Firewall Wizards mailing list archives
NetBSD Security Advisory 2002-024: IPFilter FTP proxy (fwd)
From: Darren Reed <avalon () coombs anu edu au>
Date: Sat, 9 Nov 2002 22:16:01 +1100 (Australia/ACT)
Various people's tried very hard to get me to comment directly on what is essentially the subject of this email below. As much as I may have been able to do that, it is improper of me to do so out of turn and is better when things such as this go through the correct channels. If I do not respect that then it does little to engender further cooperation and that helps nobody in the long run. Darren Forwarded message:
To: bugtraq () securityfocus com From: NetBSD Security Officer <security-officer () netbsd org> Organisation: The NetBSD Foundation, Inc. Reply-To: NetBSD Security Officer <security-officer () netbsd org> Subject: NetBSD Security Advisory 2002-024: IPFilter FTP proxy Date: Tue, 05 Nov 2002 08:36:15 +0900 Sender: itojun () itojun org Message-Id: <20021104233616.F0DE97B9 () starfruit itojun org> X-OriginalArrivalTime: 03 Nov 2002 23:41:14.0062 (UTC) FILETIME=[7F193EE0:01C28392] Content-Length: 5398 -----BEGIN PGP SIGNED MESSAGE----- NetBSD Security Advisory 2002-024 ================================= Topic: IPFilter FTP proxy Version: NetBSD-current: source prior to September 20, 2002 NetBSD 1.6: affected NetBSD-1.5.3: affected NetBSD-1.5.2: affected NetBSD-1.5.1: affected NetBSD-1.5: affected Severity: Unexpected TCP session establishment by malicious remote input Fixed: NetBSD-current: September 20, 2002 NetBSD-1.6 branch: October 25, 2002 NetBSD-1.5 branch: October 19, 2002 Abstract ======== FTP proxy module in IPFilter package may not adequately maintain the state of FTP commands and responses. As a result, an attacker could establish arbitrary TCP connections to FTP servers or clients located behind a vulnerable firewall. Technical Details ================= http://www.kb.cert.org/vuls/id/328867 Solutions and Workarounds ========================= The IPFilter package, which is shipped with NetBSD, prior to 3.4.29 includes the vulnerable FTP proxy module. Systems enabling both IPFilter and its FTP module are vulnerable. IPFilter and the FTP proxy module are not enabled by default. Therefore, the default installation of NetBSD is not vulnerable to this attack. Quick workaround: Disable FTP proxy module in IP NAT configuration file by removing or commenting out the line which includes both "proxy" and "ftp/". The default location of the configuration file is /etc/ipnat.conf. Solution: Upgrade of the kernel as well as IPFilter-related userland tools. The following instructions describe how to upgrade your kernel and IPFilter- related binaries by updating your source tree and rebuilding and installing a new version. * NetBSD-current: Systems running NetBSD-current dated from before 2002-09-20 should be upgraded to NetBSD-current dated 2002-09-20 or later. The following directories need to be updated from the netbsd-current CVS branch (aka HEAD): dist/ipf regress/sys/kern/ipf sys/lkm/netinet/if_ipl sys/netinet usr.sbin/ipf Update the source files: # cd src # cvs update -d -P dist/ipf # cvs update -d -P regress/sys/kern/ipf # cvs update -d -P sys/lkm/netinet/if_ipl # cvs update -d -P sys/netinet # cvs update -d -P usr.sbin/ipf Install the updated include files: # cd src/sys # make includes Rebuild the userland tools: # cd src/usr.sbin/ipf # make cleandir dependall # make install Rebuild the LKM: # cd src/sys/lkm/netinet # make cleandir dependall # make install Rebuild the kernel and reboot: # cd src/sys/ARCH/conf # config FILENAME # cd ../compile/FILENAME # make dependall install * NetBSD 1.6: Systems running NetBSD 1.6 dated from before 2002-10-25 should be upgraded to NetBSD 1.6 dated 2002-10-25 or later. The following directories need to be updated from the netbsd-1-6 CVS branch: dist/ipf regress/sys/kern/ipf sys/lkm/netinet/if_ipl sys/netinet usr.sbin/ipf Update the source files: # cd src # cvs update -d -P -r netbsd-1-6 dist/ipf # cvs update -d -P -r netbsd-1-6 regress/sys/kern/ipf # cvs update -d -P -r netbsd-1-6 sys/lkm/netinet/if_ipl # cvs update -d -P -r netbsd-1-6 sys/netinet # cvs update -d -P -r netbsd-1-6 usr.sbin/ipf Install the updated include files: # cd src/sys # make includes Rebuild the userland tools: # cd src/usr.sbin/ipf # make cleandir dependall # make install Rebuild the LKM: # cd src/sys/lkm/netinet # make cleandir dependall # make install Rebuild the kernel and reboot: # cd src/sys/ARCH/conf # config FILENAME # cd ../compile/FILENAME # make dependall install * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3: Systems running NetBSD 1.5 dated from before 2002-10-19 should be upgraded to NetBSD 1.5 dated 2002-10-19 or later. The following directories need to be updated from the netbsd-1-5 CVS branch: dist/ipf sys/netinet usr.sbin/ipf Update the source files: # cd src # cvs update -d -P -r netbsd-1-5 dist/ipf # cvs update -d -P -r netbsd-1-5 usr.sbin/ipf # cvs update -d -P -r netbsd-1-5 sys/netinet Install the updated include files: # cd src/sys # make includes Rebuild the userland tools: # cd src/usr.sbin/ipf # make cleandir dependall # make install Rebuild the LKM: # cd src/sys/lkm/netinet # make cleandir dependall # make install Rebuild the kernel and reboot: # cd src/sys/ARCH/conf # config FILENAME # cd ../compile/FILENAME # make dependall install Thanks To ========= Darren Reed Martti Kuparinen Revision History ================ 2002-11-04 Initial release More Information ================ Advisories may be updated as new information comes to hand. The most recent version of this advisory (PGP signed) can be found at ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-024.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/. Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved. $NetBSD: NetBSD-SA2002-024.txt,v 1.15 2002/11/04 23:10:47 itojun Exp $ -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBPcb+VD5Ru2/4N2IFAQH++AP+NvptGVWKPhU1T9Ag31towbcsmzm+gqx9 chjZ+8JUV9cYfcv4aK0ZO8YVpKb3tP99ql+IVkzaOJxMnfayNydA/4FQv8sxta/y Hpcr2lkZASIBeDkD4dS1J4bh6dMFOyq1tEKpgsKSz8Cd9cot/uJy0kE99EOhPM4G 9RbCB7VSs/g= =rk6g -----END PGP SIGNATURE-----
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- NetBSD Security Advisory 2002-024: IPFilter FTP proxy (fwd) Darren Reed (Nov 09)