diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc | 171 |
1 files changed, 171 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc new file mode 100644 index 0000000000..77b3701de3 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-23:06.ipv6.asc @@ -0,0 +1,171 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-23:06.ipv6 Security Advisory + The FreeBSD Project + +Topic: Remote denial of service in IPv6 fragment reassembly + +Category: core +Module: ipv6 +Announced: 2023-08-01 +Credits: Zweig of Kunlun Lab +Affects: All supported versions of FreeBSD +Corrected: 2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE) + 2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2) + 2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9) + 2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE) + 2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4) +CVE Name: CVE-2023-3107 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +IPv6 packets may be fragmented in order to accommodate the maximum +transmission unit (MTU) of the network path between the source and +destination hosts. The FreeBSD kernel keeps track of received packet +fragments and will reassemble the original packet once all fragments +have been received, at which point the packet is processed normally. + +II. Problem Description + +Each fragment of an IPv6 packet contains a fragment header which +specifies the offset of the fragment relative to the original packet, +and each fragment specifies its length in the IPv6 header. When +reassembling the packet, the kernel calculates the complete IPv6 payload +length. The payload length must fit into a 16-bit field in the IPv6 +header. + +Due to a bug in the kernel, a set of carefully crafted packets can +trigger an integer overflow in the calculation of the reassembled +packet's payload length field. + +III. Impact + +Once an IPv6 packet has been reassembled, the kernel continues +processing its contents. It does so assuming that the fragmentation +layer has validated all fields of the constructed IPv6 header. This bug +violates such assumptions and can be exploited to trigger a remote +kernel panic, resulting in a denial of service. + +IV. Workaround + +Users with IPv6 disabled on untrusted network interfaces are not +affected. Such interfaces will have the IFDISABLED nd6 flag set in +ifconfig(8). + +The kernel may be configured to drop all IPv6 fragments by setting the +net.inet6.ip6.maxfrags sysctl to 0. Doing so will prevent the bug from +being triggered, with the caveat that legitimate IPv6 fragments will +be dropped. + +If the pf(4) firewall is enabled, and scrubbing and fragment reassembly +is enabled on untrusted interfaces, the bug cannot be triggered. This +is the default if pf(4) is enabled. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date and +reboot. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch +# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc +# gpg --verify ipv6.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ 9515f04fe3b1 stable/13-n255919 +releng/13.2/ da38eaca4a22 releng/13.2-n254626 +releng/13.1/ 4e548c72914a releng/13.1-n250191 +stable/12/ r373149 +releng/12.4/ r373152 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3107> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A +Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu +vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst +OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn +E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r +mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66 +4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/ +dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF +ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0 +mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD +oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ +QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c= +=V/jE +-----END PGP SIGNATURE----- |