.
Note 2.0.17 2.2.6 are provided for backwards compatibility. Arch testers please remove 2.4.1 when finished. glsa notes going of last glsa: vulnerable versions: <2.0.17 >=2.2.0- <=2.2.5 >=2.4.0 - <=2.4.1 unaffected: 2.0.17 2.2.6 >=2.4.2 (note I'm not sure what the current glsa specifications for good/bad versions are so this is fyi) Description: The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf Impact: applies to female users too. previous GLSA workaround still valid. alternate workaround: download the the firewall script corresponding to your version http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall and copy to /usr/share/shorewall/firewall resolution: same
2.4.2 sparc stable. Is there really a need to stable the old ones? Since they've been gone for some time what b0rkage are we trying to avoid that's not already been done?
Good point. removed 2.0.17 and 2.2.6. I did see any upgrade guide in the documention that would make this too hard for users. Thanks Gustavo
2.4.2 stable on amd64
hppa stable
sparc happy - alpha to go.
alphalized Cheers, Ferdy
Ready for GLSA ERRATA. Security please review updated draft.
Draft looks OK.
GLSA 200507-20 errata sent
