From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:17.pf
Reply-To: freebsd-security@freebsd.org
Date: Tue, 5 Dec 2023 22:15:27 +0000 (UTC)
Message-Id: <20231205221527.A2F4514EA5@freefall.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

=============================================================================
FreeBSD-SA-23:17.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          TCP spoofing vulnerability in pf(4)

Category:       core
Module:         pf
Announced:      2023-12-05
Credits:        Yuxiang Yang, Ao Wang, Xuewei Feng, Qi Li and Ke Xu from
                Tsinghua University
Affects:        All supported versions of FreeBSD.
Corrected:      2023-12-05 18:24:35 UTC (stable/14, 14.0-STABLE)
                2023-12-05 18:26:28 UTC (releng/14.0, 14.0-RELEASE-p2)
                2023-12-05 18:25:22 UTC (stable/13, 13.2-STABLE)
                2023-12-05 18:28:12 UTC (releng/13.2, 13.2-RELEASE-p7)
                2023-12-05 18:31:13 UTC (stable/12, 12.4-STABLE)
                2023-12-05 18:38:14 UTC (releng/12.4, 12.4-RELEASE-p9)
CVE Name:       CVE-2023-6534

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
pf implements TCP state tracking, wherein it maintains metadata for each TCP
connection tracked by the firewall and uses this metadata to decide whether
to accept or reject packets matching the connection identifiers.

II.  Problem Description

As part of its stateful TCP connection tracking implementation, pf performs
sequence number validation on inbound packets.  This makes it difficult for
a would-be attacker to spoof the sender and inject packets into a TCP stream,
since crafted packets must contain sequence numbers which match the current
connection state to avoid being rejected by the firewall.

A bug in the implementation of sequence number validation means that the
sequence number is not in fact validated, allowing an attacker who is able to
impersonate the remote host and guess the connection's port numbers to inject
packets into the TCP stream.

III. Impact

An attacker can, with relatively little effort, inject packets into a TCP
stream destined to a host behind a pf firewall.  This could be used to
implement a denial-of-service attack for hosts behind the firewall, for
example by sending TCP RST packets to the host.

IV.  Workaround

No workaround is available.  Systems which do not use pf(4) are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13 and earlier, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:17/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-23:17/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              a47a44c0d69c    stable/14-n265915
releng/14.0/                            0019b7058a7a  releng/14.0-n265395
stable/13/                              ee1d1e38fae6    stable/13-n256844
releng/13.2/                            45e256e24c97  releng/13.2-n254647
stable/12/                                                        r373284
releng/12.4/                                                      r373287
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
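
The check below is an added example, not part of the advisory or of FreeBSD's own tooling. It classifies freebsd-version(1) output against the RELEASE patch levels in the Corrected field and flags a host where the fixed kernel is installed but not yet running; the sa2317_* function names are hypothetical.

```sh
#!/bin/sh
# Added example (function names are hypothetical, not FreeBSD tooling).
# Patch levels come from the advisory's "Corrected" field.

# Print the first fixed patch level for a release listed in the advisory.
sa2317_fixed_patchlevel() {
    case "$1" in
        14.0) echo 2 ;;    # 14.0-RELEASE-p2
        13.2) echo 7 ;;    # 13.2-RELEASE-p7
        12.4) echo 9 ;;    # 12.4-RELEASE-p9
        *)    return 1 ;;  # release has no entry in this advisory
    esac
}

# Classify one version string: fixed, vulnerable, unlisted or unknown.
sa2317_status() {
    ver=$1
    case "$ver" in
        *-RELEASE) pl=0 ;;
        *-RELEASE-p[0-9]*) pl=${ver##*-p} ;;
        *) echo unknown; return 0 ;;  # -STABLE etc.: compare commit counts
    esac
    case "$pl" in *[!0-9]*) echo unknown; return 0 ;; esac
    min=$(sa2317_fixed_patchlevel "${ver%%-*}") || { echo unlisted; return 0; }
    if [ "$pl" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# Combine running and installed kernel versions. The fix is in the kernel,
# so an updated but not yet rebooted host is still exposed.
sa2317_report() {
    run=$(sa2317_status "$1")
    inst=$(sa2317_status "$2")
    if [ "$run" = vulnerable ] && [ "$inst" = fixed ]; then
        echo reboot-needed
    else
        echo "$run"
    fi
}

# On a FreeBSD host: -r is the running kernel, -k the installed kernel.
if command -v freebsd-version >/dev/null 2>&1; then
    sa2317_report "$(freebsd-version -r)" "$(freebsd-version -k)"
fi
```

The result only matters on hosts where pf is loaded, which `kldstat -q -m pf` reports through its exit status.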