oss-sec mailing list archives

Re: CVE-2023-4809: FreeBSD pf bypass when using IPv6


From: Alexander Bluhm <alexander.bluhm () gmx net>
Date: Sat, 9 Sep 2023 00:12:31 +0200

On Fri, Sep 08, 2023 at 07:48:21PM +0200, Enrico Bassetti wrote:
> A FreeBSD with `pf` as firewall for IPv6 traffic and `scrub` enabled to 
> reassemble IPv6 fragments is vulnerable to an attack that uses a crafted 
> packet posing as IPv6 "atomic" fragment to bypass the rules.

I would like to mention that OpenBSD pf is not affected by the bug.
As I am the original author of IPv6 fragment reassembly, I have
just added a regression test to show that our pf drops such packets.

https://cvsweb.openbsd.org/src/regress/sys/netinet6/frag6/frag6_doubleatomic.py

This behavior seems to be present since 2013 when I added support
for atomic fragments to pf.  The relevant code is in OpenBSD
pf_walk_header6() in pf.c.  There a bunch of sanity checks are done
for the IPv6 header chain resulting in packet drops.  This function
does not exist in FreeBSD.

https://github.com/openbsd/src/blame/cc53a24ce58eb2212822060db742650de2787ee4/sys/net/pf.c#L7076

bluhm
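Added illustration, not part of the mail and not OpenBSD's code: a small Python walker over the IPv6 extension-header chain applying an assumed policy similar in spirit to the sanity checks the mail attributes to pf_walk_header6(), passing a single atomic fragment and dropping a chain carrying two fragment headers. The function names, the packet builder and the sample packets are constructed for this example.

```python
import struct
# IPv6 next-header numbers (IANA protocol numbers)
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS, NH_UDP = 0, 43, 44, 60, 17
OPT_EXT = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}  # length field in 8-octet units, minus one

def walk_header6(pkt: bytes):
    """Walk the IPv6 header chain and return ("pass" | "drop", reason).

    Assumed policy, modelled only loosely on the kind of sanity checks the
    mail attributes to pf_walk_header6(); it is not OpenBSD's code. A fragment
    header with offset 0 and M=0 is an atomic fragment; a second fragment
    header behind it, or any truncated header, gets the packet dropped.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "short or non-IPv6 header"
    if len(pkt) < 40 + struct.unpack_from("!H", pkt, 4)[0]:
        return "drop", "payload shorter than Payload Length"
    nxt, off, frags, atomic = pkt[6], 40, 0, False
    while True:
        if nxt == NH_FRAGMENT:
            if off + 8 > len(pkt):
                return "drop", "truncated fragment header"
            nxt, _res, fo_flags, _ident = struct.unpack_from("!BBHI", pkt, off)
            frags += 1
            if frags > 1:
                return "drop", "more than one fragment header"
            atomic = (fo_flags >> 3) == 0 and (fo_flags & 1) == 0
            off += 8
        elif nxt in OPT_EXT:
            if off + 2 > len(pkt) or off + (pkt[off + 1] + 1) * 8 > len(pkt):
                return "drop", "truncated extension header"
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:  # upper-layer protocol reached; chain is well formed
            kind = "atomic fragment" if atomic else ("fragment" if frags else "unfragmented")
            return "pass", f"{kind}, upper layer {nxt} at offset {off}"

def frag_header(nxt, frag_off=0, more=0, ident=0x1234):
    """Build an 8-octet IPv6 Fragment header (RFC 8200, section 4.5)."""
    return struct.pack("!BBHI", nxt, 0, (frag_off << 3) | more, ident)

def ipv6(first_nh, payload):
    """Constructed base header (version 6, hop limit 64, 2001:db8:: addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 64) + src + dst + payload

UDP_STUB = bytes(8)  # constructed stand-in for an upper-layer header
# One fragment header, offset 0, M=0, then UDP: a legitimate atomic fragment.
SINGLE_ATOMIC = ipv6(NH_FRAGMENT, frag_header(NH_UDP) + UDP_STUB)
# Two atomic fragment headers back to back: the walker rejects the chain.
DOUBLE_ATOMIC = ipv6(NH_FRAGMENT, frag_header(NH_FRAGMENT) + frag_header(NH_UDP) + UDP_STUB)
```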
