FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- pf incorrectly matches different ICMPv6 states in the state table

Affected packages
14.1 <= FreeBSD-kernel < 14.1_3
14.0 <= FreeBSD-kernel < 14.0_9
13.3 <= FreeBSD-kernel < 13.3_5

Details

VuXML ID f140cff0-771a-11ef-9a62-002590c1f29c
Discovery 2024-08-07
Entry 2024-09-20

Problem Description:

In ICMPv6 Neighbor Discovery (ND), the identifier is always 0. When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet sent after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has to come from the same host as the NS and carry an identifier of zero in order to match the state created by the Neighbor Discovery, which then allows replies to be generated.

Impact:

ICMPv6 packets with an identifier value of zero bypass firewall rules written on the assumption that the incoming packets are going to create a new state in the state table.
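The problem description and impact above can be illustrated with a toy model of a stateful ICMPv6 filter. This is added example code, not pf's implementation or the SA-24:05.pf patch: the addresses, rule set and the `key_on_type` switch are constructed for the illustration, and the model only shows how a state-table key that ignores the ICMP type lets an identifier-0 Echo Request ride on the state an NS created, and how including the type in the key keeps the two apart.

```python
# Toy model of a stateful firewall's inbound ICMPv6 handling (not pf's code).
# A Neighbor Solicitation has no identifier field, so it is recorded with
# id 0; an Echo Request forged with id 0 from the same host then hits the
# same state entry when the lookup key ignores the ICMPv6 type.

ECHO_REQUEST = 128
NEIGHBOR_SOLICIT = 135
ND_TYPES = {133, 134, 135, 136, 137}     # Router/Neighbor Discovery messages


class Firewall:
    """Inbound filter: state lookup first, then rules (pass ND, block echo)."""

    def __init__(self, key_on_type):
        # key_on_type=False models the vulnerable lookup, True the hardened one.
        self.key_on_type = key_on_type
        self.states = set()

    def _key(self, src, dst, icmp_type, ident):
        if not self.key_on_type:
            return (src, dst, ident)             # NS and id-0 Echo collide here
        # A full implementation would also map reply types (e.g. Neighbor
        # Advertisement) back to the request type so legitimate replies match.
        return (src, dst, ident, icmp_type)

    @staticmethod
    def _rule_passes(icmp_type):
        if icmp_type in ND_TYPES:
            return True                          # constructed "pass in" rule for ND
        return False                             # Echo Request and all else blocked

    def inbound(self, src, dst, icmp_type, ident=0):
        """Return True if the packet is passed, False if it is blocked."""
        key = self._key(src, dst, icmp_type, ident)
        if key in self.states:
            return True                          # existing state: rules not consulted
        if self._rule_passes(icmp_type):
            self.states.add(key)                 # passed by rule: create state
            return True
        return False


def echo_after_ns_passed(key_on_type):
    """Does an id-0 Echo Request from the NS sender pass after the NS created state?"""
    fw = Firewall(key_on_type)
    fw.inbound("fe80::a", "fe80::b", NEIGHBOR_SOLICIT)   # constructed link-local peers
    return fw.inbound("fe80::a", "fe80::b", ECHO_REQUEST, ident=0)
```

`echo_after_ns_passed(False)` returns True (the Echo Request is passed on the NS state) while `echo_after_ns_passed(True)` returns False; an Echo Request from another host or with a non-zero identifier is blocked in both modes.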

Note:

This advisory introduced additional issues that were addressed by FreeBSD-EN-24:16.pf. Please refer to that erratum for additional fixes.

References

CVE Name CVE-2024-6640
FreeBSD Advisory SA-24:05.pf
URL https://www.freebsd.org/security/advisories/FreeBSD-EN-24:16.pf.asc