oss-sec mailing list archives
Re: CVE-2023-4809: FreeBSD pf bypass when using IPv6
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Fri, 8 Sep 2023 18:34:52 -0400
On Sat, Sep 09, 2023 at 12:12:31AM +0200, Alexander Bluhm wrote:
> On Fri, Sep 08, 2023 at 07:48:21PM +0200, Enrico Bassetti wrote:
> > A FreeBSD with `pf` as firewall for IPv6 traffic and `scrub` enabled to
> > reassemble IPv6 fragments is vulnerable to an attack that uses a crafted
> > packet posing as an IPv6 "atomic" fragment to bypass the rules.
>
> I would like to mention that OpenBSD pf is not affected by the bug. As I am
> the original author of IPv6 fragment reassembly, I have just added a
> regression test to show that our pf drops such packets.
>
> https://cvsweb.openbsd.org/src/regress/sys/netinet6/frag6/frag6_doubleatomic.py
>
> This behavior seems to be present since 2013 when I added support for
> atomic fragments to pf. The relevant code is in OpenBSD pf_walk_header6()
> in pf.c. There a bunch of sanity checks are done for the IPv6 header chain,
> resulting in packet drops. This function does not exist in FreeBSD.
>
> https://github.com/openbsd/src/blame/cc53a24ce58eb2212822060db742650de2787ee4/sys/net/pf.c#L7076

FreeBSD should include this in its pf, and probably adopt a bunch more
changes from OpenBSD pf.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
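An added illustration, not OpenBSD's pf_walk_header6() and not FreeBSD code, of the kind of header-chain sanity walk the thread refers to: a Python walker over the IPv6 extension header chain that passes a legitimate atomic fragment, hands real fragments to reassembly, and drops a packet carrying a second Fragment header behind an atomic one. The packet layout and test vectors are constructed here; that the bypass packet has this nested "double atomic" shape is an assumption drawn from the regress test's name, not something the thread states.

```python
import struct

IPPROTO_FRAGMENT = 44
GENERIC_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Dest. Options: (next, ext_len) prefix

def walk_header6(pkt: bytes) -> str:
    """Walk the extension header chain: 'pass', 'queue' (hand to reassembly)
    or a 'drop: ...' reason, in the spirit of a pf-style sanity walk."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop: not an IPv6 packet"
    if 40 + struct.unpack_from("!H", pkt, 4)[0] != len(pkt):
        return "drop: payload length mismatch"
    nxt, off, frag_seen = pkt[6], 40, False
    while True:
        if nxt == IPPROTO_FRAGMENT:
            if frag_seen:
                # Second Fragment header behind an atomic one ("double
                # atomic"): refuse it rather than feed it to reassembly.
                return "drop: duplicate fragment header"
            if off + 8 > len(pkt):
                return "drop: truncated fragment header"
            nxt, fo_res_m = pkt[off], struct.unpack_from("!H", pkt, off + 2)[0]
            frag_seen, off = True, off + 8
            if fo_res_m & ~7 or fo_res_m & 1:  # offset != 0 or M bit set
                return "queue: non-atomic fragment"
            # Atomic fragment (offset 0, M=0): nothing to reassemble, keep walking.
        elif nxt in GENERIC_EXT:
            if off + 2 > len(pkt):
                return "drop: truncated extension header"
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
            if off > len(pkt):
                return "drop: extension header overruns packet"
        else:
            return f"pass: upper-layer protocol {nxt}"

# Constructed test vectors (not taken from the advisory or the regress test).
def ipv6(nxt: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + bytes(32) + payload

def frag_hdr(nxt: int, offset: int, more: int) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset & ~7) | (more & 1), 0x1234)
TCP_STUB = bytes(20)  # placeholder transport header
PLAIN = ipv6(6, TCP_STUB)
ATOMIC = ipv6(IPPROTO_FRAGMENT, frag_hdr(6, 0, 0) + TCP_STUB)
FIRST_FRAG = ipv6(IPPROTO_FRAGMENT, frag_hdr(6, 0, 1) + TCP_STUB)
DOUBLE_ATOMIC = ipv6(IPPROTO_FRAGMENT, frag_hdr(IPPROTO_FRAGMENT, 0, 0) + frag_hdr(6, 0, 0) + TCP_STUB)
if __name__ == "__main__":
    for name in ("PLAIN", "ATOMIC", "FIRST_FRAG", "DOUBLE_ATOMIC"):
        print(f"{name:14} -> {walk_header6(globals()[name])}")
```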