IPFilter Fragment Rule Bypass Vulnerability

IPFilter is a packet filtering implementation that is in wide use on a variety of Unix systems.

There exists a vulnerability in IPFilter that can allow an attacker to communicate with blocked ports on hosts behind an IPFilter firewall.

The vulnerability is the result of IPFilter caching the decision to forward or drop a fragment, and applying this decision to other IP fragments with the same IP id. Even when a fragment is an 'initial' fragment (fragment with a fragment offset of 0) which may contain a TCP or UDP header, it will be evaluated based on the decision cache.

As a result, an attacker can establish a 'permit' decision cache in an IPFilter firewall and then successfully pass fragments with arbitrary UDP or TCP headers through the firewall bypassing the ruleset.


Privacy Statement
Copyright 2010, SecurityFocus