FKIE_CVE-2023-4809

Vulnerability from fkie_nvd - Published: 2023-09-06 20:15 - Updated: 2025-02-13 18:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
References
secteam@freebsd.orghttp://www.openwall.com/lists/oss-security/2023/09/08/5Mailing List, Third Party Advisory
secteam@freebsd.orghttp://www.openwall.com/lists/oss-security/2023/09/08/6Mailing List, Third Party Advisory
secteam@freebsd.orghttp://www.openwall.com/lists/oss-security/2023/09/08/7Mailing List, Third Party Advisory
secteam@freebsd.orghttps://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.ascVendor Advisory
secteam@freebsd.orghttps://security.netapp.com/advisory/ntap-20231221-0009/
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/09/08/5Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/09/08/6Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2023/09/08/7Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.ascVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20231221-0009/
Impacted products
Vendor Product Version
freebsd freebsd *
freebsd freebsd *
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 12.4
freebsd freebsd 13.2
freebsd freebsd 13.2
freebsd freebsd 13.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7F6C8B0-9D75-476C-ADBA-754416FBC186",
              "versionEndExcluding": "12.4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BA49E374-9F1A-4F62-B88D-CD36EDEA6060",
              "versionEndExcluding": "13.2",
              "versionStartIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:-:*:*:*:*:*:*",
              "matchCriteriaId": "24920B4D-96C0-401F-B679-BEB086760EAF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p1:*:*:*:*:*:*",
              "matchCriteriaId": "3CE32730-A9F5-4E8D-BDA4-6B8232F84787",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p2:*:*:*:*:*:*",
              "matchCriteriaId": "552E81DE-D409-475F-8ED0-E10A0BE43D29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p3:*:*:*:*:*:*",
              "matchCriteriaId": "251CAE22-C3E6-45AD-8301-F36BEE5C6860",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p4:*:*:*:*:*:*",
              "matchCriteriaId": "85D94BCA-FA32-4C10-95CD-5D2A69B38A7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p1:*:*:*:*:*:*",
              "matchCriteriaId": "BA821886-B26B-47A6-ABC9-B8F70CE0ACFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p2:*:*:*:*:*:*",
              "matchCriteriaId": "220629AD-32CC-4303-86AE-1DD27F0E4C65",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p1:*:*:*:*:*:*",
              "matchCriteriaId": "2888B0C1-4D85-42EC-9696-03FAD0A9C28F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p2:*:*:*:*:*:*",
              "matchCriteriaId": "A3306F11-D3C0-41D6-BB5E-2ABDC3927715",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In pf packet processing with a \u0027scrub fragment reassemble\u0027 rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed.  That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.\n\n\n\n\nAs a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host."
    },
    {
      "lang": "es",
      "value": "En el procesamiento de paquetes pf con una regla \u0027scrub fragment reassemble\u0027, un paquete que contenga m\u00faltiples encabezados de fragmentos IPv6 se reensamblar\u00eda y luego se procesar\u00eda inmediatamente. Es decir, un paquete con m\u00faltiples encabezados de extensi\u00f3n de fragmentos no ser\u00eda reconocido como el payload final correcto. En cambio, un paquete con m\u00faltiples encabezados de fragmentos IPv6 se interpretar\u00eda inesperadamente como un paquete fragmentado, en lugar de como cualquier payload real. Como resultado, los fragmentos de IPv6 pueden eludir las reglas del firewall escritas bajo el supuesto de que todos los fragmentos se han reensamblado y, como resultado, el host los reenv\u00eda o procesa."
    }
  ],
  "id": "CVE-2023-4809",
  "lastModified": "2025-02-13T18:15:47.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-06T20:15:08.080",
  "references": [
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/5"
    },
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/6"
    },
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/7"
    },
    {
      "source": "secteam@freebsd.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"
    },
    {
      "source": "secteam@freebsd.org",
      "url": "https://security.netapp.com/advisory/ntap-20231221-0009/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/09/08/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20231221-0009/"
    }
  ],
  "sourceIdentifier": "secteam@freebsd.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-167"
        }
      ],
      "source": "secteam@freebsd.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.