IPFilter Firewall Race Condition Vulnerability

Solution:
A patch has been made available for all versions of IPFilter that prevents fr_addstate() from creating a state entry when triggered by a RST packet. This patch has been incorporated into IPFilter releases 3.3.16 and 3.4.4.

If you are unable to patch your systems, remove all "return-rst" keywords or replace the rule which adds state for all outbound TCP packets:

pass out proto tcp ... keep state # No TCP flags matched upon!

with the following three rules:

pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state

These three rules preserve the current behavior: state is created both for connections which are already open and for new connections, so long as at least the ACK bit is set in the TCP header (a new connection's SYN is covered by the third rule), while a bare RST is passed by the "quick" rule without creating state. The use of a single rule which matches all TCP packets, regardless of flag settings, is strongly discouraged.

If you use a single rule such as this:

pass out proto tcp/udp ... keep state

then you must replace it with these four rules:

pass out quick proto tcp ... flags R/R
pass out proto tcp ... flags AR/A keep state
pass out proto tcp ... flags S keep state
pass out proto udp ... keep state

The latest source releases of IPFilter can be obtained at: <http://coombs.anu.edu.au/~avalon/ip-filter.html>

In addition, FreeBSD, NetBSD, and OpenBSD contain IPFilter in their operating systems, and patches have been applied to the following: FreeBSD 3-stable, FreeBSD 4-stable, FreeBSD-current, NetBSD-current, and OpenBSD 2.7-current.

Errata patches will be available shortly for the following: NetBSD 1.4, OpenBSD 2.6-base, and OpenBSD 2.7-base.

Copyright 2010, SecurityFocus