NetBSD Information for VU#328867

Multiple vendors' firewalls do not adequately keep state of FTP traffic

Status

Affected

Vendor Statement

I've done some more testing of the proxy and have come to the conclusion that whilst the proxy in ipfilter currently shipped may be vulnerable to the attack described by cert, I don't have an FTP daemon which responds in a manner that makes the attack possible. I've tested against Solaris, SunOS4 and NetBSD. The proxy in 3.4.29 drops the packets that cause the problem with this exploit.

I've tested IPFilter 3.4.27 (same as in -current and is scheduled for 1.6). Whilst this version does allow the sel-ack'd 227 back through, it does not appear to create the necessary state/nat sessions to allow the second data connection through.

In short, IPFilter 3.4.27 does not appear to be vulnerable to *this* exploit. It may be possible to write others which are, but the FTP proxy in IPFilter will progressively become stricter in what it allows, further narrowing opportunities to exploit it in this kind of manner (as can already be seen with 3.4.29.)

[Darren Reed]
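The vendor statement turns on whether a firewall's FTP proxy will accept a 227 (PASV) reply that arrives incomplete or spread across segments and then open a data-channel pinhole for it. The following is an added illustration, written for this page and not IP Filter's own code, of the kind of strict acceptance rule a proxy can apply: it opens a pinhole only for a single, complete, well-formed 227 reply whose advertised address matches the FTP server's own address, and it allows exactly one data connection per reply. The server address and the sample segments are constructed inputs.

```python
import re

# Strict matcher for one complete "227 ... (h1,h2,h3,h4,p1,p2)\r\n" reply.
# \Z (not $) so a stray trailing newline cannot satisfy the end anchor.
PASV_RE = re.compile(
    r"\A227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
    r"(\d{1,3}),(\d{1,3})\)\r\n\Z"
)


def parse_pasv_reply(segment, server_ip):
    """Return (host, port) if `segment` is exactly one well-formed 227 reply
    advertising the server's own address and an unprivileged port.
    Return None otherwise, which means: open no pinhole.

    server_ip is the address of the FTP server as seen on the control
    connection (an assumption of this example)."""
    try:
        text = segment.decode("ascii")
    except UnicodeDecodeError:
        return None

    # Reject partial replies (no CRLF yet) and multi-line segments; a reply
    # split across segments is never accepted piecemeal.
    m = PASV_RE.match(text)
    if m is None or text.count("\n") != 1:
        return None

    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None

    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]

    # Only honour an address that is the server's own; never a third party.
    if host != server_ip:
        return None
    # Never open a pinhole to a privileged port on the server.
    if port < 1024:
        return None
    return host, port


class FtpDataPinholes:
    """Tracks data-channel pinholes derived from accepted 227 replies.
    Each accepted reply permits exactly one data connection."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pending = set()

    def on_control_segment(self, segment):
        """Feed one server-to-client control segment. True if a pinhole opened."""
        hp = parse_pasv_reply(segment, self.server_ip)
        if hp is None:
            return False
        self.pending.add(hp)
        return True

    def allow_data_connection(self, dst_ip, dst_port):
        """Decide whether a client->server data SYN to (dst_ip, dst_port)
        may pass. The pinhole is consumed on first use."""
        key = (dst_ip, dst_port)
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample traffic: a server at 192.0.2.10 (documentation range).
    fw = FtpDataPinholes("192.0.2.10")
    print(fw.on_control_segment(b"227 Entering Passive Mode (192,0,2,10,4,1)\r\n"))  # True
    print(fw.on_control_segment(b"227 Entering Passive Mode (192,0,2,10,4,2)"))      # False: incomplete
    print(fw.allow_data_connection("192.0.2.10", 1025))  # True, once
    print(fw.allow_data_connection("192.0.2.10", 1025))  # False, already used
```

The two checks that matter most for this class of issue are the refusal to act on anything short of a complete single-line reply and the refusal to open a pinhole to any address other than the server that sent the reply; everything else is ordinary input validation.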

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

NetBSD includes IP Filter. Please see:

  • NetBSD Security Advisory 2002-024:
    ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-024.txt.asc
  • OpenBSD vendor statement:
    http://www.kb.cert.org/vuls/id/AAMN-5EQPEF
  • IP Filter vendor statement:
    http://www.kb.cert.org/vuls/id/AAMN-5ERQF6
