Re: ZyXEL Prestige Router Remote Node Filtering Vulnerability still present

Bernardo Pons <master@atlas-iap.es> wrote:
> bugtraq id 3162: "When more than one remote node filtering rule is
> applied, the first filtering rule is the only one that takes effect."

> Although bugtraq id 3162 reports that ZyXel released a firmware update
> 2.50(AL.1) to fix this vulnerability for the Prestige 642 routers it
> seems this bug is still present in new firmware versions.

To the best of my knowledge, BID 3162 is not accurate. I was not even
aware of that BID until now. It seems that SecurityFocus staff do not
always read BugTraq as thoroughly as they should :->

As Peter Gutmann first pointed out in the discussion about BID 3161 in
[1], it is not a flaw in the firmware, but simply a misconfiguration of
the filter rules you chain together. The preconfigured rules are _not_
configured to be chained together. This flaw can be considered to
consist of both a not too bright default configuration, and a somewhat
misleading filtering concept which is underdocumented. But it is not a
bug in the firmware.


> This configuration has been tested and still has the bug.

Are you definitely, positively sure that you did configure the filter
rules to chain correctly? Only the last one may allow a packet, all
previous filter rules must pass packets on to the next rule (or drop
them, of course). If the first rule allows a packet through, the second
rule never gets to see the packet.


> --
> Bernardo Pons

BTW, your sig-dashes seem to be missing the required trailing space.


Cheers,
Dan

[1] http://online.securityfocus.com/archive/1/203313


-- 
Daniel Roethlisberger <daniel@roe.ch>
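
Added example, not part of the original message and not ZyXEL code: a simplified model of the chaining behaviour described in the reply, comparing two rules that each forward on a miss with the same rules chained correctly. The rule names, the packet fields, the action names and the default verdict at the end of the chain are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable

# Action names are assumptions of this model, not firmware identifiers.
FORWARD, DROP, NEXT = "forward", "drop", "next"

@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]
    on_match: str   # action when the packet matches the rule
    on_miss: str    # action when it does not

def evaluate(chain, pkt, default=FORWARD):
    """Walk the chain; return (verdict, names of rules that saw the packet)."""
    seen = []
    for rule in chain:
        seen.append(rule.name)
        action = rule.on_match if rule.match(pkt) else rule.on_miss
        if action != NEXT:          # forward or drop ends evaluation here
            return action, seen
    return default, seen            # assumed verdict when no rule decides

def shadowing_rules(chain):
    """Non-final rules that can forward a packet, so later rules never see it."""
    return [r.name for r in chain[:-1] if FORWARD in (r.on_match, r.on_miss)]

def port_rule(name, port, on_miss):
    """Constructed sample rule: drop TCP traffic to one destination port."""
    return Rule(name, lambda p: p["proto"] == "tcp" and p["dport"] == port,
                DROP, on_miss)

# Each rule written as if it were the only one: a miss forwards immediately.
STANDALONE = [port_rule("block-telnet", 23, FORWARD),
              port_rule("block-http", 80, FORWARD)]
# Chained: only the last rule may forward, earlier ones hand the packet on.
CHAINED = [port_rule("block-telnet", 23, NEXT),
           port_rule("block-http", 80, FORWARD)]

if __name__ == "__main__":
    pkt = {"proto": "tcp", "dport": 80}   # constructed sample packet
    for label, chain in (("standalone", STANDALONE), ("chained", CHAINED)):
        print(label, evaluate(chain, pkt), "shadowing:", shadowing_rules(chain))
```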


