Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1776
IPv6 fragment reassembly panic in pf(4)
17 May 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: pf
Publisher: FreeBSD
Operating System: FreeBSD
BSD variants
Impact/Access: Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-5597
Original Bulletin:
https://security.freebsd.org/advisories/FreeBSD-SA-19:05.pf.asc
https://security.freebsd.org/advisories/FreeBSD-SA-19:06.pf.asc
Comment: This bulletin contains two (2) FreeBSD security advisories.
This advisory references vulnerabilities in products which run on
platforms other than FreeBSD. It is recommended that administrators
running pf check for an updated version of the software for their
operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:05.pf Security Advisory
The FreeBSD Project
Topic: IPv6 fragment reassembly panic in pf(4)
Category: contrib
Module: pf
Announced: 2019-05-14
Credits: Synacktiv
Affects: All supported versions of FreeBSD
Corrected: 2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name: CVE-2019-5597
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.
II. Problem Description
A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last
extension header offset from the last received packet instead of from the
first packet.
III. Impact
Malicious IPv6 packets with different IPv6 extensions could cause a kernel
panic or potentially a filtering rule bypass.
IV. Workaround
Only systems leveraging the pf(4) firewall and include packet scrubbing using
the recommended 'scrub all in' or similar are affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterwards, reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/12/ r344706
releng/12.0/ r347591
stable/11/ r344707
releng/11.2/ r347591
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc>
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cL1cxAAjYy90WBfuBkU/FddQWMJkXOn2YqABFxY/BfFpJEbGrnXXuxz9YJByK3b
6ikWq5HcxgL/9ek6QULwEOoNvms8tT4m4waJOLa3hZPoPlgD2ArgvdcEI00R/8T9
Z+k1YlT0oLOY4XbVynPGNmiFNTAcsg7Ognp9yam3kmPZTMGYm6cKIBy1idrzCCmI
nj0SscyoL4Z09kSWe3UOitjh8cpxqGuvGosCb7YGPl6yTSalBUgP44Lyg7jS4nrZ
xjZxqhAfp7tk9peF4rov8apZIsrBF5GMaahnIGIwZzmRn/E1pND9qx1lB1Uh7rfR
nb8OmwbshJTWdnS1GXyLxRGJOd0zmh+YZ10ygZAQTM5sNaxfn6pWJFmr2S/mR+kN
RG/Bhj+lN7jh1eUNdwk/pAm0aZZ+J8GX4/QOrqPfGDko/s/S7YwJB/DKR/14uPY7
Fwcgv4tvgoRstSKHdIe45d7/N0SgQCS/EfzVIO5XPQtkrk9/zalQubionijObr1Q
ARVl7H5M7m7kP8PJz/vRNvhar0c0xTk9ov2JDxKHKTd+7D78LQEAFvEGPIFREBsY
VBW8BqZbuVcsgrhr/YWFE3TEw4O0YbnY5g9wmVv+d/pdDngLuTsfbNEsAQewWcu/
dYefeBMKBukyLUKtLYHjVAhUlL3hF3j/aBu498F6LRCzFcaoIOQ=
=0alQ
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-19:06.pf Security Advisory
The FreeBSD Project
Topic: ICMP/ICMP6 packet filter bypass in pf
Category: contrib
Module: pf
Announced: 2019-05-14
Credits: Synacktiv
Affects: All supported versions of FreeBSD
Corrected: 2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name: CVE-2019-5598
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
pf(4) is an Internet Protocol packet filter originally written for OpenBSD.
In addition to filtering packets, it also has packet normalization
capabilities.
II. Problem Description
States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in
their payload matching an existing condition. pf(4) does not check if the
outer ICMP or ICMP6 packet has the same destination IP as the source IP of
the inner protocol packet.
III. Impact
A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules
and be passed to a host that would otherwise be unavailable.
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, reboot the system.
2) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
Afterwards, reboot the system.
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the correction revision numbers for each
affected branch.
Branch/path Revision
- - -------------------------------------------------------------------------
stable/12/ r345377
releng/12.0/ r347593
stable/11/ r345378
releng/11.2/ r347593
- - -------------------------------------------------------------------------
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
VII. References
<URL:https://www.synacktiv.com/posts/systems/icmp-reachable.html>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc>
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0
iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE
b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+
N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE
DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+
Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl
JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm
UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj
g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq
AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW
Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI=
=m3as
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXN428maOgq3Tt24GAQhFLw//euRdBv25FMbowk9ZaTmozZhqEyvGHmh7
ERQ4GxrYriSIGJ/SVDLcykG33KtH0WUZqGqx91La1DqKuXShU64zrSA4fDg4zLEP
3OLXDaBYCso/CElejikBU3GxP2D50gfTNnQochJwe58w8oUpM3MIin63+oW0Fh/c
7t6fQMM9UcghyAl+kceiqeP351vwOSAeHf+VeZ1FIcreuc+8jgfvcplqHUTEPqXl
+0tIQReHkPhYnj9UASgHvJTfsaRSCslt+dKCDv1snBZWtxhczRlC6IzB7mmQLjzW
qT4219oXBMLP/YXah0VXQNmimFSg4xd9XQHiLIxEt+P5UxkQAo12ec6b6ieKfWX0
F8vuXLXNrrKK+6kbwYzmyQfjH8PsYf+3jVeYRpPNhhgLMVDz9fT3ygIVYFytwbL0
ibGzeYC4ZE4iGDhgS/ULTl3r8nXjQ5+1l6IbhkdiAq4oZzqa/hammLIm0LyJOSDP
DPGFKHV738NLWMV3bCMcEwVUlPyobp4HJvFlMYGzSSfP+xtrHUr43QCjPhQ0zkRr
CeYuYr8p9hAc/a7f1WW4CDE3Mdou88T4BVHTpFZdPsAWqkDR5/KERFzOGBkCzBJh
Kw8x/6uhFH1waE8RXcRVL+TUifTBQMNqs6Z8NXzz3BBrh14FBFQzIeAEKKyzJJKe
rnYFma5GiCs=
=bnQu
-----END PGP SIGNATURE-----