OpenBSD Information for VU#328867
Multiple vendors' firewalls do not adequately keep state of FTP traffic
This says OpenBSD, but should not. The problem is in ipf. We told our users for years and years to not use the ipf ftp proxy. That said, we do not have ipf anymore. We've got our own packet filter, pf, which has a userland side proxy agent which is not vulnerable to this at all.
I didn't install an ipf machine, but from looking at the code, I'm pretty sure it's vulnerable to this attack. So I guess the vendor statement could mention that and urge people to upgrade from pre-3.0 versions :) pf is not vulnerable, since it's not aware of the FTP protocol. ftp-proxy is used only for FTP clients behind the firewall. Even if you're running the reverse-ftp-proxy patch (for servers behind pf), it's not vulnerable, since it can't modify pf rules.
OpenBSD >=3.0 uses pf, these notes do not apply to OpenBSD up to 2.9 which used ipf.
In the presence of fragments, it is impossible to fully check the transport checksum without full reassembly (which is also susceptible to a memory resource attack). The OpenBSD PF firewall includes a variety of mechanisms that each can minimize the exposure to not only this attack but a variety of resource starvation attacks:
- The use of the normalizer via a SCRUB rule can resolve many ambiguities in the traffic stream. The normalized traffic results in the identical interpretation of the packet from the end host and the firewall.
- A dynamically resizeable state table which can be tuned during runtime (within the constraints of kernel memory). ipf, which was included up to OpenBSD 2.9, was vulnerable to this attack.
- A choice of several predefined state optimization levels. By enabling the 'Aggressive' state optimization, idle states will be removed from the state table at a much higher rate.
- Run-time control over individual timeouts. The administrator can reduce the 'tcp.first' and the 'udp.first' timeouts to as low as her environment deems acceptable (reducing it below 30s may result in additional log entries as valid connections will start to be expired before the reception of the SYN-ACK).
- The upcoming OpenBSD 3.2 supports the specification of individual timeouts and the limitation of the quantity of states on a per rule granularity. Thus the administrator can limit her overall exposure to a resource starvation attack down to other connections which match the same rule as the attack.
- connection tracking can be enabled or disabled on a per-rule basis, and thus is of course disableable (sp?) completely, too.
For ftp, we have an userland ftp-proxy(8) daemon that is not vulnerable to any of these attacks for the obvious reasons. ipf, which was included up to OpenBSD 2.9, contains a in-kernel ftp proxy which is significantly flawed in this way. However, we did not compile that into the default system because we considered it so flawed.
The vendor has not provided us with any further information regarding this vulnerability.
Versions of OpenBSD prior to 3.0 included IP Filter. See also:
- IP Filter vendor statement
If you have feedback, comments, or additional information about this vulnerability, please send us email.