Date:      Mon, 17 Jun 2002 01:10:24 -0500 (CDT)
From:      Rich Neswold <rneswold@ameritech.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/39396: firewall security loophole
Message-ID:  <20020617061024.074F61A9E1@harpo.neswold.local>


>Number:         39396
>Category:       kern
>Synopsis:       firewall security loophole
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 16 23:20:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Rich Neswold
>Release:        FreeBSD 4.5-RC i386
>Organization:
>Environment:
System: FreeBSD harpo.neswold.local 4.5-RC FreeBSD 4.5-RC #1: Sun Jan 27 02:26:46 CST 2002 toor@groucho.neswold.local:/usr/obj/usr/src/sys/HARPO i386

>Description:

    If you use the FreeBSD firewall and set your kernel security level to 3 (so
    that firewall rules cannot be changed), a malicious user who has gained root
    access can still circumvent the firewall by disabling it via a kernel
    variable (i.e. net.inet.ip.fw.enable = 0).

>How-To-Repeat:

>Fix:

    The attached diffs change the firewall enable variable to have "secure"
    semantics.

Index: sys/netinet/ip_fw.c
===================================================================
RCS file: /home/FreeBSD/src/sys/netinet/ip_fw.c,v
retrieving revision 1.131.2.33
diff -u -w -b -r1.131.2.33 ip_fw.c
--- sys/netinet/ip_fw.c 1 May 2002 21:30:05 -0000       1.131.2.33
+++ sys/netinet/ip_fw.c 3 May 2002 16:49:02 -0000
@@ -95,7 +95,7 @@
 
 #ifdef SYSCTL_NODE
 SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
     &fw_enable, 0, "Enable ipfw");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW, 
     &fw_one_pass, 0, 
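Review bot: CTLFLAG_SECURE refuses writes whenever kern.securelevel is above 0, so this hunk locks `enable` from securelevel 1 upward, not only at the level 3 the description mentions; the commit message should state that, and also the operational consequence that the flag blocks turning the firewall back on as well, so ipfw must be enabled before securelevel is raised at boot. The trailing context shows `one_pass` still declared with CTLFLAG_RW; if the goal is that root at elevated securelevel cannot alter firewall behaviour, the other knobs under net.inet.ip.fw deserve the same review rather than only `enable`.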


Index: sys/netinet6/ip6_fw.c
===================================================================
RCS file: /home/FreeBSD/src/sys/netinet6/ip6_fw.c,v
retrieving revision 1.2.2.9
diff -u -w -b -r1.2.2.9 ip6_fw.c
--- sys/netinet6/ip6_fw.c       28 Apr 2002 05:40:27 -0000      1.2.2.9
+++ sys/netinet6/ip6_fw.c       3 May 2002 16:49:05 -0000
@@ -116,7 +116,7 @@
 #ifdef SYSCTL_NODE
 SYSCTL_DECL(_net_inet6_ip6);
 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
-SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW,
+SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE,
        &ip6_fw_enable, 0, "Enable ip6fw");
 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, debug, CTLFLAG_RW, &fw6_debug, 0, "");
 SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW, &fw6_verbose, 0, "");
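Review bot: The IPv6 change mirrors the IPv4 one, which is good, but the two context lines below it leave `debug` and `verbose` as CTLFLAG_RW. If `verbose` controls ip6fw logging, as its name suggests, root at securelevel > 0 can still switch off the audit trail under exactly the conditions this patch is meant to close; consider giving `verbose` CTLFLAG_SECURE as well, e.g. `SYSCTL_INT(_net_inet6_ip6_fw, OID_AUTO, verbose, CTLFLAG_RW|CTLFLAG_SECURE, &fw6_verbose, 0, "");`.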

>Release-Note:
>Audit-Trail:
>Unformatted:
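As an added illustration, not part of this PR or of FreeBSD itself, a small sh audit that encodes the rule the fix relies on: once net.inet.ip.fw.enable carries CTLFLAG_SECURE it can be written only while kern.securelevel is 0, so a host is protected only if the firewall was already enabled when securelevel was raised. The function names, messages and exit codes are the example's own; fw_audit reads the two sysctls named in the PR and only works on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not part of PR kern/39396 or of FreeBSD.
# Assumed semantics: with CTLFLAG_SECURE (the fix in this PR) a sysctl
# rejects writes whenever kern.securelevel > 0, whether the write would
# turn the firewall off or back on.  Names and exit codes are invented.

# fw_exposure SECURELEVEL FW_ENABLE
#   returns 0 = enabled and locked by securelevel
#           1 = enabled but root can still clear net.inet.ip.fw.enable
#           2 = firewall disabled
fw_exposure() {
    sl=$1
    en=$2
    if [ "$en" -ne 1 ]; then
        if [ "$sl" -gt 0 ]; then
            echo "CRITICAL: ipfw disabled at securelevel $sl; with CTLFLAG_SECURE it cannot be re-enabled without a reboot"
        else
            echo "CRITICAL: ipfw disabled"
        fi
        return 2
    fi
    if [ "$sl" -le 0 ]; then
        echo "WARNING: ipfw enabled but securelevel is $sl; root can still set net.inet.ip.fw.enable=0"
        return 1
    fi
    echo "OK: ipfw enabled and securelevel $sl locks net.inet.ip.fw.enable"
    return 0
}

# Live check on the running kernel (FreeBSD only); 3 = sysctl unavailable.
fw_audit() {
    sl=$(sysctl -n kern.securelevel 2>/dev/null) || return 3
    en=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null) || return 3
    fw_exposure "$sl" "$en"
}
```

Run fw_audit from a periodic job and alert on any non-zero status; the WARNING case is exactly the window this PR's description exploits.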
