CVE-2023-4809

In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/09/08/5	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/08/6	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/08/7	Mailing List Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc	Vendor Advisory
https://security.netapp.com/advisory/ntap-20231221-0009/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:freebsd:freebsd::::::::
	cpe:2.3:o:freebsd:freebsd::::::::
	cpe:2.3:o:freebsd:freebsd:12.4:-::::::
	cpe:2.3:o:freebsd:freebsd:12.4:p1::::::
	cpe:2.3:o:freebsd:freebsd:12.4:p2::::::
	cpe:2.3:o:freebsd:freebsd:12.4:p3::::::
	cpe:2.3:o:freebsd:freebsd:12.4:p4::::::
	cpe:2.3:o:freebsd:freebsd:12.4:rc2-p1::::::
	cpe:2.3:o:freebsd:freebsd:12.4:rc2-p2::::::
	cpe:2.3:o:freebsd:freebsd:13.2:-::::::
	cpe:2.3:o:freebsd:freebsd:13.2:p1::::::
	cpe:2.3:o:freebsd:freebsd:13.2:p2::::::

History

No history.

Information

Published : 2023-09-06 20:15

Updated : 2023-12-21 22:15

NVD link : CVE-2023-4809

Mitre link : CVE-2023-4809

CVE.ORG link : CVE-2023-4809

JSON object : View

Products Affected

freebsd

freebsd

CWE

NVD-CWE-Other CWE-167

Improper Handling of Additional Special Element

{"id": "CVE-2023-4809", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-06T20:15:08.080", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/09/08/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "secteam@freebsd.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/6", "tags": ["Mailing List", "Third Party Advisory"], "source": "secteam@freebsd.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/7", "tags": ["Mailing List", "Third Party Advisory"], "source": "secteam@freebsd.org"}, {"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc", "tags": ["Vendor Advisory"], "source": "secteam@freebsd.org"}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0009/", "source": "secteam@freebsd.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "secteam@freebsd.org", "description": [{"lang": "en", "value": "CWE-167"}]}], "descriptions": [{"lang": "en", "value": "In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.\n\n\n\n\nAs a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.\n\n"}, {"lang": "es", "value": "En el procesamiento de paquetes pf con una regla 'scrub fragment reassemble', un paquete que contenga m\u00faltiples encabezados de fragmentos IPv6 se reensamblar\u00eda y luego se procesar\u00eda inmediatamente. Es decir, un paquete con m\u00faltiples encabezados de extensi\u00f3n de fragmentos no ser\u00eda reconocido como el payload final correcto. En cambio, un paquete con m\u00faltiples encabezados de fragmentos IPv6 se interpretar\u00eda inesperadamente como un paquete fragmentado, en lugar de como cualquier payload real. Como resultado, los fragmentos de IPv6 pueden eludir las reglas del firewall escritas bajo el supuesto de que todos los fragmentos se han reensamblado y, como resultado, el host los reenv\u00eda o procesa."}], "lastModified": "2023-12-21T22:15:15.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7F6C8B0-9D75-476C-ADBA-754416FBC186", "versionEndExcluding": "12.4"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA49E374-9F1A-4F62-B88D-CD36EDEA6060", "versionEndExcluding": "13.2", "versionStartIncluding": "13.0"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24920B4D-96C0-401F-B679-BEB086760EAF"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CE32730-A9F5-4E8D-BDA4-6B8232F84787"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "552E81DE-D409-475F-8ED0-E10A0BE43D29"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "251CAE22-C3E6-45AD-8301-F36BEE5C6860"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85D94BCA-FA32-4C10-95CD-5D2A69B38A7A"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA821886-B26B-47A6-ABC9-B8F70CE0ACFB"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "220629AD-32CC-4303-86AE-1DD27F0E4C65"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2888B0C1-4D85-42EC-9696-03FAD0A9C28F"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3306F11-D3C0-41D6-BB5E-2ABDC3927715"}], "operator": "OR"}]}], "sourceIdentifier": "secteam@freebsd.org"}