发布时间 :2001-03-26 00:00:00
修订时间 :2008-09-10 15:07:23

[原文]ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection.

[CNNVD]FreeBSD ipfw和ip6fw访问限制绕过漏洞(CNNVD-200103-103)

        FreeBSD 4.2及其之前版本的ipfw和ip6fw存在漏洞。远程攻击者可以通过设置TCP数据包的ECE标志绕过访问限制,该漏洞导致此数据包作为已建立连接的一部分显示出来。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:freebsd:freebsd:4.2FreeBSD 4.2
cpe:/o:freebsd:freebsd:3.1FreeBSD 3.1
cpe:/o:freebsd:freebsd:3.4FreeBSD 3.4
cpe:/o:freebsd:freebsd:4.1.1FreeBSD 4.1.1
cpe:/o:freebsd:freebsd:3.0FreeBSD 3.0
cpe:/o:freebsd:freebsd:3.5.1FreeBSD 3.5.1
cpe:/o:freebsd:freebsd:3.5FreeBSD 3.5
cpe:/o:freebsd:freebsd:3.3FreeBSD 3.3
cpe:/o:freebsd:freebsd:4.0FreeBSD 4.0
cpe:/o:freebsd:freebsd:4.1FreeBSD 4.1

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  XF  ipfw-bypass-firewall(5998)
(UNKNOWN)  BUGTRAQ  20010125 ecepass - proof of concept code for FreeBSD ipfw bypass

- 漏洞信息

FreeBSD ipfw和ip6fw访问限制绕过漏洞
高危 未知
2001-03-26 00:00:00 2005-05-02 00:00:00
        FreeBSD 4.2及其之前版本的ipfw和ip6fw存在漏洞。远程攻击者可以通过设置TCP数据包的ECE标志绕过访问限制,该漏洞导致此数据包作为已建立连接的一部分显示出来。

- 公告与补丁


- 漏洞信息 (20593)

FreeBSD 3.x/4.x ipfw Filtering Evasion Vulnerability (EDBID:20593)
freebsd remote
2001-01-23 Verified
0 Aragon Gouveia
N/A [点击下载]

There exists a serious vulnerability in FreeBSD's implementation of packet filtering for IPv4 and IPv6.

The vulnerability exists in situations where a filtering rule permits packets through if they are part of an established connection.

It is possible for packets that are not part of an established connection to be allowed through. These packets must have the ECE flag set, which is in the TCP reserved options field.

Exploitation of this vulnerability may allow for unauthorized remote access to otherwise protected services.		

- 漏洞信息

Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion
Remote / Network Access Input Manipulation, Misconfiguration
Loss of Integrity
Exploit Public

- 漏洞描述

FreeBSD and Mac OS X contain a flaw that may allow a malicious user to bypass a firewall. The issue is triggered when TCP packets with the ECE flag set are treated as being part of an already established TCP connection. It is possible that the flaw may allow a malicious user to bypass certain ipfw rules resulting in a loss of integrity.

- 时间线

2001-01-23 Unknow
2001-01-25 Unknow

- 解决方案

Upgrade to version FreeBSD 3.5-STABLE, or 4.2-STABLE after the correction date, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): adjust the system's rulesets - express most 'established' rules in terms of a general TCP rule (with no TCP flag qualifications) and a 'setup' rule. Also, FreeBSD has released a patch.

- 相关参考

- 漏洞作者