NetBSD Security Advisory 2002-024: IPFilter FTP proxy

From: NetBSD Security Officer (security-officerat_private)
Date: Mon Nov 04 2002 - 15:36:15 PST

  • Next message: deadbeatat_private: "Oracle iSQL*Plus buffer Overflow.." 

    -----BEGIN PGP SIGNED MESSAGE-----


		 NetBSD Security Advisory 2002-024
		 =================================

Topic:		IPFilter FTP proxy

Version:	NetBSD-current:	source prior to September 20, 2002
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected

Severity:	Unexpected TCP session establishment by malicious remote input

Fixed:		NetBSD-current:		September 20, 2002
		NetBSD-1.6 branch:	October 25, 2002
		NetBSD-1.5 branch:	October 19, 2002


Abstract
========

FTP proxy module in IPFilter package may not adequately maintain the
state of FTP commands and responses. As a result, an attacker could
establish arbitrary TCP connections to FTP servers or clients located
behind a vulnerable firewall.


Technical Details
=================

http://www.kb.cert.org/vuls/id/328867


Solutions and Workarounds
=========================

The IPFilter package, which is shipped with NetBSD, prior to 3.4.29
includes the vulnerable FTP proxy module.

Systems enabling both IPFilter and its FTP module are vulnerable.
IPFilter and the FTP proxy module are not enabled by default.
Therefore, the default installation of NetBSD is not vulnerable to
this attack.

Quick workaround:
Disable FTP proxy module in IP NAT configuration file by removing
or commenting out the line which includes both "proxy" and "ftp/".
The default location of the configuration file is /etc/ipnat.conf.

Solution:
Upgrade of the kernel as well as IPFilter-related userland tools.

The following instructions describe how to upgrade your kernel and IPFilter-
related binaries by updating your source tree and rebuilding and
installing a new version.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2002-09-20
	should be upgraded to NetBSD-current dated 2002-09-20 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		dist/ipf
		regress/sys/kern/ipf
		sys/lkm/netinet/if_ipl
		sys/netinet
		usr.sbin/ipf

	Update the source files:
		# cd src
		# cvs update -d -P dist/ipf
		# cvs update -d -P regress/sys/kern/ipf
		# cvs update -d -P sys/lkm/netinet/if_ipl
		# cvs update -d -P sys/netinet
		# cvs update -d -P usr.sbin/ipf

	Install the updated include files:
		# cd src/sys
		# make includes

	Rebuild the userland tools:
		# cd src/usr.sbin/ipf
		# make cleandir dependall
		# make install

	Rebuild the LKM:
		# cd src/sys/lkm/netinet
		# make cleandir dependall
		# make install

	Rebuild the kernel and reboot:
		# cd src/sys/ARCH/conf
		# config FILENAME
		# cd ../compile/FILENAME
		# make dependall install


* NetBSD 1.6:

	Systems running NetBSD 1.6 dated from before 2002-10-25
	should be upgraded to NetBSD 1.6 dated 2002-10-25 or later.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		dist/ipf
		regress/sys/kern/ipf
		sys/lkm/netinet/if_ipl
		sys/netinet
		usr.sbin/ipf

	Update the source files:
		# cd src
		# cvs update -d -P -r netbsd-1-6 dist/ipf
		# cvs update -d -P -r netbsd-1-6 regress/sys/kern/ipf
		# cvs update -d -P -r netbsd-1-6 sys/lkm/netinet/if_ipl
		# cvs update -d -P -r netbsd-1-6 sys/netinet
		# cvs update -d -P -r netbsd-1-6 usr.sbin/ipf

	Install the updated include files:
		# cd src/sys
		# make includes

	Rebuild the userland tools:
		# cd src/usr.sbin/ipf
		# make cleandir dependall
		# make install

	Rebuild the LKM:
		# cd src/sys/lkm/netinet
		# make cleandir dependall
		# make install

	Rebuild the kernel and reboot:
		# cd src/sys/ARCH/conf
		# config FILENAME
		# cd ../compile/FILENAME
		# make dependall install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	Systems running NetBSD 1.5 dated from before 2002-10-19
	should be upgraded to NetBSD 1.5 dated 2002-10-19 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		dist/ipf
		sys/netinet
		usr.sbin/ipf

	Update the source files:
		# cd src
		# cvs update -d -P -r netbsd-1-5 dist/ipf
		# cvs update -d -P -r netbsd-1-5 usr.sbin/ipf
		# cvs update -d -P -r netbsd-1-5 sys/netinet

	Install the updated include files:
		# cd src/sys
		# make includes

	Rebuild the userland tools:
		# cd src/usr.sbin/ipf
		# make cleandir dependall
		# make install

	Rebuild the LKM:
		# cd src/sys/lkm/netinet
		# make cleandir dependall
		# make install

	Rebuild the kernel and reboot:
		# cd src/sys/ARCH/conf
		# config FILENAME
		# cd ../compile/FILENAME
		# make dependall install


Thanks To
=========

Darren Reed
Martti Kuparinen

Revision History
================

	2002-11-04	Initial release


More Information
================

Advisories may be updated as new information comes to hand.  The most
recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-024.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2002, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2002-024.txt,v 1.15 2002/11/04 23:10:47 itojun Exp $


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPcb+VD5Ru2/4N2IFAQH++AP+NvptGVWKPhU1T9Ag31towbcsmzm+gqx9
chjZ+8JUV9cYfcv4aK0ZO8YVpKb3tP99ql+IVkzaOJxMnfayNydA/4FQv8sxta/y
Hpcr2lkZASIBeDkD4dS1J4bh6dMFOyq1tEKpgsKSz8Cd9cot/uJy0kE99EOhPM4G
9RbCB7VSs/g=
=rk6g
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Sat Nov 09 2002 - 06:07:36 PST