CVE-2005-2317
CVSS 7.5
Published: 2005-07-19 00:00:00
Last revised: 2008-09-05 16:51:27

[Original] Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17, when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, allows remote attackers with an accepted MAC address to bypass other firewall rules or policies.


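[CNNVD] Shorewall MACLIST firewall security rule bypass vulnerability (CNNVD-200507-222)

        Shorewall is an open-source firewall configuration tool for Linux systems.
        Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17 contain a security restriction bypass vulnerability.
        When MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, a remote attacker using a MAC address accepted by the rules can bypass the firewall's other rules or policies.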

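- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)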

cpe:/a:shorewall:shorewall:2.0.2c
cpe:/a:shorewall:shorewall:2.0.3
cpe:/a:shorewall:shorewall:2.0.3c
cpe:/a:shorewall:shorewall:2.0.2
cpe:/a:shorewall:shorewall:2.0.2d
cpe:/a:shorewall:shorewall:2.0.15
cpe:/a:shorewall:shorewall:2.0.0b
cpe:/a:shorewall:shorewall:2.0.2e
cpe:/a:shorewall:shorewall:2.0.2b
cpe:/a:shorewall:shorewall:2.0.1
cpe:/a:shorewall:shorewall:2.4.0_rc2
cpe:/a:shorewall:shorewall:2.4.0
cpe:/a:shorewall:shorewall:2.0.6
cpe:/a:shorewall:shorewall:2.0.5
cpe:/a:shorewall:shorewall:2.0.4
cpe:/a:shorewall:shorewall:2.2.0
cpe:/a:shorewall:shorewall:2.0.2a
cpe:/a:shorewall:shorewall:2.0.2f
cpe:/a:shorewall:shorewall:2.2.1
cpe:/a:shorewall:shorewall:2.0.3a
cpe:/a:shorewall:shorewall:2.2.3
cpe:/a:shorewall:shorewall:2.0.11
cpe:/a:shorewall:shorewall:2.2.2
cpe:/a:shorewall:shorewall:2.0.9
cpe:/a:shorewall:shorewall:2.0.7
cpe:/a:shorewall:shorewall:2.0.13
cpe:/a:shorewall:shorewall:2.4.0_rc1
cpe:/a:shorewall:shorewall:2.0.0
cpe:/a:shorewall:shorewall:2.0.12
cpe:/a:shorewall:shorewall:2.2.4
cpe:/a:shorewall:shorewall:2.0.10
cpe:/a:shorewall:shorewall:2.0.14
cpe:/a:shorewall:shorewall:2.0.8
cpe:/a:shorewall:shorewall:2.0.0a
cpe:/a:shorewall:shorewall:2.0.3b
cpe:/a:shorewall:shorewall:2.0.16

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2317
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2317
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-222
(official data source) CNNVD

- Other links and resources

http://shorewall.net/News.htm#20050717
(VENDOR_ADVISORY)  CONFIRM  http://shorewall.net/News.htm#20050717
http://secunia.com/advisories/16087
(VENDOR_ADVISORY)  SECUNIA  16087
http://seclists.org/lists/fulldisclosure/2005/Jul/0409.html
(VENDOR_ADVISORY)  FULLDISC  20050718 Shorewall MACLIST Problem
http://www.ubuntu.com/usn/usn-197-1
(UNKNOWN)  UBUNTU  USN-197-1
http://www.securityfocus.com/bid/14292
(UNKNOWN)  BID  14292
http://www.gentoo.org/security/en/glsa/glsa-200507-20.xml
(UNKNOWN)  GENTOO  GLSA-200507-20
http://www.debian.org/security/2005/dsa-849
(UNKNOWN)  DEBIAN  DSA-849
http://secunia.com/advisories/17113
(UNKNOWN)  SECUNIA  17113
http://secunia.com/advisories/17110
(UNKNOWN)  SECUNIA  17110

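- Vulnerability information

Shorewall MACLIST firewall security rule bypass vulnerability
High risk    Design error
2005-07-19 00:00:00 2005-10-20 00:00:00
Remote
        Shorewall is an open-source firewall configuration tool for Linux systems.
        Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17 contain a security restriction bypass vulnerability.
        When MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, a remote attacker using a MAC address accepted by the rules can bypass the firewall's other rules or policies.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://shorewall.net/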

- Vulnerability information (F40521)

Debian Linux Security Advisory 849-1 (PacketStormID:F40521)
2005-10-08 00:00:00
Debian  security.debian.org
advisory
linux,debian
CVE-2005-2317

Debian Security Advisory DSA 849-1 - Supernaut noticed that shorewall, the Shoreline Firewall, could generate an iptables configuration which is significantly more permissive than the rule set given in the shorewall configuration, if MAC verification is used in a non-default manner.

--------------------------------------------------------------------------
Debian Security Advisory DSA 849-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 8th, 2005                       http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : shorewall
Vulnerability  : programming error
Problem type   : remote
Debian-specific: no
CVE ID         : CAN-2005-2317
Debian Bug     : 318946

"Supernaut" noticed that shorewall, the Shoreline Firewall, could
generate an iptables configuration which is significantly more
permissive than the rule set given in the shorewall configuration, if
MAC verification is used in a non-default manner.

When MACLIST_DISPOSITION is set to ACCEPT in the shorewall.conf file,
all packets from hosts which fail the MAC verification pass through
the firewall, without further checks.  When MACLIST_TTL is set to a
non-zero value, packets from hosts which pass the MAC verification
pass through the firewall, again without further checks.

The old stable distribution (woody) is not affected by this problem.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.3-2.

For the unstable distribution (sid) this problem has been fixed in
version 2.4.1-2.

We recommend that you upgrade your shorewall package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/shorewall/shorewall_2.2.3-2.dsc
      Size/MD5 checksum:      656 a280401e705da1a93b31e2b0d6abafb9
    http://security.debian.org/pool/updates/main/s/shorewall/shorewall_2.2.3-2.diff.gz
      Size/MD5 checksum:    34181 e6d35af167daece754b263fb77285960
    http://security.debian.org/pool/updates/main/s/shorewall/shorewall_2.2.3.orig.tar.gz
      Size/MD5 checksum:   126841 df114b25a419d77915598de5844b423e

  Architecture independent components:

    http://security.debian.org/pool/updates/main/s/shorewall/shorewall_2.2.3-2_all.deb
      Size/MD5 checksum:   151538 556f925a3f6393e1b7376686c1796d89


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


- Vulnerability information (F38840)

Gentoo Linux Security Advisory 200507-20 (PacketStormID:F38840)
2005-07-22 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2005-2317

Gentoo Linux Security Advisory GLSA 200507-20 - Shorewall fails to enforce security policies if configured with MACLIST_DISPOSITION set to ACCEPT or MACLIST_TTL set to a value greater or equal to 0. Versions less than 2.4.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200507-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Shorewall: Security policy bypass
      Date: July 22, 2005
      Bugs: #99398
        ID: 200507-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Shorewall allows clients authenticated by MAC
address filtering to bypass all other security rules.

Background
==========

Shorewall is a high level tool for configuring Netfilter, the firewall
facility included in the Linux Kernel.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  net-firewall/shorewall       < 2.4.1                    *>= 2.2.5
                                                              >= 2.4.1

Description
===========

Shorewall fails to enforce security policies if configured with
"MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value
greater or equal to 0.

Impact
======

A client authenticated by MAC address filtering could bypass all
security policies, possibly allowing him to gain access to restricted
services.

Workaround
==========

Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the
Shorewall configuration file (usually /etc/shorewall/shorewall.conf).

Resolution
==========

All Shorewall users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-firewall/shorewall

References
==========

  [ 1 ] CAN-2005-2317
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2317
  [ 2 ] Shorewall Announcement
        http://www.shorewall.net/News.htm#20050717

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200507-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


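- Vulnerability information

18005
Shorewall MACLIST_TTL Authenticated User Ruleset Bypass

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-07-17 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information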

Shorewall MACLIST Firewall Rules Bypass Vulnerability
Design Error 14292
Yes No
2005-07-18 12:00:00 2009-07-12 04:06:00
Supernaut <supernaut@ns.sympatico.ca> reported this vulnerability to the vendor.

- Affected software versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Shorewall Shorewall 2.4.1
Shorewall Shorewall 2.4.0
Shorewall Shorewall 2.2.5
Shorewall Shorewall 2.2.4
Shorewall Shorewall 2.2.3
Shorewall Shorewall 2.2.2
Shorewall Shorewall 2.2.1
Shorewall Shorewall 2.2.0
Shorewall Shorewall 2.0.17
Shorewall Shorewall 2.0.16
Shorewall Shorewall 2.0.15
Shorewall Shorewall 2.0.14
Shorewall Shorewall 2.0.13
Shorewall Shorewall 2.0.12
Shorewall Shorewall 2.0.11
Shorewall Shorewall 2.0.10
Shorewall Shorewall 2.0.9
Shorewall Shorewall 2.0.8
Shorewall Shorewall 2.0.7
Shorewall Shorewall 2.0.6
Shorewall Shorewall 2.0.5
Shorewall Shorewall 2.0.4
Shorewall Shorewall 2.0.3 c
Shorewall Shorewall 2.0.3 b
Shorewall Shorewall 2.0.3 a
Shorewall Shorewall 2.0.3
Shorewall Shorewall 2.0.2
Shorewall Shorewall 2.0.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
Shorewall Shorewall 2.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Shorewall Shorewall 2.4.2
+ Gentoo Linux

- Unaffected software versions

Shorewall Shorewall 2.4.2
+ Gentoo Linux

- Vulnerability discussion

Shorewall is susceptible to a firewall rules bypass vulnerability. This issue is due to a failure of the software to properly implement expected firewall rules for MAC address-based filtering.

This issue arises when 'MACLIST_TTL' is greater than 0, or 'MACLIST_DISPOSITION' is configured as 'ACCEPT'.

This vulnerability allows attackers to bypass firewall rules, letting them attack protected services and computers without further restriction.

This issue also leads to a false sense of security by firewall administrators.
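
An added example (not from any of the advisories quoted on this page): a small Python audit of shorewall.conf for the two triggering settings, gated on the affected upstream version ranges from the CVE description. The function names and the sample configuration are constructed for illustration, and an unset or empty MACLIST_TTL is assumed to mean 0.

```python
import re

# First fixed release per affected branch, as listed in the CVE description.
FIXED = {(2, 0): 17, (2, 2): 5, (2, 4): 1}

def parse_conf(text):
    """Parse shell-style KEY=value lines from shorewall.conf text."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (simplified)
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def version_affected(version):
    """True if an upstream version is in an affected branch, below its fix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def audit(conf_text, version):
    """Return findings for the triggering MACLIST settings, if any."""
    if not version_affected(version):
        return []
    s = parse_conf(conf_text)
    findings = []
    ttl = s.get("MACLIST_TTL", "")
    # Assumption: an unset or empty MACLIST_TTL is treated as 0.
    if ttl.isdigit() and int(ttl) > 0:
        findings.append(f"MACLIST_TTL={ttl}: set to 0 until upgraded")
    if s.get("MACLIST_DISPOSITION", "").upper() == "ACCEPT":
        findings.append("MACLIST_DISPOSITION=ACCEPT: set to REJECT until upgraded")
    return findings

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """\
# /etc/shorewall/shorewall.conf (excerpt)
MACLIST_DISPOSITION=ACCEPT   # constructed value
MACLIST_TTL="60"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "2.2.4"):
        print(finding)
```

Distribution packages may carry the fix under an older upstream number (the Debian advisory lists 2.2.3-2 as fixed), so the version gate applies to upstream builds only.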

- Exploit

An exploit is not required.

- Solution

The vendor has provided replacement script files to address this issue. Shorewall 2.4.2 also addresses the issue.

Mandriva advisory MDKSA-2005:123 is available to address this issue. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200507-20:02 to address this issue. Users of affected packages are urged to execute the following with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose net-firewall/shorewall

Please see the referenced advisory for further information.

Debian GNU/Linux has released advisory DSA 849-1, along with fixes to address this issue. Please see the referenced advisory for further information.

Ubuntu has released advisory USN-197-1 to address this issue. Please see the referenced advisory for more information.
