Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 99398 - net-firewall/shorewall MACLIST Rules-Override Problem (CAN-2005-2317)
Summary: net-firewall/shorewall MACLIST Rules-Override Problem (CAN-2005-2317)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.shorewall.net/News.htm#200...
Whiteboard: B4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-17 22:24 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-09-17 05:33 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-07-17 22:24:56 UTC
A security vulnerability has been discovered which affects all supported 
stable versions of Shorewall.  This vulnerability enables a client accepted by 
MAC address filtering to bypass any other rule.  If MACLIST_TTL is set to a 
value greater than 0 or MACLIST_DISPOSITION is set to "ACCEPT" 
in /etc/shorewall/shorewall.conf (default is MACLIST_TTL=0 and 
MACLIST_DISPOSITION=REJECT), and a client is positively identified through its 
MAC address, it bypasses all other policies/rules in place, thus gaining 
access to all open services on the firewall. 
 
Also on FD here: 
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0429.html
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-07-18 04:40:47 UTC
netmon herd : please bump package with patch (or introduce fixed version)
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-18 06:48:12 UTC
Arches, pls try to mark 2.4.1 stable (seems like HPPA has to). If you think this
jump is too big, try 2.2.5 instead. Thanks! 
Comment 3 Danny van Dyk (RETIRED) gentoo-dev 2005-07-18 08:06:30 UTC
stable on amd64
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-18 08:44:46 UTC
2.4.1 sparc stable
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-18 21:48:35 UTC
2.4.1 and 2.2.5 stable on x86.
Comment 6 René Nussbaumer (RETIRED) gentoo-dev 2005-07-19 11:17:31 UTC
Stable on hppa
Comment 7 Robert Muchacki (RETIRED) gentoo-dev 2005-07-19 16:05:30 UTC
I think this could be of interest:

Workaround: 
Set MACLIST_TTL=0 and MACLIST_DISPOSITION=REJECT
in /etc/shorewall/shorewall.conf, if you don't need it. 
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-19 22:03:34 UTC
Almost time for GLSA decision. I tend to vote YES. 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-07-20 01:31:55 UTC
I vote yes, too, firewall bypass is nasty, even if on specific configurations.
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-20 14:04:48 UTC
This is CAN-2005-2317
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-21 14:05:03 UTC
Stable on alpha.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-21 14:06:40 UTC
Ready for glsa.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-21 22:48:31 UTC
GLSA 200507-20 
Comment 14 Sebastian 2005-09-12 23:58:35 UTC
Are you really sure this 2.4.1 is a fixed version?
http://www.shorewall.net/News.htm#20050717 says 2.4.2 is fixed. And the firewall
script with fixes for 2.4.x is different than in 2.4.1. I've seen that
MACLIST_DISPOSITION=REJECT in /etc/shorewall/shorewall.conf is set per default
in 2.4.1, but in case users keep their configuration files or need to change the
setting a fixed script would be better imho.

diff -Nur /usr/share/shorewall/firewall /tmp/firewall
--- /usr/share/shorewall/firewall       2005-09-10 23:49:37.000000000 +0200
+++ /tmp/firewall       2005-09-13 08:45:22.000000000 +0200
@@ -477,11 +477,6 @@
    echo $(chain_base $1)_mac
 }

-macrecent_target() # $1 - interface
-{
-    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
-}
-
 #
 # Functions for creating dynamic zone rules
 #
@@ -507,6 +502,11 @@
    echo ${c}_dyni ${c}_dynf ${c}_dyno
 }

+macrecent_target() # $1 - interface
+{
+    [ -n "$MACLIST_TTL" ] && echo $(chain_base $1)_rec || echo RETURN
+}
+
 #
 # DNAT Chain from a zone
 #
@@ -2327,13 +2327,14 @@
     for interface in $maclist_interfaces; do
        chain=$(mac_chain $interface)
        createchain $chain no
-
+
        if [ -n "$MACLIST_TTL" ]; then
            chain1=$(macrecent_target $interface)
            createchain $chain1 no
-           run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL
--name $chain -j $chain1
-           run_iptables -A $chain1 -m recent --update                       
--name $chain -j ACCEPT
-           run_iptables -A $chain1 -m recent --set                          
--name $chain -j ACCEPT
+           run_iptables -A $chain  -m recent --rcheck --seconds $MACLIST_TTL
--name $chain -j RETURN
+           run_iptables -A $chain             -j $chain1
+           run_iptables -A $chain  -m recent --update                       
--name $chain -j RETURN
+           run_iptables -A $chain  -m recent --set                          
--name $chain
        fi
     done
     #
@@ -2353,8 +2354,7 @@
            esac
        fi

-       chain=$(mac_chain $interface)
-       chain1=$(macrecent_target $interface)
+       [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)

        if ! havechain $chain ; then
            fatal_error "No hosts on $interface have the maclist option specified"
@@ -2363,10 +2363,10 @@
        macpart=$(mac_match $mac)

        if [ -z "$addresses" ]; then
-           run_iptables -A $chain $macpart $physdev_part -j $chain1
+           run_iptables -A $chain $macpart $physdev_part -j RETURN
        else
            for address in $(separate_list $addresses) ; do
-               run_iptables2 -A $chain $macpart -s $address $physdev_part -j
$chain1
+               run_iptables2 -A $chain $macpart -s $address $physdev_part -j RETURN
            done
        fi
     done < $TMP_DIR/maclist
@@ -2375,8 +2375,7 @@
     # chains
     #
     for interface in $maclist_interfaces; do
-       chain=$(mac_chain $interface)
-       chain1=$(macrecent_target $interface)
+       [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) ||
chain=$(mac_chain $interface)

        blob=$(ip link show $interface 2> /dev/null)

@@ -2384,16 +2383,17 @@
            fatal_error "Interface $interface must be up before Shorewall can start"

        ip -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | sed
's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
+           address=${address%/*}
            if [ -n "$broadcast" ]; then
-               run_iptables -A $chain -s ${address%/*} -d $broadcast -j
$chain1+               run_iptables -A $chain -s $address -d $broadcast -j RETURN
            fi

-           run_iptables -A $chain -s $address -d 255.255.255.255 -j $chain1
-           run_iptables -A $chain -s $address -d 224.0.0.0/4     -j $chain1
+           run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
+           run_iptables -A $chain -s $address -d 224.0.0.0/4     -j RETURN
        done

        if [ -n "$MACLIST_LOG_LEVEL" ]; then
-           log_rule $MACLIST_LOG_LEVEL $chain $MACLIST_DISPOSITION
+           log_rule_limit $MACLIST_LOG_LEVEL $chain $(mac_chain $interface)
$MACLIST_DISPOSITION "$LOGLIMIT" "" -A
        fi

        run_iptables -A $chain -j $maclist_target
@@ -3193,7 +3193,7 @@
     [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

     if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
-       startup_error "MACLIST_TTL requires the Recent Match capability which is
not present in your Kernel and/or iptables"
+       startup_error "MACLIST_TTL requires the Recent Match capability which is
not present in your Kernel and/or iptables"
     fi

     echo "Determining Zones..."
@@ -6402,7 +6402,7 @@
     [ "$MACLIST_TTL" = "0" ] && MACLIST_TTL=

     if [ -n "$MACLIST_TTL" -a -z "$RECENT_MATCH" ]; then
-       startup_error "MACLIST_TTL requires the Recent Match capability which is
not present in your Kernel and/or iptables"
+       startup_error "MACLIST_TTL requires the Recent Match capability which is
not present in your Kernel and/or iptables"
     fi

     [ -n "$RFC1918_STRICT" -a -z "$CONNTRACK_MATCH" ] && \
@@ -8190,8 +8190,11 @@
        case $MACLIST_DISPOSITION in
            REJECT)
                ;;
-           ACCEPT|DROP)
-               maclist_target=$MACLIST_DISPOSITION
+           DROP)
+               maclist_target=DROP
+               ;;
+           ACCEPT)
+               maclist_target=RETURN
                ;;
            *)
                startup_error "Invalid value ($MACLIST_DISPOSITION) for
MACLIST_DISPOSITION"
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-13 00:07:53 UTC
Reopening. Netmon please advise. 
Comment 16 Daniel Black (RETIRED) gentoo-dev 2005-09-13 02:17:15 UTC
Thanks Sebastian you're right. 2.4.1 isn't corrected.  
  
2.0.17, 2.2.6 and 2.4.2 added that correct the vulnerability.  
 
My sincere appoligies for stuffing this one up and not reading it right. 
 
Arch Testers please mark the following stable: 
2.0.17, 2.2.6 and 2.4.2 
 
FYI 2.4.4 is only a version bump and does not require any attention. 
 
the only difference between the now stable 2.4.2 and 2.4.1 is the patch in 
comment #14 and a few other comments in configuration files. 
 
Comment 17 Daniel Black (RETIRED) gentoo-dev 2005-09-13 02:47:53 UTC
Note  
  
2.0.17 2.2.6 are provided for backwards compatibility.  
Arch testers please remove 2.4.1 when finished.  
  
glsa notes going of last glsa:  
  
vulnerable versions:  
<2.0.17   
>=2.2.0- <=2.2.5  
>=2.4.0 - <=2.4.1  
  
unaffected:  
2.0.17  
2.2.6  
>=2.4.2  
 
(note I'm not sure what the current glsa specifications for good/bad versions 
are so this is fyi) 
  
Description:  
  
The default installation has MACLIST_DISPOSITION=REJECT and   
MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the  
settings in /etc/shorewall/shorewall.conf  
  
Impact:  
  
applies to female users too.  
  
previous GLSA workaround still valid.  
  
alternate workaround:  
  
download the the firewall script corresponding to your version  
http://www.shorewall.net/pub/shorewall/2.4/shorewall-2.4.1/errata/firewall  
http://slovakia.shorewall.net/pub/shorewall/2.2/shorewall-2.2.5/errata/firewall  
http://www.shorewall.net/pub/shorewall/errata/2.0.17/firewall  
and copy to /usr/share/shorewall/firewall  
  
resolution:  
  
same  
  
 
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2005-09-13 06:36:57 UTC
2.4.2 sparc stable.
Is there really a need to stable the old ones? Since they've been gone for some
time what b0rkage are we trying to avoid that's not already been done?
Comment 19 Daniel Black (RETIRED) gentoo-dev 2005-09-13 07:06:16 UTC
Good point. removed 2.0.17 and 2.2.6. I did see any upgrade guide in the 
documention that would make this too hard for users. 
 
Thanks Gustavo 
Comment 20 Simon Stelling (RETIRED) gentoo-dev 2005-09-13 09:04:05 UTC
2.4.2 stable on amd64
Comment 21 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-13 09:31:24 UTC
hppa stable
Comment 22 Daniel Black (RETIRED) gentoo-dev 2005-09-13 18:49:02 UTC
sparc happy - alpha to go. 
Comment 23 Fernando J. Pereda (RETIRED) gentoo-dev 2005-09-14 12:03:12 UTC
alphalized

Cheers,
Ferdy
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2005-09-14 12:17:52 UTC
Ready for GLSA ERRATA. Security please review updated draft. 
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-09-14 13:29:01 UTC
Draft looks OK.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 05:33:48 UTC
GLSA 200507-20 errata sent