From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6
Reply-To: freebsd-security@freebsd.org
Date: Tue, 1 Aug 2023 21:38:04 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume]
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-23:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service in IPv6 fragment reassembly

Category:       core
Module:         ipv6
Announced:      2023-08-01
Credits:        Zweig of Kunlun Lab
Affects:        All supported versions of FreeBSD
Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3107

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

IPv6 packets may be fragmented in order to accommodate the maximum
transmission unit (MTU) of the network path between the source and
destination hosts.  The FreeBSD kernel keeps track of received packet
fragments and will reassemble the original packet once all fragments have
been received, at which point the packet is processed normally.

II.  Problem Description

Each fragment of an IPv6 packet contains a fragment header which specifies
the offset of the fragment relative to the original packet, and each
fragment specifies its length in the IPv6 header.  When reassembling the
packet, the kernel calculates the complete IPv6 payload length.  The payload
length must fit into a 16-bit field in the IPv6 header.

Due to a bug in the kernel, a set of carefully crafted packets can trigger
an integer overflow in the calculation of the reassembled packet's payload
length field.

III. Impact

Once an IPv6 packet has been reassembled, the kernel continues processing
its contents.  It does so assuming that the fragmentation layer has
validated all fields of the constructed IPv6 header.  This bug violates such
assumptions and can be exploited to trigger a remote kernel panic, resulting
in a denial of service.

IV.  Workaround

Users with IPv6 disabled on untrusted network interfaces are not affected.
Such interfaces will have the IFDISABLED nd6 flag set in ifconfig(8).

The kernel may be configured to drop all IPv6 fragments by setting the
net.inet6.ip6.maxfrags sysctl to 0.  Doing so will prevent the bug from
being triggered, with the caveat that legitimate IPv6 fragments will be
dropped.

If the pf(4) firewall is enabled, and scrubbing and fragment reassembly is
enabled on untrusted interfaces, the bug cannot be triggered.  This is the
default if pf(4) is enabled.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/13/                              9515f04fe3b1    stable/13-n255919
releng/13.2/                            da38eaca4a22  releng/13.2-n254626
releng/13.1/                            4e548c72914a  releng/13.1-n250191
stable/12/                                                        r373149
releng/12.4/                                                      r373152
-------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
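
The patch-level comparison from the "Corrected" field and the two host-side workarounds from section IV can be scripted for fleet triage. The script below is an added example, not part of the advisory or of FreeBSD's tooling; the function names and the sample interface output are assumptions, while the patch levels, the sysctl name and the IFDISABLED flag are taken from the advisory.

```sh
#!/bin/sh
# Added example, not FreeBSD tooling. Patch levels, the sysctl name and the
# IFDISABLED flag come from the advisory; function names are hypothetical.

# Lowest fixed patch level per releng branch, from the "Corrected" field.
fixed_patchlevel() {
    case "$1" in
        13.2) echo 2 ;;
        13.1) echo 9 ;;
        12.4) echo 4 ;;
        *)    return 1 ;;   # branch not listed in the advisory
    esac
}

# Print patched, vulnerable or unknown for a string like 13.2-RELEASE-p1.
# -STABLE strings carry no patch level; use the commit table for those.
patch_status() {
    case "$1" in
        *-RELEASE)         plevel=0 ;;
        *-RELEASE-p[0-9]*) plevel=${1##*-p} ;;
        *)                 echo unknown; return 0 ;;
    esac
    case "$plevel" in *[!0-9]*) echo unknown; return 0 ;; esac
    fixed=$(fixed_patchlevel "${1%%-*}") || { echo unknown; return 0; }
    if [ "$plevel" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Print which section IV workaround covers one interface, if any.
#   $1: net.inet6.ip6.maxfrags value   $2: ifconfig output for the interface
# pf(4) scrub/reassembly state is not inspected here.
workaround_status() {
    if [ "$1" = 0 ]; then
        echo fragments-dropped
    elif printf '%s\n' "$2" |
        grep -Eq 'nd6 options=[0-9a-f]+<([^>]*,)?IFDISABLED(,[^>]*)?>'; then
        echo ipv6-disabled
    else
        echo none
    fi
}

# Constructed ifconfig excerpt (not captured from a real host).
SAMPLE_IF='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>'

echo "13.2-RELEASE-p1: $(patch_status 13.2-RELEASE-p1)"
echo "sample em0:      $(workaround_status 1024 "$SAMPLE_IF")"
```

On a live host, pass the output of `freebsd-version -r`, `sysctl -n net.inet6.ip6.maxfrags` and `ifconfig` for the interface in question. `freebsd-version -r` reports the running kernel, so it only shows the fixed patch level after the reboot the advisory calls for.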