1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6

    From FreeBSD Security Advisories@21:1/5 to All on Wed Aug 2 17:00:05 2023
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-SA-23:06.ipv6 Security Advisory
    The FreeBSD Project

    Topic: Remote denial of service in IPv6 fragment reassembly

    Category: core
    Module: ipv6
    Announced: 2023-08-01
    Credits: Zweig of Kunlun Lab
    Affects: All supported versions of FreeBSD
    Corrected: 2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
    2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
    2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
    2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
    2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
    CVE Name: CVE-2023-3107

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    IPv6 packets may be fragmented in order to accommodate the maximum
    transmission unit (MTU) of the network path between the source and
    destination hosts. The FreeBSD kernel keeps track of received packet
    fragments and will reassemble the original packet once all fragments
    have been received, at which point the packet is processed normally.

    II. Problem Description

    Each fragment of an IPv6 packet contains a fragment header which
    specifies the offset of the fragment relative to the original packet,
    and each fragment specifies its length in the IPv6 header. When
    reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6
    header.

    Due to a bug in the kernel, a set of carefully crafted packets can
    trigger an integer overflow in the calculation of the reassembled
    packet's payload length field.

    III. Impact

    Once an IPv6 packet has been reassembled, the kernel continues
    processing its contents. It does so assuming that the fragmentation
    layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote
    kernel panic, resulting in a denial of service.

    IV. Workaround

    Users with IPv6 disabled on untrusted network interfaces are not
    affected. Such interfaces will have the IFDISABLED nd6 flag set in ifconfig(8).

    The kernel may be configured to drop all IPv6 fragments by setting the net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from
    being triggered, with the caveat that legitimate IPv6 fragments will
    be dropped.

    If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
    is enabled on untrusted interfaces, the bug cannot be triggered. This
    is the default if pf(4) is enabled.

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date and
    reboot.

    Perform one of the following:

    1) To update your vulnerable system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64, i386, or
    (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    # shutdown -r +10min "Rebooting for a security update"

    2) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
    # fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
    # gpg --verify ipv6.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    This issue is corrected by the corresponding Git commit hash or Subversion revision number in the following stable and release branches:

    Branch/path Hash Revision
    - ------------------------------------------------------------------------- stable/13/ 9515f04fe3b1 stable/13-n255919 releng/13.2/ da38eaca4a22 releng/13.2-n254626 releng/13.1/ 4e548c72914a releng/13.1-n250191 stable/12/ r373149 releng/12.4/ r373152
    - -------------------------------------------------------------------------

    For FreeBSD 13 and later:

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    For FreeBSD 12 and earlier:

    Run the following command to see which files were modified by a particular revision, replacing NNNNNN with the revision number:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

    Or visit the following URL, replacing NNNNNN with the revision number:

    <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

    VII. References

    <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3107>

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc> -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66 4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/ dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0 mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c=
    =V/jE
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)