Title: FreeBSD ipfw Filtering Evasion Vulnerability
Severity: MODERATE
Description:
FreeBSD, like many other modern operating systems, ships with a packet filtering system built into the kernel.
A vulnerability in this system has been uncovered that may allow attackers to evade certain rules. The cause is the packet filter's handling of the ECE flag in the TCP header.
The ECE flag is an experimental extension to TCP that occupies one of the reserved bits in the TCP header's flags field. Its purpose is to signal network congestion.
When the packet filter examines TCP packets that have this ECE flag set, it interprets them as being part of an established TCP connection. Thus if a filtering rule exists that permits packets belonging to an established connection, these packets will qualify and be let through.
Attackers could use this vulnerability to circumvent firewall rules. Packets could be constructed with the ECE flag set in order to establish connections with services behind the firewall. Under normal circumstances, these services would only receive such packets once a TCP connection had already been established.
Services that such a rule is meant to protect are therefore exposed to possibly hostile external networks.
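The following C program is an added illustration, not FreeBSD's ipfw source: it models an "established" test that looks at the wrong header bits beside a corrected test that keys only on ACK and RST, and runs both on a constructed SYN+ECE segment. The flawed check is a hypothetical model of the behaviour the advisory describes, not the literal kernel code.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* TCP flag bits in the 8-bit flags field (RFC 793; ECE/CWR from RFC 3168) */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40   /* ECN-Echo: one of the formerly reserved bits */
#define TH_CWR  0x80   /* Congestion Window Reduced: the other reserved bit */

/* Hypothetical model of the flawed check: "any segment that is not a bare
 * SYN belongs to an established connection". Any set bit outside SYN,
 * including the reserved ECE bit, satisfies it. */
static bool established_broken(uint8_t th_flags)
{
    return (th_flags & ~TH_SYN) != 0;
}

/* Corrected check: only ACK or RST marks a segment as part of an
 * established connection; reserved/ECN bits are ignored entirely.
 * This matters because an ECN-capable host legitimately sends its
 * opening SYN with ECE and CWR set (RFC 3168). */
static bool established_fixed(uint8_t th_flags)
{
    return (th_flags & (TH_ACK | TH_RST)) != 0;
}

/* Verdict for a rule of the form "allow tcp from any to any established". */
static bool rule_allows(uint8_t th_flags, bool use_fixed_check)
{
    return use_fixed_check ? established_fixed(th_flags)
                           : established_broken(th_flags);
}

int main(void)
{
    /* Constructed sample: a connection-opening SYN with ECE set. */
    uint8_t syn_ece = TH_SYN | TH_ECE;
    printf("SYN+ECE  broken check: %s  fixed check: %s\n",
           rule_allows(syn_ece, false) ? "pass" : "deny",
           rule_allows(syn_ece, true)  ? "pass" : "deny");
    /* A genuine mid-connection ACK is allowed by both checks. */
    printf("ACK      broken check: %s  fixed check: %s\n",
           rule_allows(TH_ACK, false) ? "pass" : "deny",
           rule_allows(TH_ACK, true)  ? "pass" : "deny");
    return 0;
}
```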
Affected Products:
- Apple Mac OS X 10.1.0
- FreeBSD FreeBSD 3.0.0
- FreeBSD FreeBSD 3.1.0
- FreeBSD FreeBSD 3.3.0
- FreeBSD FreeBSD 3.4.0
- FreeBSD FreeBSD 3.5.0
- FreeBSD FreeBSD 3.5.1
- FreeBSD FreeBSD 4.0.0
- FreeBSD FreeBSD 4.0.0 alpha
- FreeBSD FreeBSD 4.1.0
- FreeBSD FreeBSD 4.1.1
- FreeBSD FreeBSD 4.2.0
References:
- FreeBSD: FreeBSD Security Information