ipfw and ip6fw in FreeBSD 4.2 and earlier allow remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection.
There exists a serious vulnerability in FreeBSD's packet filters for IPv4 (ipfw) and IPv6 (ip6fw).
The vulnerability affects rulesets in which a filtering rule permits packets through if they are part of an established connection.
Packets that are not part of an established connection can be allowed through by such a rule. These packets must have the ECE flag set; ECE occupies one of the bits that RFC 793 reserved in the TCP header and that RFC 3168 later assigned to ECN (ECN-Echo), so an ECN-capable SYN legitimately carries it.
Exploitation of this vulnerability may allow unauthorized remote access to otherwise protected services.
Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion
Remote / Network Access
Loss of Integrity
FreeBSD and Mac OS X contain a flaw that may allow a malicious user to bypass a firewall. The issue is triggered when TCP packets with the ECE flag set are treated as part of an already established TCP connection. The flaw may allow a malicious user to bypass certain ipfw rules, resulting in a loss of integrity.
Upgrade to FreeBSD 3.5-STABLE or 4.2-STABLE dated after the correction date, which are reported to fix this vulnerability. It is also possible to work around the flaw by adjusting the system's rulesets: express most 'established' rules as a general TCP rule (with no TCP flag qualifications) together with a 'setup' rule, so that no rule's outcome depends on matching TCP flags other than SYN/ACK. FreeBSD has also released a patch.
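The following C program is an added example, not code from the advisory or from FreeBSD's filter, illustrating the rule semantics described above: it parses the flags byte out of a constructed TCP header, implements the correct 'established' test (ACK or RST), a model of the reported misbehaviour (a segment with ECE set treated as established, written here purely to reproduce the effect the advisory describes, not the actual defect in ip_fw.c), the 'setup' test, and the two ruleset shapes (an 'established' rule versus the advisory's general-TCP-plus-'setup' workaround). The header bytes, port numbers, function names and rule shapes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Control bits as laid out in byte 13 of the TCP header: the RFC 793 bits
   plus the two ECN bits that RFC 3168 carved out of the reserved field. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo, formerly reserved */
#define TH_CWR  0x80   /* Congestion Window Reduced, formerly reserved */

/* Read the flags byte of a raw TCP header; 0 for a truncated header. */
uint8_t tcp_flags(const uint8_t *hdr, size_t len)
{
    return len < 20 ? 0 : hdr[13];
}

/* Constructed 20-byte header (ports 40000 -> 22, checksum left zero) with the
   requested flags byte. Sample data for this example, not a real capture. */
size_t build_tcp_header(uint8_t *out, uint8_t flags)
{
    static const uint8_t tmpl[20] = {
        0x9c, 0x40, 0x00, 0x16,          /* src port 40000, dst port 22 */
        0x00, 0x00, 0x00, 0x01,          /* sequence number */
        0x00, 0x00, 0x00, 0x00,          /* acknowledgement number */
        0x50, 0x00, 0xff, 0xff,          /* data offset 5, flags, window */
        0x00, 0x00, 0x00, 0x00           /* checksum (not computed), urg ptr */
    };
    memcpy(out, tmpl, sizeof tmpl);
    out[13] = flags;
    return sizeof tmpl;
}

/* Correct 'established': ACK or RST set; the ECN bits are ignored. */
int is_established(uint8_t flags)
{
    return (flags & (TH_ACK | TH_RST)) != 0;
}

/* Model of the reported misbehaviour: ECE alone counts as established.
   Reproduces the described effect only; not FreeBSD's filter source. */
int is_established_ece_bug(uint8_t flags)
{
    return (flags & (TH_ACK | TH_RST | TH_ECE)) != 0;
}

/* 'setup': SYN without ACK, i.e. a connection-opening segment. */
int is_setup(uint8_t flags)
{
    return (flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Inbound verdict (1 allow, 0 deny) for
       allow tcp from any to <host> established
       deny  tcp from any to <host>
   evaluated with the supplied 'established' predicate. */
int verdict_established_ruleset(uint8_t flags, int (*established)(uint8_t))
{
    return established(flags) ? 1 : 0;
}

/* Inbound verdict for the advisory's workaround shape
       deny  tcp from any to <host> setup in
       allow tcp from any to <host>
   No rule inspects ECE or CWR, so the reserved bits cannot change the result. */
int verdict_workaround_ruleset(uint8_t flags)
{
    return is_setup(flags) ? 0 : 1;
}

/* Build a header with the given flags and parse the flags byte back out. */
uint8_t flags_roundtrip(uint8_t flags)
{
    uint8_t hdr[20];
    size_t n = build_tcp_header(hdr, flags);
    return tcp_flags(hdr, n);
}

int main(void)
{
    struct { const char *name; uint8_t flags; } samples[] = {
        { "SYN (plain connection attempt)", TH_SYN },
        { "SYN|ECE|CWR (ECN-capable SYN)",  TH_SYN | TH_ECE | TH_CWR },
        { "ECE only (no ACK/RST)",          TH_ECE },
        { "ACK (mid-connection segment)",   TH_ACK },
    };
    printf("%-32s %-6s %-8s %s\n", "segment", "buggy", "correct", "workaround");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t f = flags_roundtrip(samples[i].flags);
        printf("%-32s %-6s %-8s %s\n", samples[i].name,
               verdict_established_ruleset(f, is_established_ece_bug) ? "allow" : "deny",
               verdict_established_ruleset(f, is_established) ? "allow" : "deny",
               verdict_workaround_ruleset(f) ? "allow" : "deny");
    }
    return 0;
}
```

The row worth staring at is SYN|ECE|CWR: it is exactly what an ECN-capable host sends to open a connection, so an attacker needs nothing exotic. Under the modelled misbehaviour it passes an 'established' rule and can open a connection to a protected service; under the correct predicate it is denied; under the workaround ruleset it is caught by the 'setup' rule regardless of what the reserved bits contain. Note that both the correct 'established' rule and the workaround still let an ECE-only segment with no ACK or RST through, since neither shape was ever meant to filter on those bits; that segment cannot open a connection, but it can reach the host and elicit a RST, which is why the advisory describes the impact as access rather than merely probing.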