GLSA 200507-20: Shorewall: Security policy bypass

Severity: low
Title: Shorewall: Security policy bypass
Date: 07/22/2005
Bugs: #99398
ID: 200507-20

Synopsis

A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.

Background

Shorewall is a high level tool for configuring Netfilter, the firewall facility included in the Linux Kernel.

Affected packages

Package                  Vulnerable   Unaffected   Architecture(s)
net-firewall/shorewall   <= 2.4.1     >= 2.4.2     All supported architectures

Description

Shorewall fails to enforce security policies if configured with "MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value greater than or equal to 0.

Impact

A client authenticated by MAC address filtering could bypass all security policies, possibly allowing them to gain access to restricted services. The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL left blank (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf.

Workaround

Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the Shorewall configuration file (usually /etc/shorewall/shorewall.conf).
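As an added example (not part of this advisory or of Shorewall itself), the following POSIX shell script reads the two settings named in the workaround from a shorewall.conf and reports whether they match it; the configuration files it creates are constructed samples, not real system files.

```sh
#!/bin/sh
# Added example, not part of the GLSA: check a shorewall.conf against the
# workaround above (MACLIST_DISPOSITION=REJECT, MACLIST_TTL blank or 0).

# Print the last uncommented value of KEY in CONF, with quotes and whitespace
# stripped; prints nothing if the key is absent or blank.
shorewall_setting() {
    key="$1"; conf="$2"
    sed -n "s/^[[:space:]]*${key}=//p" "$conf" | tail -n 1 \
        | sed "s/^[\"']//; s/[\"']\$//" | tr -d '[:space:]'
}

# Return 0 when CONF matches the advisory workaround, 1 otherwise.
# An absent key is treated as the default the advisory states
# (REJECT and blank, blank being equivalent to 0).
shorewall_maclist_check() {
    conf="$1"; status=0
    disp=$(shorewall_setting MACLIST_DISPOSITION "$conf")
    ttl=$(shorewall_setting MACLIST_TTL "$conf")
    if [ "${disp:-REJECT}" != "REJECT" ]; then
        echo "$conf: MACLIST_DISPOSITION=$disp (workaround expects REJECT)"
        status=1
    fi
    if [ "${ttl:-0}" != "0" ]; then
        echo "$conf: MACLIST_TTL=$ttl (workaround expects 0 or blank)"
        status=1
    fi
    return $status
}

# Write a constructed shorewall.conf excerpt to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp); printf '%s\n' "$@" > "$f"; echo "$f"
}

# Two constructed samples: one matching the workaround, one carrying the
# settings the advisory describes as letting MAC-authenticated clients bypass policy.
SAFE_CONF=$(make_sample_conf '# constructed excerpt' 'MACLIST_DISPOSITION=REJECT' 'MACLIST_TTL=')
RISKY_CONF=$(make_sample_conf '# constructed excerpt' 'MACLIST_DISPOSITION="ACCEPT"' 'MACLIST_TTL=60')
trap 'rm -f "$SAFE_CONF" "$RISKY_CONF"' EXIT

for c in "$SAFE_CONF" "$RISKY_CONF"; do
    shorewall_maclist_check "$c" && echo "$c: matches the advisory workaround"
done
```

On a real host, point shorewall_maclist_check at /etc/shorewall/shorewall.conf; a non-zero exit status means at least one of the two settings differs from the workaround.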

Resolution

All Shorewall users should upgrade to the latest available version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-firewall/shorewall

References

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200507-20.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2010 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Thank you!