
CVE-2023-4809

pf incorrectly handles multiple IPv6 fragment headers

  • Severity Score (CVSS v3.1): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 0
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.




As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.


*Credits: Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: High
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2023-09-06 CVE Reserved
  • 2023-09-06 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-09-12 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-167: Improper Handling of Additional Special Element
Affected Vendors, Products, and Versions
Vendor    Product   Version           Other     Status
Freebsd   Freebsd   < 12.4            -         Affected
Freebsd   Freebsd   >= 13.0 < 13.2    -         Affected
Freebsd   Freebsd   12.4              -         Affected
Freebsd   Freebsd   12.4              p1        Affected
Freebsd   Freebsd   12.4              p2        Affected
Freebsd   Freebsd   12.4              p3        Affected
Freebsd   Freebsd   12.4              p4        Affected
Freebsd   Freebsd   12.4              rc2-p1    Affected
Freebsd   Freebsd   12.4              rc2-p2    Affected
Freebsd   Freebsd   13.2              -         Affected
Freebsd   Freebsd   13.2              p1        Affected
Freebsd   Freebsd   13.2              p2        Affected