NetBSD Security Advisory 2002-024: IPFilter FTP proxy (fwd)

[Darren Reed <avalon () coombs anu edu au>]

Various people's tried very hard to get me to comment directly on what
is essentially the subject of this email below.  As much as I may have
been able to do that, it is improper of me to do so out of turn and is
better when things such as this go through the correct channels.  If I
do not respect that then it does little to engender further cooperation
and that helps nobody in the long run.

Darren

Forwarded message:
> To: bugtraq () securityfocus com
> From: NetBSD Security Officer <security-officer () netbsd org>
> Organisation: The NetBSD Foundation, Inc.
> Reply-To: NetBSD Security Officer <security-officer () netbsd org>
> Subject: NetBSD Security Advisory 2002-024: IPFilter FTP proxy
> Date: Tue, 05 Nov 2002 08:36:15 +0900
> Sender: itojun () itojun org
> Message-Id: <20021104233616.F0DE97B9 () starfruit itojun org>
> X-OriginalArrivalTime: 03 Nov 2002 23:41:14.0062 (UTC) FILETIME=[7F193EE0:01C28392]
> Content-Length: 5398
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
>                NetBSD Security Advisory 2002-024
>                =================================
>
> Topic:                IPFilter FTP proxy
>
> Version:      NetBSD-current: source prior to September 20, 2002
>               NetBSD 1.6:     affected
>               NetBSD-1.5.3:   affected
>               NetBSD-1.5.2:   affected
>               NetBSD-1.5.1:   affected
>               NetBSD-1.5:     affected
>
> Severity:     Unexpected TCP session establishment by malicious remote input
>
> Fixed:                NetBSD-current:         September 20, 2002
>               NetBSD-1.6 branch:      October 25, 2002
>               NetBSD-1.5 branch:      October 19, 2002
>
>
> Abstract
> ========
>
> FTP proxy module in IPFilter package may not adequately maintain the
> state of FTP commands and responses. As a result, an attacker could
> establish arbitrary TCP connections to FTP servers or clients located
> behind a vulnerable firewall.
>
>
> Technical Details
> =================
>
> http://www.kb.cert.org/vuls/id/328867
>
>
> Solutions and Workarounds
> =========================
>
> The IPFilter package, which is shipped with NetBSD, prior to 3.4.29
> includes the vulnerable FTP proxy module.
>
> Systems enabling both IPFilter and its FTP module are vulnerable.
> IPFilter and the FTP proxy module are not enabled by default.
> Therefore, the default installation of NetBSD is not vulnerable to
> this attack.
>
> Quick workaround:
> Disable FTP proxy module in IP NAT configuration file by removing
> or commenting out the line which includes both "proxy" and "ftp/".
> The default location of the configuration file is /etc/ipnat.conf.
>
> Solution:
> Upgrade of the kernel as well as IPFilter-related userland tools.
>
> The following instructions describe how to upgrade your kernel and IPFilter-
> related binaries by updating your source tree and rebuilding and
> installing a new version.
>
> * NetBSD-current:
>
>       Systems running NetBSD-current dated from before 2002-09-20
>       should be upgraded to NetBSD-current dated 2002-09-20 or later.
>
>       The following directories need to be updated from the
>       netbsd-current CVS branch (aka HEAD):
>               dist/ipf
>               regress/sys/kern/ipf
>               sys/lkm/netinet/if_ipl
>               sys/netinet
>               usr.sbin/ipf
>
>       Update the source files:
>               # cd src
>               # cvs update -d -P dist/ipf
>               # cvs update -d -P regress/sys/kern/ipf
>               # cvs update -d -P sys/lkm/netinet/if_ipl
>               # cvs update -d -P sys/netinet
>               # cvs update -d -P usr.sbin/ipf
>
>       Install the updated include files:
>               # cd src/sys
>               # make includes
>
>       Rebuild the userland tools:
>               # cd src/usr.sbin/ipf
>               # make cleandir dependall
>               # make install
>
>       Rebuild the LKM:
>               # cd src/sys/lkm/netinet
>               # make cleandir dependall
>               # make install
>
>       Rebuild the kernel and reboot:
>               # cd src/sys/ARCH/conf
>               # config FILENAME
>               # cd ../compile/FILENAME
>               # make dependall install
>
>
> * NetBSD 1.6:
>
>       Systems running NetBSD 1.6 dated from before 2002-10-25
>       should be upgraded to NetBSD 1.6 dated 2002-10-25 or later.
>
>       The following directories need to be updated from the
>       netbsd-1-6 CVS branch:
>               dist/ipf
>               regress/sys/kern/ipf
>               sys/lkm/netinet/if_ipl
>               sys/netinet
>               usr.sbin/ipf
>
>       Update the source files:
>               # cd src
>               # cvs update -d -P -r netbsd-1-6 dist/ipf
>               # cvs update -d -P -r netbsd-1-6 regress/sys/kern/ipf
>               # cvs update -d -P -r netbsd-1-6 sys/lkm/netinet/if_ipl
>               # cvs update -d -P -r netbsd-1-6 sys/netinet
>               # cvs update -d -P -r netbsd-1-6 usr.sbin/ipf
>
>       Install the updated include files:
>               # cd src/sys
>               # make includes
>
>       Rebuild the userland tools:
>               # cd src/usr.sbin/ipf
>               # make cleandir dependall
>               # make install
>
>       Rebuild the LKM:
>               # cd src/sys/lkm/netinet
>               # make cleandir dependall
>               # make install
>
>       Rebuild the kernel and reboot:
>               # cd src/sys/ARCH/conf
>               # config FILENAME
>               # cd ../compile/FILENAME
>               # make dependall install
>
>
> * NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:
>
>       Systems running NetBSD 1.5 dated from before 2002-10-19
>       should be upgraded to NetBSD 1.5 dated 2002-10-19 or later.
>
>       The following directories need to be updated from the
>       netbsd-1-5 CVS branch:
>               dist/ipf
>               sys/netinet
>               usr.sbin/ipf
>
>       Update the source files:
>               # cd src
>               # cvs update -d -P -r netbsd-1-5 dist/ipf
>               # cvs update -d -P -r netbsd-1-5 usr.sbin/ipf
>               # cvs update -d -P -r netbsd-1-5 sys/netinet
>
>       Install the updated include files:
>               # cd src/sys
>               # make includes
>
>       Rebuild the userland tools:
>               # cd src/usr.sbin/ipf
>               # make cleandir dependall
>               # make install
>
>       Rebuild the LKM:
>               # cd src/sys/lkm/netinet
>               # make cleandir dependall
>               # make install
>
>       Rebuild the kernel and reboot:
>               # cd src/sys/ARCH/conf
>               # config FILENAME
>               # cd ../compile/FILENAME
>               # make dependall install
>
>
> Thanks To
> =========
>
> Darren Reed
> Martti Kuparinen
>
> Revision History
> ================
>
>       2002-11-04      Initial release
>
>
> More Information
> ================
>
> Advisories may be updated as new information comes to hand.  The most
> recent version of this advisory (PGP signed) can be found at 
>   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-024.txt.asc
>
> Information about NetBSD and NetBSD security can be found at
> http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
>
>
> Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.
>
> $NetBSD: NetBSD-SA2002-024.txt,v 1.15 2002/11/04 23:10:47 itojun Exp $
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: noconv
>
> iQCVAwUBPcb+VD5Ru2/4N2IFAQH++AP+NvptGVWKPhU1T9Ag31towbcsmzm+gqx9
> chjZ+8JUV9cYfcv4aK0ZO8YVpKb3tP99ql+IVkzaOJxMnfayNydA/4FQv8sxta/y
> Hpcr2lkZASIBeDkD4dS1J4bh6dMFOyq1tEKpgsKSz8Cd9cot/uJy0kE99EOhPM4G
> 9RbCB7VSs/g=
> =rk6g
> -----END PGP SIGNATURE-----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards