Vulnerabilities > CVE-2005-2317 - Unspecified vulnerability in Shorewall
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17, when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, allows remote attackers with an accepted MAC address to bypass other firewall rules or policies.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-849.NASL description 'Supernaut last seen 2020-06-01 modified 2020-06-02 plugin id 19957 published 2005-10-11 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19957 title Debian DSA-849-1 : shorewall - programming error code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-849. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(19957); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2005-2317"); script_xref(name:"DSA", value:"849"); script_name(english:"Debian DSA-849-1 : shorewall - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "'Supernaut' noticed that shorewall, the Shoreline Firewall, could generate an iptables configuration which is significantly more permissive than the rule set given in the shorewall configuration, if MAC verification are used in a non-default manner. When MACLIST_DISPOSITION is set to ACCEPT in the shorewall.conf file, all packets from hosts which fail the MAC verification pass through the firewall, without further checks. When MACLIST_TTL is set to a non-zero value, packets from hosts which pass the MAC verification pass through the firewall, again without further checks." ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=318946" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2005/dsa-849" ); script_set_attribute( attribute:"solution", value: "Upgrade the shorewall package. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 2.2.3-2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:shorewall"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/11"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"shorewall", reference:"2.2.3-2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-197-1.NASL description A firewall bypass vulnerability has been found in shorewall. If MACLIST_TTL was set to a value greater than 0 or MACLIST_DISPOSITION was set to last seen 2020-06-01 modified 2020-06-02 plugin id 20611 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20611 title Ubuntu 4.10 / 5.04 : shorewall vulnerability (USN-197-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-197-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20611); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2005-2317"); script_xref(name:"USN", value:"197-1"); script_name(english:"Ubuntu 4.10 / 5.04 : shorewall vulnerability (USN-197-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "A firewall bypass vulnerability has been found in shorewall. If MACLIST_TTL was set to a value greater than 0 or MACLIST_DISPOSITION was set to 'ACCEPT' in /etc/shorewall/shorewall.conf, and a client was positively identified through its MAC address, that client bypassed all other policies/rules in place. This could allow external computers to get access to ports that are intended to be restricted by the firewall policy. Please note that this does not affect the default configuration, which does not enable MAC based client identification. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"solution", value:"Update the affected shorewall package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:shorewall"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04"); script_set_attribute(attribute:"patch_publication_date", value:"2005/10/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"shorewall", pkgver:"2.0.2-4ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"shorewall", pkgver:"2.0.13-1ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "shorewall"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200507-20.NASL description The remote host is affected by the vulnerability described in GLSA-200507-20 (Shorewall: Security policy bypass) Shorewall fails to enforce security policies if configured with last seen 2020-06-01 modified 2020-06-02 plugin id 19282 published 2005-07-22 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19282 title GLSA-200507-20 : Shorewall: Security policy bypass code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200507-20. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(19282); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-2317"); script_xref(name:"GLSA", value:"200507-20"); script_name(english:"GLSA-200507-20 : Shorewall: Security policy bypass"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200507-20 (Shorewall: Security policy bypass) Shorewall fails to enforce security policies if configured with 'MACLIST_DISPOSITION' set to 'ACCEPT' or 'MACLIST_TTL' set to a value greater or equal to 0. Impact : A client authenticated by MAC address filtering could bypass all security policies, possibly allowing him to gain access to restricted services. The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf Workaround : Set 'MACLIST_TTL' to '0' and 'MACLIST_DISPOSITION' to 'REJECT' in the Shorewall configuration file (usually /etc/shorewall/shorewall.conf)." ); script_set_attribute( attribute:"see_also", value:"http://www.shorewall.net/News.htm#20050717" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200507-20" ); script_set_attribute( attribute:"solution", value: "All Shorewall users should upgrade to the latest available version: # emerge --sync # emerge --ask --oneshot --verbose net-firewall/shorewall" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:shorewall"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/22"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-firewall/shorewall", unaffected:make_list("ge 2.4.2"), vulnerable:make_list("le 2.4.1"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Shorewall"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-123.NASL description A vulnerability was discovered in all versions of shorewall where a client accepted by MAC address filtering is able to bypass any other rule. If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to ACCEPT in shorewall.conf, and a client is positively identified through its MAC address, it bypasses all other policies and rules in place, gaining access to all open services on the firewall. Shorewall 2.0.17 is provided which fixes this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 19267 published 2005-07-21 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19267 title Mandrake Linux Security Advisory : shorewall (MDKSA-2005:123) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:123. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(19267); script_version ("1.17"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2005-2317"); script_xref(name:"MDKSA", value:"2005:123"); script_name(english:"Mandrake Linux Security Advisory : shorewall (MDKSA-2005:123)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered in all versions of shorewall where a client accepted by MAC address filtering is able to bypass any other rule. If MACLIST_TTL is set to a value greater than 0 or MACLIST_DISPOSITION is set to ACCEPT in shorewall.conf, and a client is positively identified through its MAC address, it bypasses all other policies and rules in place, gaining access to all open services on the firewall. Shorewall 2.0.17 is provided which fixes this issue." ); script_set_attribute( attribute:"see_also", value:"http://shorewall.net/News.htm#20050717" ); script_set_attribute( attribute:"solution", value:"Update the affected shorewall and / or shorewall-doc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:shorewall"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:shorewall-doc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:mandrakesoft:mandrake_linux:le2005"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"shorewall-2.0.17-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"shorewall-2.0.17-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"shorewall-doc-2.0.17-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.0", reference:"shorewall-doc-2.0.17-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"shorewall-2.0.17-1.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"shorewall-2.0.17-1.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"shorewall-doc-2.0.17-1.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", cpu:"x86_64", reference:"shorewall-doc-2.0.17-1.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"shorewall-2.0.17-1.1.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"shorewall-2.0.17-1.1.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", reference:"shorewall-doc-2.0.17-1.1.102mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.2", cpu:"x86_64", reference:"shorewall-doc-2.0.17-1.1.102mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://seclists.org/lists/fulldisclosure/2005/Jul/0409.html
- http://secunia.com/advisories/16087
- http://secunia.com/advisories/17110
- http://secunia.com/advisories/17113
- http://shorewall.net/News.htm#20050717
- http://www.debian.org/security/2005/dsa-849
- http://www.gentoo.org/security/en/glsa/glsa-200507-20.xml
- http://www.securityfocus.com/bid/14292
- http://www.ubuntu.com/usn/usn-197-1