-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:53 Security Advisory FreeBSD, Inc. Topic: ipfw `me' on P2P interfaces matches remote address Category: core Module: ipfw Announced: 2001-08-17 Credits: Igor M Podlesny Affects: FreeBSD 4-STABLE after February 20, 2001 and prior to the correction date FreeBSD 4.3-RELEASE Corrected: 2001-07-17 10:50:01 UTC (FreeBSD 4.3-STABLE) 2001-07-18 06:56:23 UTC (RELENG_4_3) FreeBSD only: YES I. Background ipfw is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ipfw `me' rules are filter rules that specify a source or destination address of `me', intended to match any IP address configured on a local interface. II. Problem Description A flaw in the implementation of the ipfw `me' rules when used in conjunction with point-to-point interfaces results in filter rules which match the remote IP address of the point-to-point interface in addition to the intended local IP address. III. Impact IP datagrams with a source or destination IP address of a remote point-to-point link may be handled in a way unintended by the system administrator. For example, given an interface such as tun0: flags=8051 mtu 1500 inet 1.1.1.1 --> 2.2.2.2 netmask 0xff000000 and this ipfw rule: 00010 allow ip from me to any packets with a source address of 2.2.2.2 would be allowed to pass when the administrator may have reasonably expected it not to match this rule. IV. Workaround Do not use ipfw `me' rules. Rewrite any existing `me' rules to use explicit IP addresses. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 4.x systems prior to the correction date: The following patches have been verified to apply to FreeBSD 4.3-RELEASE and 4-STABLE dated prior to the correction date. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:53/ipfw.patch.asc # cd /usr/src # patch -p < /path/to/patch # install -c -m 0444 -o root -g wheel /usr/src/sys/netinet/in_var.h /usr/include/netinet/ # cd /usr/src/sbin/ipfw # make depend && make all install The following steps will be different depending upon whether your system has ipfw compiled into the kernel or is using the ipfw KLD. If the output of `kldstat' includes `ipfw.ko', then you are using the KLD and should follow the directions listed in (2a) below. Otherwise, if your kernel configuration file contains the line `options IPFIREWALL', you should follow the directions listed in (2b) below. 2a) Execute the following commands as root: # cd /usr/src/sys/modules/ipfw # make depend && make all install 2b) Rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html In either case 2a) or 2b), you must reboot your system to load the new module or kernel. 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:53/security-patch-ipfw-01.53.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-ipfw-01:53.tgz Restart your system after applying the patch. VI. Correction details The following list contains the $FreeBSD$ revision numbers of each file that was corrected, for the supported branches of FreeBSD. The $FreeBSD$ revision of installed sources can be examined using the ident(1) command. [FreeBSD 4.3-STABLE] Revision Path 1.33.4.1 src/sys/netinet/in_var.h [RELENG_4_3] Revision Path 1.33.2.2 src/sys/netinet/in_var.h VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO32OK1UuHi5z0oilAQGFaAQAoeOYBYHehpMs28K1K4BKneLF4/KBfel/ NGmGslQVe4DHxiIfV2WWyQw1KjH/N8NSOiBsri8+pMZkFaOyBw1Q41vUCd+2pZW1 97qYWj6aWjIlpNm9/zOPnWN6smge4OZ7UCqX1+VsP6nf8VBrEfOYl44hl82oCMk9 S9NvqSOqDsI= =HqMM -----END PGP SIGNATURE-----