pf Fragment Reassembly Bypass Enables Unintended Fragment Forwarding
CVE-2023-4809 Published on September 6, 2023
pf incorrectly handles multiple IPv6 fragment headers
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.
As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
Weakness Type
Improper Handling of Additional Special Element
The software receives input from an upstream component, but it does not handle or incorrectly handles when an additional unexpected special element is provided.
Products Associated with CVE-2023-4809
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 13.2-RELEASE and below p3 is affected.
- Version 12.4-RELEASE and below p5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.