FreeBSD and Mac OS X contain a flaw that may allow a malicious user to bypass a firewall. The issue is triggered when TCP packets with the ECE flag set are treated as being part of an already established TCP connection. It is possible that the flaw may allow a malicious user to bypass certain ipfw rules resulting in a loss of integrity.

Upgrade to version FreeBSD 3.5-STABLE, or 4.2-STABLE after the correction date, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): adjust the system's rulesets - express most 'established' rules in terms of a general TCP rule (with no TCP flag qualifications) and a 'setup' rule. Also, FreeBSD has released a patch.

• CVE ID: 2001-0183 (see also: NVD)
• Exploit Database: 20593
• Bugtraq ID: 2293
• ISS X-Force ID: 5998
• Vendor Specific Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:08.ipfw.asc
• Mail List Post: http://cert.uni-stuttgart.de/archive/bugtraq/2001/01/msg00435.html
• Vendor URL: http://www.freebsd.org
• Generic Exploit URL: http://www.securityfocus.com/data/vulnerabilities/exploits/ecepass.tgz
• CIAC Advisory: L-029

• Aragon Gouveia - aragonphat.za.net -