7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.5%
Shorewall is a high level tool for configuring Netfilter, the firewall facility included in the Linux Kernel.
Shorewall fails to enforce security policies if configured with “MACLIST_DISPOSITION” set to “ACCEPT” or “MACLIST_TTL” set to a value greater or equal to 0.
A client authenticated by MAC address filtering could bypass all security policies, possibly allowing him to gain access to restricted services. The default installation has MACLIST_DISPOSITION=REJECT and MACLIST_TTL=(blank) (equivalent to 0). This can be checked by looking at the settings in /etc/shorewall/shorewall.conf
Set “MACLIST_TTL” to “0” and “MACLIST_DISPOSITION” to “REJECT” in the Shorewall configuration file (usually /etc/shorewall/shorewall.conf).
All Shorewall users should upgrade to the latest available version:
# emerge --sync
# emerge --ask --oneshot --verbose net-firewall/shorewall
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | net-firewall/shorewall | <= 2.4.1 | UNKNOWN |