Shorewall: Security policy bypass — GLSA 200507-20

A vulnerability in Shorewall allows clients authenticated by MAC address filtering to bypass all other security rules.

Affected packages

net-firewall/shorewall on all architectures
Affected versions <= 2.4.1
Unaffected versions >= 2.4.2

Background

Shorewall is a high level tool for configuring Netfilter, the firewall facility included in the Linux Kernel.

Description

Shorewall fails to enforce security policies if configured with "MACLIST_DISPOSITION" set to "ACCEPT" or "MACLIST_TTL" set to a value greater or equal to 0.

Impact

A client authenticated by MAC address filtering could bypass all security policies, possibly allowing him to gain access to restricted services. The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf

Workaround

Set "MACLIST_TTL" to "0" and "MACLIST_DISPOSITION" to "REJECT" in the Shorewall configuration file (usually /etc/shorewall/shorewall.conf).

Resolution

All Shorewall users should upgrade to the latest available version:

 # emerge --sync
 # emerge --ask --oneshot --verbose net-firewall/shorewall

References

Release date
July 22, 2005

Latest revision
September 14, 2005: 02

Severity
low

Exploitable
remote

Bugzilla entries