{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4809", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2023-09-06T17:11:30.349Z", "datePublished": "2023-09-06T19:26:45.833Z", "dateUpdated": "2025-02-13T17:18:10.982Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["pf"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"lessThan": "p3", "status": "affected", "version": "13.2-RELEASE", "versionType": "release"}, {"lessThan": "p5", "status": "affected", "version": "12.4-RELEASE", "versionType": "release"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Enrico Bassetti bassetti@di.uniroma1.it (NetSecurityLab @ Sapienza University of Rome)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed.  That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.</div><div><br></div><div>As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.</div>"}], "value": "In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed.  That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.\n\n\n\n\nAs a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-167", "description": "CWE-167: Improper Handling of Additional Special Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2023-12-21T22:06:15.441Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/5"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/6"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/7"}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0009/"}], "source": {"discovery": "UNKNOWN"}, "title": "pf incorrectly handles multiple IPv6 fragment headers", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.699Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/6", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/08/7", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231221-0009/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7F6C8B0-9D75-476C-ADBA-754416FBC186", "versionEndExcluding": "12.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA49E374-9F1A-4F62-B88D-CD36EDEA6060", "versionEndExcluding": "13.2", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:-:*:*:*:*:*:*", "matchCriteriaId": "24920B4D-96C0-401F-B679-BEB086760EAF", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p1:*:*:*:*:*:*", "matchCriteriaId": "3CE32730-A9F5-4E8D-BDA4-6B8232F84787", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p2:*:*:*:*:*:*", "matchCriteriaId": "552E81DE-D409-475F-8ED0-E10A0BE43D29", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p3:*:*:*:*:*:*", "matchCriteriaId": "251CAE22-C3E6-45AD-8301-F36BEE5C6860", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:p4:*:*:*:*:*:*", "matchCriteriaId": "85D94BCA-FA32-4C10-95CD-5D2A69B38A7A", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p1:*:*:*:*:*:*", "matchCriteriaId": "BA821886-B26B-47A6-ABC9-B8F70CE0ACFB", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:12.4:rc2-p2:*:*:*:*:*:*", "matchCriteriaId": "220629AD-32CC-4303-86AE-1DD27F0E4C65", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:-:*:*:*:*:*:*", "matchCriteriaId": "A87EFA20-DD6B-41C5-98FD-A29F67D2E732", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p1:*:*:*:*:*:*", "matchCriteriaId": "2888B0C1-4D85-42EC-9696-03FAD0A9C28F", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.2:p2:*:*:*:*:*:*", "matchCriteriaId": "A3306F11-D3C0-41D6-BB5E-2ABDC3927715", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed.  That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is.\n\n\n\n\nAs a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host."}, {"lang": "es", "value": "En el procesamiento de paquetes pf con una regla 'scrub fragment reassemble', un paquete que contenga m\u00faltiples encabezados de fragmentos IPv6 se reensamblar\u00eda y luego se procesar\u00eda inmediatamente. Es decir, un paquete con m\u00faltiples encabezados de extensi\u00f3n de fragmentos no ser\u00eda reconocido como el payload final correcto. En cambio, un paquete con m\u00faltiples encabezados de fragmentos IPv6 se interpretar\u00eda inesperadamente como un paquete fragmentado, en lugar de como cualquier payload real. Como resultado, los fragmentos de IPv6 pueden eludir las reglas del firewall escritas bajo el supuesto de que todos los fragmentos se han reensamblado y, como resultado, el host los reenv\u00eda o procesa."}], "id": "CVE-2023-4809", "lastModified": "2025-02-13T18:15:47.657", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-06T20:15:08.080", "references": [{"source": "secteam@freebsd.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/5"}, {"source": "secteam@freebsd.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/6"}, {"source": "secteam@freebsd.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/7"}, {"source": "secteam@freebsd.org", "tags": ["Vendor Advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"}, {"source": "secteam@freebsd.org", "url": "https://security.netapp.com/advisory/ntap-20231221-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/08/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-23:10.pf.asc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231221-0009/"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-167"}], "source": "secteam@freebsd.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}