Re: TCP Connections to a Broadcast Address on BSD-Based Systems

From: David Maxwell (davidat_private)
Date: Thu Mar 21 2002 - 12:11:45 PST


    On Saturday, Mar 16th, Crist J. Clark sent a message to the bugtraq
    list, with the subject 'TCP Connections to a Broadcast Address on
    BSD-Based Systems'.
    
    Foremost, the NetBSD Security-Officer Team would like to thank Crist for
    following the bugtraq-recommended procedure by contacting the affected
    vendors and giving time to reply before posting. Crist's message did
    start internal discussion about the issue, and vulnerability testing,
    but unfortunately, we managed to fail to send Crist a reply. 
    
    The NetBSD Security-Officer Team is putting additional tools in place to
    track correspondence, and ensure that this does not happen again. Mail
    sent to security-officerat_private should receive a human response
    within 24 hours.
    
    We will release a formal NetBSD Security Advisory for this issue. The
    Advisory will precede pullups of code to the NetBSD 1.4 and 1.5 release
    branches, since a workaround is available without them. Connections to
    broadcast addresses can be blocked with ipfilter rules, such as:
    
    block in quick on fxp0 from any to 192.168.1.0/32
    block in quick on fxp0 from any to 192.168.1.255/32
    
    Use rules like these for the case where fxp0 is the interface you desire
    to block on, and the only address on the interface is in the subnet
    192.168.1.0/24. Rules like this should be repeated for each subnet on
    the interface, for each interface of concern on the host.
    
    Lastly, these rules are needed only on a host where it is intended that
    a particular service is available on some interfaces and not others.
    Where possible, use a daemon with the facility to bind only to specified
    interfaces, and add filter rules as a second layer of protection, if
    desired.
    
    We recommend reviewing current filter rules to ensure they cover the
    intended security model for the networks the host participates in.
    
    					The NetBSD Security-Officer Team
    
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 21 2002 - 16:56:46 PST
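
The message above says the two ipfilter rules must be repeated for each subnet on each interface of concern. The following is an added example, not part of the original message or of NetBSD's code, that generates those rules from an interface-to-subnet map. The function name and the sample interface and address data are assumptions made for illustration; the rule text follows the format quoted in the message.

```python
import ipaddress


def broadcast_block_rules(interfaces):
    """Build ipfilter rules blocking inbound traffic to the network and
    broadcast address of every IPv4 subnet on each interface.

    interfaces: dict of interface name -> list of CIDR strings, given either
    as a network (192.168.1.0/24) or as a host address with its mask
    (192.168.1.10/24). Hypothetical input format chosen for this example.
    """
    rules = []
    for ifname, subnets in interfaces.items():
        seen = set()  # avoid duplicate rules when subnets share an address
        for cidr in subnets:
            # strict=False derives the network from a host address + mask
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4:
                continue  # IPv6 has no broadcast addresses
            if net.prefixlen >= 31:
                continue  # /31 and /32 have no distinct broadcast address
            for addr in (net.network_address, net.broadcast_address):
                if addr in seen:
                    continue
                seen.add(addr)
                rules.append(
                    f"block in quick on {ifname} from any to {addr}/32"
                )
    return rules


if __name__ == "__main__":
    # Constructed sample configuration, not taken from the message.
    sample = {
        "fxp0": ["192.168.1.10/24", "10.0.0.1/30"],
        "fxp1": ["172.16.4.1/22", "192.0.2.1/32"],
    }
    for rule in broadcast_block_rules(sample):
        print(rule)
```

Non-octet-aligned masks such as the /22 and /30 above are where hand-written rules most often miss the real broadcast address, so the output is worth comparing against the broadcast address reported by `ifconfig` for each interface.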