They detected a vulnerability in PF that allows IPv6 blocking rules to be bypassed

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the affected systems

The news was released by NetSecurityLab, which reports having identified a vulnerability (tracked as CVE-2023-4809) in the FreeBSD "pf" packet filter code.

It is mentioned that the vulnerability can be exploited to bypass IPv6 blocking rules by manipulating fragmented IPv6 packets. The problem occurs when pf is used to filter IPv6 traffic with the "scrub fragment reassemble" option enabled.

PF is developed as part of the OpenBSD base system. Despite this, it has been successfully ported to other systems, such as FreeBSD, which adopted it gradually: first as a package, and later as one of the three packet filtering subsystems offered by the kernel.

PF is a packet filter originally written for OpenBSD. PF can reassemble fragmented IPv6 packets and apply its rules to the reassembled packet, which allows pf to filter on upper-layer protocol information (e.g. TCP, UDP ports).

About the vulnerability

It is mentioned that the vulnerability is due to a bug in the handling of "atomic" fragments, a fragmentation mode in which a single fragment (the first and only one) makes up the entire fragmented transmission; in other words, a packet is "fragmented" into exactly one fragment.

IPv6 packets in "atomic" fragmentation mode that carried more than one fragment extension header were not discarded as invalid, but were processed as separate fragments. Consequently, rules intended to apply to the final packet reassembled from the fragments did not take effect.

An attacker can bypass PF rules by sending specially crafted IPv6 packets which, contrary to what the specification requires, contain several fragment extension headers.

As for the original OpenBSD implementation of PF, it is mentioned that it is not affected by the vulnerability: in 2013, when atomic fragment support was implemented, a check was added to PF's header parsing code that rejects IPv6 packets containing more than one fragment header. The function containing that check was never ported to FreeBSD, so FreeBSD's PF implementation is affected.
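The missing check described above, as an added example (not code from PF, OpenBSD or NetSecurityLab): walk the IPv6 extension-header chain, count fragment headers, and reject any packet that carries more than one. The packets it runs on are constructed test vectors; the header layout follows RFC 8200 and the `build_packet` helper and addresses are assumptions for the demonstration.

```python
import struct

# Next-header values from RFC 8200 (IPv6 extension headers) and RFC 793 (TCP)
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
TCP = 6

def walk_ipv6_headers(pkt: bytes) -> dict:
    """Walk the extension-header chain of one IPv6 packet.

    Returns how many Fragment headers were seen, whether the first one is an
    'atomic' fragment (offset 0 and M flag clear), and the upper-layer protocol.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40          # Next Header field, end of the fixed header
    frags, atomic = 0, None
    while nxt in (HOPOPT, ROUTING, FRAGMENT, DSTOPTS):
        if nxt == FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            # Fragment header: next(1) reserved(1) offset:13|res:2|M:1 (2) identification(4)
            frag_field = struct.unpack_from("!H", pkt, off + 2)[0]
            if frags == 0:
                atomic = (frag_field >> 3) == 0 and (frag_field & 1) == 0
            frags += 1
            nxt, off = pkt[off], off + 8
        else:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            # Hdr Ext Len is in 8-octet units, not counting the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return {"fragment_headers": frags, "atomic": bool(atomic), "upper_proto": nxt}

def should_drop(pkt: bytes) -> bool:
    """The check OpenBSD's parser applies: more than one Fragment header is invalid."""
    return walk_ipv6_headers(pkt)["fragment_headers"] > 1

def build_packet(n_fragment_headers: int, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed test vector: IPv6 header + N atomic Fragment headers + a TCP-sized payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")  # assumed documentation address
    dst = bytes.fromhex("20010db8000000000000000000000002")
    chain = b""
    for i in range(n_fragment_headers):
        nxt = FRAGMENT if i < n_fragment_headers - 1 else TCP
        chain += struct.pack("!BBHI", nxt, 0, 0, 0x1234)  # offset 0, M=0 -> atomic fragment
    first_nxt = FRAGMENT if n_fragment_headers else TCP
    hdr = struct.pack("!IHBB", 6 << 28, len(chain) + len(payload), first_nxt, 64)
    return hdr + src + dst + chain + payload
```

A single atomic fragment is accepted and still reports its upper-layer protocol, while a chain with two fragment headers is rejected before any reassembly or rule matching happens.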

Our tests show that FreeBSD handles these atomic fragments by rebuilding the original packet (thanks to the debugging process) but does not apply any rules that apply to layer four and above (for example, the penultimate rule in the pf configuration above). As a result, the fragment matches other rules in the firewall configuration and is allowed to pass. Additionally, the debugging process has fixed the packet, so any operating system behind the firewall now accepts it.

We verified that we could establish full bidirectional communication between the attacker and the victim behind the FreeBSD firewall, as well as UDP traffic and ICMPv6 traffic between them.

Since we are on the subject of vulnerabilities, it is also worth mentioning that a fix landed in the FreeBSD wireless stack for a vulnerability (CVE-2022-47522) identified in March and known by the code name MacStealer. This vulnerability affects the queuing mechanism that buffers frames before they are sent to recipients, together with flaws in the handling of the security context for queued frames.

The vulnerability could be used to intercept other users' traffic, bypassing client MAC isolation even when clients are not allowed to communicate with each other (for example, to attack users on corporate networks where clients are isolated from each other, or where WPA2 and WPA3 are used in client isolation mode).

Finally, it is worth mentioning that the vulnerability was fixed by a patch in the FreeBSD 13.2-p3 and 12.4-p5 updates. Those interested in knowing more about it can check the details in the following link
