J-Security Center

Title: IPFilter Firewall Race Condition Vulnerability

Severity: HIGH

Description:

If IPFilter rulesets are constructed such that "return-rst" and "keep state" overlap, e.g.:

    block return-rst in proto tcp from A to V
    pass out proto tcp from V' to A' keep state

where A, A', V and V' are hostmasks that can include "any", the attacker matches A and A', and the victim matches V and V', the attacker may exploit a race condition in the state table generation code. The race results from a fault in fr_addstate(), which creates a new state entry for the outgoing RST packet generated by the "return-rst" rule. If a new SYN packet arrives before the state entry created by the RST expires, that entry allows the SYN to pass through the firewall, and the explicit permissiveness of a "pass out all keep state" or similar rule then allows the SYN-ACK and all subsequent ACKs to create new state entries. The attacker merely needs to ignore the RSTs being sent to him and continue to attack the victim.
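
The following is an added illustration, not code from this advisory or from IPFilter itself: a small Python model of a stateful packet filter that reproduces the interaction described above. Its rule matching is a deliberate simplification (hosts only, no ports, last matching rule wins, no "quick"), the 60-second state lifetime and the host names "attacker" and "victim" are constructed values, and the fixed mode shows the defensive invariant that a filter-generated RST must never create a state entry.

```python
"""Toy model of the 'return-rst' / 'keep state' interaction in a stateful
packet filter. Constructed for illustration only: this is NOT IPFilter's
code; fr_addstate() is merely mimicked by _add_state() below."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # e.g. frozenset({"SYN"})


@dataclass
class Rule:
    action: str            # "block" or "pass"
    direction: str         # "in" or "out"
    src: str               # host name or "any" (hostmask simplified)
    dst: str
    return_rst: bool = False
    keep_state: bool = False

    def matches(self, pkt, direction):
        return (self.direction == direction
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))


class Firewall:
    STATE_TTL = 60  # seconds a state entry lives (constructed value)

    def __init__(self, rules, fixed):
        self.rules = rules
        self.fixed = fixed  # True: filter-generated RSTs never create state
        self.state = {}     # (src, dst) -> expiry; matches either direction

    def _state_hit(self, pkt, now):
        for key in ((pkt.src, pkt.dst), (pkt.dst, pkt.src)):
            expiry = self.state.get(key)
            if expiry is not None and expiry > now:
                return True
        return False

    def _add_state(self, pkt, now):
        self.state[(pkt.src, pkt.dst)] = now + self.STATE_TTL

    def _rule_for(self, pkt, direction):
        # Last matching rule wins (no "quick" keyword in this model).
        matched = None
        for rule in self.rules:
            if rule.matches(pkt, direction):
                matched = rule
        return matched

    def process(self, pkt, direction, now):
        """Return 'pass' or 'block'; a blocking return-rst rule emits a RST."""
        if self._state_hit(pkt, now):
            return "pass"
        rule = self._rule_for(pkt, direction)
        if rule is None or rule.action == "block":
            if rule is not None and rule.return_rst:
                rst = Packet(pkt.dst, pkt.src, frozenset({"RST"}))
                self._send_rst(rst, now)
            return "block"
        if rule.keep_state:
            self._add_state(pkt, now)
        return "pass"

    def _send_rst(self, rst, now):
        # Flawed behaviour: the locally generated RST is evaluated against the
        # outbound rules and, on hitting "keep state", creates a state entry
        # that later lets the peer's next SYN straight through.
        if self.fixed:
            return  # hardened: a filter-generated packet creates no state
        rule = self._rule_for(rst, "out")
        if rule is not None and rule.action == "pass" and rule.keep_state:
            self._add_state(rst, now)


def build_firewall(fixed):
    # Constructed ruleset mirroring the overlapping rules in the advisory.
    rules = [
        Rule("block", "in", "attacker", "victim", return_rst=True),
        Rule("pass", "out", "victim", "any", keep_state=True),
    ]
    return Firewall(rules, fixed)


def run_scenario(fixed):
    """SYN, then a retried SYN inside the state lifetime, then the handshake."""
    fw = build_firewall(fixed)
    syn = Packet("attacker", "victim", frozenset({"SYN"}))
    synack = Packet("victim", "attacker", frozenset({"SYN", "ACK"}))
    ack = Packet("attacker", "victim", frozenset({"ACK"}))
    first = fw.process(syn, "in", now=0)
    retry = fw.process(syn, "in", now=1)
    completes = (retry == "pass"
                 and fw.process(synack, "out", now=2) == "pass"
                 and fw.process(ack, "in", now=3) == "pass")
    return {"first_syn": first, "retry_syn": retry,
            "handshake_completes": completes}


def retry_after_expiry(fixed):
    """A retried SYN after the RST's state entry has expired is blocked."""
    fw = build_firewall(fixed)
    syn = Packet("attacker", "victim", frozenset({"SYN"}))
    fw.process(syn, "in", now=0)
    return fw.process(syn, "in", now=Firewall.STATE_TTL + 1)


if __name__ == "__main__":
    print("flawed :", run_scenario(fixed=False))
    print("fixed  :", run_scenario(fixed=True))
```

In the flawed mode the retried SYN passes because the state entry created for the RST matches the reversed address pair, and the outbound "keep state" rule then lets the rest of the handshake through; in the fixed mode the same SYN is blocked every time, and in both modes a retry after the state lifetime is blocked, which is the timing window the advisory describes.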

Affected Products:

  • Darren Reed IPFilter 3.3.15
  • Darren Reed IPFilter 3.4.3

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.