oss-sec mailing list archives
Re: CVE-2023-4809: FreeBSD pf bypass when using IPv6
From: Alexander Bluhm <alexander.bluhm () gmx net>
Date: Sat, 9 Sep 2023 00:12:31 +0200
On Fri, Sep 08, 2023 at 07:48:21PM +0200, Enrico Bassetti wrote:
> A FreeBSD with `pf` as firewall for IPv6 traffic and `scrub` enabled to reassemble IPv6 fragments is vulnerable to an attack that uses a crafted packet posing as IPv6 "atomic" fragment to bypass the rules.
I would like to mention that OpenBSD pf is not affected by the bug.

As I am the original author of IPv6 fragment reassembly, I have just added a regression test to show that our pf drops such packets.
https://cvsweb.openbsd.org/src/regress/sys/netinet6/frag6/frag6_doubleatomic.py

This behavior seems to be present since 2013 when I added support for atomic fragments to pf. The relevant code is in OpenBSD pf_walk_header6() in pf.c. There, a bunch of sanity checks are done for the IPv6 header chain, resulting in packet drops. This function does not exist in FreeBSD.
https://github.com/openbsd/src/blame/cc53a24ce58eb2212822060db742650de2787ee4/sys/net/pf.c#L7076

bluhm
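Added example, not code from this thread and not the OpenBSD or FreeBSD pf source: a small IPv6 extension-header walker that applies the kind of header-chain sanity check the reply attributes to pf_walk_header6(). The concrete rule implemented here, that a chain carrying more than one Fragment header is dropped and that an "atomic" fragment is one with offset 0 and M flag 0, is my reading of the linked pf.c and is stated as an assumption; the four extension header types it walks, the addresses, the payloads and the `walk_ipv6_headers` / `_ipv6` / `_frag_hdr` names are all constructed for the example. It is a defender-side parser: it classifies what it sees and returns a verdict, nothing more.

```python
"""Walk an IPv6 extension header chain and apply pf-style sanity checks.

Added example, not the OpenBSD or FreeBSD pf code. The check that matters
for the thread (assumption, from reading the linked pf.c): a header chain
with a second Fragment header is dropped; a Fragment header with offset 0
and M=0 is an "atomic" fragment and is classified as such.
"""
import struct

# Extension header types walked here (assumption: the four common ones).
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}
IPPROTO_FRAGMENT = 44
IPV6_HDR_LEN = 40
FRAG_HDR_LEN = 8


def walk_ipv6_headers(pkt: bytes) -> dict:
    """Return {'verdict', 'reason', 'chain', 'fragment', 'proto', 'payload_offset'}."""
    chain = []

    def drop(reason):
        return {"verdict": "drop", "reason": reason, "chain": chain,
                "fragment": None, "proto": None, "payload_offset": None}

    if len(pkt) < IPV6_HDR_LEN:
        return drop("short IPv6 header")
    if pkt[0] >> 4 != 6:
        return drop("not IPv6")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < IPV6_HDR_LEN + payload_len:
        return drop("truncated payload")
    end = IPV6_HDR_LEN + payload_len
    nxt = pkt[6]
    off = IPV6_HDR_LEN
    fragment = None
    seen_fragment = False

    while nxt in EXT_HEADERS:
        chain.append(EXT_HEADERS[nxt])
        if nxt == IPPROTO_FRAGMENT:
            # A second Fragment header in one chain is not a legitimate packet shape.
            if seen_fragment:
                return drop("IPv6 multiple fragment headers")
            if off + FRAG_HDR_LEN > end:
                return drop("short fragment header")
            nxt_after, _res, offlg, _ident = struct.unpack("!BBHI", pkt[off:off + FRAG_HDR_LEN])
            frag_offset = offlg >> 3   # 13-bit offset in 8-octet units
            more = offlg & 1           # M flag
            seen_fragment = True
            if frag_offset == 0 and more == 0:
                fragment = "atomic"    # a whole packet wrapped in a Fragment header
            elif frag_offset == 0:
                fragment = "first"
            else:
                # Non-initial fragment: no upper-layer header to inspect here,
                # so stop walking and leave the rest to reassembly.
                return {"verdict": "pass", "reason": None, "chain": chain,
                        "fragment": "later", "proto": None,
                        "payload_offset": off + FRAG_HDR_LEN}
            off += FRAG_HDR_LEN
            nxt = nxt_after
        else:
            # Hop-by-hop, routing, dest-options: next header byte, then
            # header length in 8-octet units not counting the first 8.
            if off + 2 > end:
                return drop("short extension header")
            nxt_after = pkt[off]
            hdr_len = (pkt[off + 1] + 1) * 8
            if off + hdr_len > end:
                return drop("short extension header")
            off += hdr_len
            nxt = nxt_after

    return {"verdict": "pass", "reason": None, "chain": chain,
            "fragment": fragment, "proto": nxt, "payload_offset": off}


# --- constructed sample packets: documentation-prefix addresses, dummy payload ---
def _ipv6(payload: bytes, nxt: int) -> bytes:
    src = bytes.fromhex("2001 0db8 0000 0000 0000 0000 0000 0001")
    dst = bytes.fromhex("2001 0db8 0000 0000 0000 0000 0000 0002")
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64) + src + dst + payload


def _frag_hdr(nxt: int, offset: int, more: int, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | more, ident)


TCP_STUB = bytes(20)  # placeholder upper-layer header (protocol 6)
PLAIN = _ipv6(TCP_STUB, 6)
ATOMIC = _ipv6(_frag_hdr(6, 0, 0) + TCP_STUB, IPPROTO_FRAGMENT)
DOUBLE = _ipv6(_frag_hdr(IPPROTO_FRAGMENT, 0, 0) + _frag_hdr(6, 0, 0) + TCP_STUB, IPPROTO_FRAGMENT)
LATER = _ipv6(_frag_hdr(6, 100, 0) + bytes(8), IPPROTO_FRAGMENT)

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("atomic", ATOMIC), ("double", DOUBLE), ("later", LATER)]:
        print(name, walk_ipv6_headers(p))
```

Running the block prints a verdict per constructed packet: the plain and atomic packets pass with the upper-layer protocol resolved, the non-initial fragment passes without a protocol (it has none to inspect), and the chain with two Fragment headers is dropped before any rule matching would happen. Fragment-header length checks are bounded by the IPv6 payload length field rather than the buffer length, so a packet whose declared length is shorter than its extension headers is also dropped.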