FreeBSD Security Advisory FreeBSD-SA-23:06.ipv6

From: FreeBSD Security Advisories <security-advisories_at_freebsd.org>
Date: Tue, 01 Aug 2023 21:38:04 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-23:06.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic: Remote denial of service in IPv6 fragment reassembly

Category:       core
Module:         ipv6
Announced:      2023-08-01
Credits:        Zweig of Kunlun Lab
Affects:        All supported versions of FreeBSD
Corrected:      2023-08-01 19:49:07 UTC (stable/13, 13.2-STABLE)
                2023-08-01 19:51:27 UTC (releng/13.2, 13.2-RELEASE-p2)
                2023-08-01 19:49:52 UTC (releng/13.1, 13.1-RELEASE-p9)
                2023-08-01 20:05:08 UTC (stable/12, 12.4-STABLE)
                2023-08-01 20:05:42 UTC (releng/12.4, 12.4-RELEASE-p4)
CVE Name:       CVE-2023-3107

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IPv6 packets may be fragmented in order to accommodate the maximum
transmission unit (MTU) of the network path between the source and
destination hosts.  The FreeBSD kernel keeps track of received packet
fragments and will reassemble the original packet once all fragments
have been received, at which point the packet is processed normally.

II.  Problem Description

Each fragment of an IPv6 packet contains a fragment header which
specifies the offset of the fragment relative to the original packet,
and each fragment specifies its length in the IPv6 header.  When
reassembling the packet, the kernel calculates the complete IPv6 payload
length.  The payload length must fit into a 16-bit field in the IPv6
header.

Due to a bug in the kernel, a set of carefully crafted packets can
trigger an integer overflow in the calculation of the reassembled
packet's payload length field.

III. Impact

Once an IPv6 packet has been reassembled, the kernel continues
processing its contents.  It does so assuming that the fragmentation
layer has validated all fields of the constructed IPv6 header.  This bug
violates such assumptions and can be exploited to trigger a remote
kernel panic, resulting in a denial of service.

IV.  Workaround

Users with IPv6 disabled on untrusted network interfaces are not
affected.  Such interfaces will have the IFDISABLED nd6 flag set in
ifconfig(8).

The kernel may be configured to drop all IPv6 fragments by setting the
net.inet6.ip6.maxfrags sysctl to 0.  Doing so will prevent the bug from
being triggered, with the caveat that legitimate IPv6 fragments will
be dropped.

If the pf(4) firewall is enabled, and scrubbing and fragment reassembly
is enabled on untrusted interfaces, the bug cannot be triggered.  This
is the default if pf(4) is enabled.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or
(on FreeBSD 13 and later) arm64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-23:06/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected by the corresponding Git commit hash or Subversion
revision number in the following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/13/                              9515f04fe3b1    stable/13-n255919
releng/13.2/                            da38eaca4a22  releng/13.2-n254626
releng/13.1/                            4e548c72914a  releng/13.1-n250191
stable/12/                                                        r373149
releng/12.4/                                                      r373152
- -------------------------------------------------------------------------

For FreeBSD 13 and later:

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

For FreeBSD 12 and earlier:

Run the following command to see which files were modified by a particular
revision, replacing NNNNNN with the revision number:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3107>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-23:06.ipv6.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmTJdsAACgkQbljekB8A
Gu8rERAA2iGzA4ydDrYsKnNGXMtQEXRIkGOPOkCSB1fC6CGIWLD//XuPw7sISPNu
vvt0DVlkOC/ZKjgUQVWDLHd/DWcEv6prhhCUEPEQ57nwvgfa9/oZNqF0ZvVgdyst
OUc7wO3Pt9lAp6fPkay0LGmsHLlgRJR1VqUQ6fnWvJ7jRllsvIdjxr8krIwYyyVn
E7U8+lBYoBmQLMql0jgiQ3S4FZ5kYX6MN9r2I1/nSQdE6IUOiqL0oux9H2PDTz3r
mx9nYSrsd0WPNVO7n7GRnk48STwJryJNdY7tCZOUGsmOOtQAnXvF/ZYDQOMK1L66
4d5XFVXTwYdHDwDbXMPCCqa+MsZyjrgz8NmNzcto1l0mClz1SGNW9MKmxTKU7op/
dNTjziffvwxZefpFPv+r9ZEyJpPe1rcNgOskJFW4DVq0uNSaujPkHE77hkE93ozF
ScDErtexPV+OEQyqGTgO4MxTjlk2l9DZGFVrLl+8Js1sFfLXlReGHLA2xtDtxJL0
mLo1WtKq8Oq3XPBdU0UoAw3Wlp+BOZ7cY5AVk7IY5zU0T2jQP636QgzX33ZTynkD
oLtFufJBOWMSPNx9bTFautEoNsivtKcOl3XWEKKgEqt4b+9h6VGU0tFjfRuozjxJ
QAaYf0qXk9kfHp4EdHj4CeSoeZKgHCExJxpfX54qBGH/TY3Dd4c=
=V/jE
-----END PGP SIGNATURE-----