Re: Attack on badly configured Netfilter-based firewalls

[Eric Leblond <eric () regit org>]

Hello,

On Sun, 2012-02-26 at 12:17 -0700, Kurt Seifried wrote:
> On 02/25/2012 11:37 AM, Eric Leblond wrote:
> > Hello,
> >
> > I've discovered a generic attack on firewall using Application
> > Level Gateway (like Netfilter or Checkpoint).
> >
> > Impact: An attacker on a local network can open some pinholes in a
> > firewall which is not correctly protected.
>
> Are there any helpers that can be abused to open holes in the firewall
> externally, or is it only internal clients that can cause problems and
> trigger the firewall to improperly allow network traffic in/out.

No, attacker has to be on a network directly connected to the firewall.

> > Fix: None, the issue has to be fixed in the firewall
> > configuration. Workaround: Apply a strict anti-spoofing policy for
> > IPv4 and IPv6 as described in the document "Secure use of iptables
> > and connection tracking helpers" This document was written after
> > private disclosure of the attack to the Netfilter's team.
>
> Just to confirm: setting net.ipv4.conf.[IFNAME].rp_filter to 1 is
> sufficient, it doesn't need to be set globally as well?

It is sufficient for IPv4 but the feature is lacking on IPv6.

> > This attack will be presented at Cansecwest, March 9th 2012.
>
> I assume you won't be providing any specifics until this date?I can't
> assign CVE's without more information so I guess we both just have to
> wait.

This is a generic attack not related to any version of Netfilter. It
even works with badly configured Checkpoint firewall.

BR,
-- 
Eric Leblond 
Blog: http://home.regit.org/

Attachment: signature.asc
Description: This is a digitally signed message part