IP Filter Information for VU#328867

Multiple vendors' firewalls do not adequately keep state of FTP traffic

Status

Affected

Vendor Statement

IPFilter FTP update.
====================

Synopsis: In-kernel FTP proxy allows access to other ports on FTP server.

Versions affected: All prior to 3.4.29

Affected use: proxying to ftp servers.

Recommended Action: Upgrade to 3.4.29 if running a version prior and
                    using proxy function to provide FTP server access.
Details.
--------
It is possible to fool the ftp proxy in earlier versions of IPFilter
into thinking that retransmitted text from the ftp server (or client)
is a new response and should be processed as such.

For people using the inbuilt proxy in the kernel to provide access to
ftp servers, this can be used to open up access to any port on the ftp
server.  For this to be a problem, your ftp server must respond in a
manner that essentially echoes, verbatim, text sent to it on the end
of a line.  See below for a list of known good/bad FTP daemons.  If
yours isn't known to be good or bad then you are best assuming that
it is bad.

Monitoring.
-----------
If you cannot upgrade immediately, or would otherwise like to make sure
you can "keep tabs" on this problem, despite the state/nat table entries
not being created by a rule, they can still be logged.  If you are using
ipmon to record all log transactions (-a), its output will include NAT &
state table entries created to enable the rogue connection through.  If
you are not collecting log information on NAT or state transactions, you
can enable this by adding "-a" to ipmon's command line options at startup
or optionally, record this information to a separate file (with a
recommended separate .pid file) like this:

ipmon -P /var/run/ipmon-extra.pid -o NS /var/log/ipfnatstate

Workarounds.
------------
If you cannot upgrade IPFilter, you are advised to examine how your FTP
server software behaves.  Known safe FTP server software, in this regard
are:

+ ftpd in Sun Solaris/SunOS
+ ftpd in FreeBSD (up to and including 4.5)
+ ftpd in OpenBSD (up to and including 3.1)
+ wsftpd

FTP server software that is known to support this attack:

+ proftpd
+ warftpd
+ serv-u
+ pureftpd
+ publicfile
+ ftpd in NetBSD (up to and including 1.6)

Another safe workaround is to use a user-space ftp proxy, such as that
provided with the Firewall Toolkit.  Discussion of how to do this is
beyond the scope of this document.
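
As an added example, not part of the vendor statement or of IPFilter itself, the following Python script applies the monitoring advice above: it scans ipmon NAT/state log lines for entries created toward an FTP server on a port other than the control port or the daemon's passive data range, which is where the rogue entries the statement describes would show up. The exact ipmon column layout, the server address and the passive range are constructed assumptions; adjust them to your ipmon version and FTP configuration.

```python
import re
from typing import Iterator, Optional, Tuple

# Constructed sample ipmon lines (NAT and state events as logged with
# "ipmon -a" or "ipmon -o NS").  The column layout is an assumption
# modelled on ipmon's "NAT:MAP a,p <- -> b,q [c,r]" and
# "STATE:NEW a,p -> b,q PR tcp" output; adjust the regexes if yours differs.
SAMPLE_LOG = """\
08/10/2002 10:59:53.091919 @0:1 NAT:RDR 10.0.0.5,1032 <- -> 203.0.113.2,1032 [198.51.100.7,21]
08/10/2002 10:59:54.120003 @0:1 STATE:NEW 10.0.0.5,1032 -> 198.51.100.7,21 PR tcp
08/10/2002 10:59:58.400001 @0:1 STATE:NEW 10.0.0.5,1040 -> 198.51.100.7,49152 PR tcp
08/10/2002 11:00:02.776000 @0:1 STATE:NEW 10.0.0.5,1041 -> 198.51.100.7,22 PR tcp
08/10/2002 11:00:05.000000 @0:1 NAT:RDR 10.0.0.5,1042 <- -> 203.0.113.2,1042 [198.51.100.7,6000]
"""

# Assumed site configuration: the FTP server(s) the proxy fronts, and the
# only ports the proxy should ever open toward them (control port 21 plus
# the daemon's configured passive data range).
FTP_SERVERS = {"198.51.100.7"}
ALLOWED_PORTS = {21} | set(range(49152, 65536))

STATE_RE = re.compile(r"STATE:NEW \S+,\d+ -> (\S+),(\d+) PR tcp")
NAT_RE = re.compile(r"NAT:(?:MAP|RDR) \S+,\d+ <- -> \S+,\d+ \[(\S+),(\d+)\]")


def target_of(line: str) -> Optional[Tuple[str, int]]:
    """Return (destination_ip, destination_port) for a state or NAT line,
    or None for lines that are neither."""
    m = STATE_RE.search(line) or NAT_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def rogue_entries(log_text: str) -> Iterator[str]:
    """Yield lines whose destination is one of our FTP servers on a port the
    proxy has no legitimate reason to open; these are the NAT/state entries
    the vendor says ipmon records when the proxy has been fooled."""
    for line in log_text.splitlines():
        target = target_of(line)
        if target and target[0] in FTP_SERVERS and target[1] not in ALLOWED_PORTS:
            yield line


if __name__ == "__main__":
    for hit in rogue_entries(SAMPLE_LOG):
        print("suspicious proxy entry:", hit)
```

On a live system, feed it the file written by the `ipmon -o NS` command above rather than the embedded sample.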

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

IP Filter (ipf) is included with FreeBSD and NetBSD, although ipfw is the more commonly used default firewall on FreeBSD. Please see:

  • OpenBSD vendor statement
    http://www.kb.cert.org/vuls/id/AAMN-5EQPEF
  • NetBSD vendor statement
    http://www.kb.cert.org/vuls/id/AAMN-5ERP4W